The weekend of Independence Day turned to chaos for several IT companies when they were struck by what’s being called the largest ransomware attack on record.
A handful of small managed service providers, along with one of the largest IT vendors in operation, Kaseya, stood at ground zero of the attack. The IT providers’ clients were exposed to the ransomware in turn, and the damage toll continues to mount.
Current estimates are that up to 1,500 businesses have been breached, according to a statement from Kaseya on Monday.
The bad actors responsible are believed to be affiliated with the hacking group REvil. Perpetrators have made ransom demands of individual victims ranging from $6000 into the millions. They have also offered to release a master code that would unlock all compromised machines for $70 million. Several victims have already paid up, such as meat producer JBS who paid $11 million to restore their operations.
The attack struck Kaseya’s software which is used to monitor and manage IT networks. Since this software is built to operate remotely, many Kaseya users IT providers who managed portfolios of clients from a centralized location. This attack exposed their own customers to the ransomware, increasing the damage exponentially.
CNN reports that hundreds of businesses were forced to shut down over the weekend because their IT provider was compromised, and small businesses and government agencies around the world were also affected.
Supply chain attacks such as these — wherein widely-used software is compromised to attack the users — are especially damaging since they can strike so many organizations at once. Kaseya promised to release a patch to prevent further exploitation of this vulnerability as soon as possible.
Was the Kaseya Hack an Inside Job?
Prior to discovery of the attack, Dutch researchers found several zero-day vulnerabilities in Kaseya’s software as part of an investigation into web-based administrator tools. According to Victor Gevers, one of the researchers, these zero-days were reported to Kaseya and were in the process of being addressed when the attack was carried out.
Kaseya’s chief executive Fred Voccola told The Wall Street Journal that its corporate systems were not compromised. This provides some evidence that the servers run by Kaseya’s customers were compromised individually using a common vulnerability.
The timing of the attack makes some wonder if there wasn’t an insider threat in play. It’s possible that someone close to the research — or within Kaseya itself — leaked information about the upcoming patches and forced the attack to be carried out ahead of schedule. While the presence of insider threats is not uncommon, it seems less likely in this scenario. The timing of the attack was most likely deliberate, potentially politically motivated, as another recent strike by REvil was executed on Memorial Day weekend.
“Hackers are opportunists,” says Noftek CEO Letson Jackson. “It’s probable that they chose a holiday weekend to attack because many IT companies would be caught off guard. If a higher number of technicians are taking the weekend off for the Fourth of July, there are fewer people on hand to try to remediate the problem.”
When asked if Noftek’s Data Vaccination solution could have protected the victims from this specific attack, Jackson responded: “Yes, absolutely. As long as they have their data backed up. They would still need to address the hack itself, but they could have done it with a lot less panic and fear over losing their data or paying a ransom.”
U.S. officials say they are investigating the hack, but additional information has been sparse so far. Those affected by this attack are encouraged to contact the FBI cybercrimes division.