AP

Scale, details of massive Kaseya ransomware attack emerge

Jul 4, 2021, 5:09 PM | Updated: 6:47 pm

FILE - This Feb 23, 2019, file photo shows the inside of a computer in Jersey City, N.J. A ransomwa...

FILE - This Feb 23, 2019, file photo shows the inside of a computer in Jersey City, N.J. A ransomware attack paralyzed the networks of at least 200 U.S. companies on Friday, July 2, 2021, according to a cybersecurity researcher whose company was responding to the incident. (AP Photo/Jenny Kane, File)

(AP Photo/Jenny Kane, File)

BOSTON (AP) — Cybersecurity teams worked feverishly Sunday to stem the impact of the Kaseya ransomware attack — the single biggest global ransomware attack on record. And a few of the details are emerging about how the Russia-linked gang thought responsible for the attack breached the company whose software was the conduit.

The reach and scale of the Kaseya ransomware attack

An affiliate of the notorious REvil gang, best known for extorting $11 million from the meat-processor JBS after a Memorial Day attack, infected thousands of victims in at least 17 countries on Friday, largely through firms that remotely manage IT infrastructure for multiple customers, cybersecurity researchers said.

They reported ransom demands of up to $5 million.

The FBI said in a statement Sunday that it was investigating the attack along with the federal Cybersecurity and Infrastructure Security Agency, though “the scale of this incident may make it so that we are unable to respond to each victim individually.”

President Joe Biden suggested Saturday the U.S. would respond if it was determined that the Kremlin is at all involved. He said he had asked the intelligence community for a “deep dive” on what happened.

The attack comes less than a month after Biden pressed Russian President Vladimir Putin to stop providing safe haven to REvil and other ransomware gangs whose unrelenting extortionary attacks the U.S. deems a national security threat.

Businesses, public agencies on all continents were hit

A broad array of businesses and public agencies were hit by the latest attack, apparently on all continents, including in financial services, travel and leisure and the public sector — though few large companies, the cybersecurity firm Sophos reported. Ransomware criminals break into networks and sow malware that cripples networks on activation by scrambling all their data. Victims get a decoder key when they pay up.

The Swedish grocery chain Coop said most of its 800 stores would be closed for a second day Sunday because their cash register software supplier was crippled.

A Swedish pharmacy chain, gas station chain, the state railway and public broadcaster SVT were also hit.

In Germany, an unnamed IT services company told authorities several thousand of its customers were compromised, the news agency dpa reported. Also among reported victims were two big Dutch IT services companies — VelzArt and Hoppenbrouwer Techniek. Most ransomware victims don’t publicly report attacks or disclose if they’ve paid ransoms.

CEO Fred Voccola of the breached software company, Kaseya, estimated the victim number in the low thousands, mostly small businesses like “dental practices, architecture firms, plastic surgery centers, libraries, things like that.”

Voccola said in an interview that only between 50-60 of the company’s 37,000 customers were compromised. But 70% were managed service providers who use the company’s hacked VSA software to manage multiple customers. It automates the installation of software and security updates and manages backups and other vital tasks.

Attack planned for the eve of a US holiday

Experts say it was no coincidence that REvil launched the attack at the start of the Fourth of July holiday weekend, knowing U.S. offices would be lightly staffed. Many victims may not learn of it until they are back at work on Monday. The vast majority of end customers of managed service providers “have no idea” what kind of software is used to keep their networks humming, said Voccola,

Kaseya said it sent a detection tool to nearly 900 customers on Saturday night.

John Hammond of Huntress Labs, one of the first cybersecurity firms to sound the alarm on the attack, said he’d seen $5 million and $500,000 demands by REVil for the decryptor key needed to unlock scrambled networks. The smallest amount demanded appears to have been $45,000.

How ransom hunters typically catch their prey 

Sophisticated ransomware gangs on REvil’s level usually examine a victim’s financial records — and insurance policies if they can find them — from files they steal before activating the data-scrambling malware. The criminals then threaten to dump the stolen data online unless paid. It was not immediately clear if this attack involved data theft, however. The infection mechanism suggests it did not.

“Stealing data typically takes time and effort from the attacker, which likely isn’t feasible in an attack scenario like this where there are so many small and mid-sized victim organizations,” said Ross McKerchar, chief information security officer at Sophos. “We haven’t seen evidence of data theft, but it’s still early on and only time will tell if the attackers resort to playing this card in an effort to get victims to pay.”

Dutch researchers said they alerted Miami-based Kaseya to the breach and said the criminals used a “zero day,” the industry term for a previous unknown security hole in software. Voccola would not confirm that or offer details of the breach — except to say that it was not phishing.

“The level of sophistication here was extraordinary,” he said.

When the cybersecurity firm Mandiant finishes its investigation, Voccola said he is confident it will show that the criminals didn’t just violate Kaseya code in breaking into his network but also exploited vulnerabilities in third-party software.

History of attacks against managed services providers

It was not the first ransomware attack to leverage managed services providers. In 2019, criminals hobbled the networks of 22 Texas municipalities through one.

That same year, 400 U.S. dental practices were crippled in a separate attack.

One of the Dutch vulnerability researchers, Victor Gevers, said his team is worried about products like Kaseya’s VSA because of the total control of vast computing resources they can offer. “More and more of the products that are used to keep networks safe and secure are showing structural weaknesses,” he wrote in a blog Sunday.

The cybersecurity firm ESET identified victims in least 17 countries, including the United Kingdom, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand and Kenya.

Kaseya says the attack only affected “on-premise” customers, organizations running their own data centers, as opposed to its cloud-based services that run software for customers. It also shut down those servers as a precaution, however.

Kaseya, which called on customers Friday to shut down their VSA servers immediately, said Sunday it hoped to have a patch in the next few days.

Who or what is REvil?

Active since April 2019, REvil provides ransomware-as-a-service, meaning it develops the network-paralyzing software and leases it to so-called affiliates who infect targets and earn the lion’s share of ransoms. U.S. officials say the most potent ransomware gangs are based in Russia and allied states and operate with Kremlin tolerance and sometimes collude with Russian security services.

Cybersecurity expert Dmitri Alperovitch of the Silverado Policy Accelerator think tank said that while he does not believe the Kaseya attack is Kremlin-directed, it shows that Putin “has not yet moved” on shutting down cybercriminals.
___
AP reporters Eric Tucker in Washington, Kirsten Grieshaber in Berlin, Jari Tanner in Helsinki and Sylvie Corbet in Paris contributed to this report.

We want to hear from you.

Have a story idea or tip? Send it to the KSL NewsRadio team here.

AP

Denver Broncos quarterback Russell Wilson (3) throws during the first half of an NFL football game ...

ARNIE STAPLETON AP Pro Football Writer

Denver Broncos inform QB Russell Wilson they’ll release him when new league year begins

Two years ago, Russell Wilson declared he intended to play a dozen years in Denver, now, it doesn't seem that plan is going to work out.

2 hours ago

Hannah Gutierrez-Reed, center, sits with her attorney Jason Bowles, left, during testimony in the t...

MORGAN LEE Associated Press

Ammo supplier says he provided no live rounds in fatal shooting of cinematographer by Alec Baldwin

Ammo supplier testified that he provided dummy rounds to the "Rust" set where Alex Baldwin fatally shot a cinematographer.

2 hours ago

Republican presidential candidate former UN Ambassador Nikki Haley speaks at a Republican campaign ...

WILL WEISSERT Associated Press

Haley says she raised $12M in February, can’t point to long-term plan to beat Trump

Republican presidential candidate Nikki Haley said Friday that she raised $12 million in February, a haul that will likely allow her to remain in the Republican primary against former President Donald Trump past next week's Super Tuesday — even though she can't point to an upcoming state where she expects to beat him.

4 days ago

February, 29, otherwise know as leap year day, is shown on a calendar Sunday, Feb. 25, 2024, in Ove...

LEANNE ITALIE AP Lifestyles Writer

What would happen without a Leap Day? More than you might think

Leap year. It's a delight for the calendar and math nerds among us. So how did it all begin and why?

5 days ago

Republican presidential candidate former President Donald Trump speaks at a primary election night ...

MEG KINNARD and WILL WEISSERT Associated Press

Trump wins South Carolina, easily beating Haley in her home state and closing in on GOP nomination

Donald Trump won South Carolina's Republican primary on Saturday further consolidating his path to a third straight GOP nomination.

10 days ago

Hannah Gutierrez-Reed, center, sits with her attorney Jason Bowles, left, during the first day of t...

MORGAN LEE Associate Press

Negligence or scapegoating? Trial of ‘Rust’ armorer begins in fatal shooting by Alec Baldwin

Prosecutors sought to pin blame on a movie weapons supervisor for bringing live ammunition on set that contributed to the fatal shooting of a cinematographer by Alec Baldwin during production of the film "Rust."

11 days ago

Sponsored Articles

Mother and cute toddler child in a little fancy wooden cottage, reading a book, drinking tea and en...

Visit Bear Lake

How to find the best winter lodging in Bear Lake, Utah

Winter lodging in Bear Lake can be more limited than in the summer, but with some careful planning you can easily book your next winter trip.

Happy family in winter clothing at the ski resort, winter time, watching at mountains in front of t...

Visit Bear Lake

Ski more for less: Affordable ski resorts near Bear Lake, Utah

Plan your perfect ski getaway in Bear Lake this winter, with pristine slopes, affordable tickets, and breathtaking scenery.

front of the Butch Cassidy museum with a man in a cowboy hat standing in the doorway...

Bear Lake Convention and Visitors Bureau

Looking Back: The History of Bear Lake

The history of Bear Lake is full of fascinating stories. At over 250,000 years old, the lake has seen generations of people visit its shores.

silhouette of a family looking over a lake with a bird in the top corner flying...

Bear Lake Convention and Visitors Bureau

8 Fun Activities To Do in Bear Lake Without Getting in the Water

Bear Lake offers plenty of activities for the whole family to enjoy without having to get in the water. Catch 8 of our favorite activities.

Wellsville Mountains in the spring with a pond in the foreground...

Wasatch Property Management

Advantages of Renting Over Owning a Home

Renting allows you to enjoy luxury amenities and low maintenance without the long-term commitment and responsibilities of owning a home.

Clouds over a red rock vista in Hurricane, Utah...

Wasatch Property Management

Why Southern Utah is a Retirement Paradise

Retirement in southern Utah offers plenty of cultural and recreational opportunities. Find out all that this region has to offer.

Scale, details of massive Kaseya ransomware attack emerge