On Friday, a flood of ransomware hit hundreds of companies around the world. A grocery store chain, a public broadcaster, schools, and a national railway system were all hit by the file-encrypting malware, causing disruption and forcing hundreds of businesses to close.
The victims had something in common: a key piece of network management and remote control software developed by U.S. technology firm Kaseya. The Miami-headquartered company makes software used to remotely manage a company’s IT networks and devices. That software is sold to managed service providers — effectively outsourced IT departments — which they then use to manage the networks of their customers, often smaller companies.
But hackers associated with the Russia-linked REvil ransomware-as-a-service group are believed to have used a never-before-seen security vulnerability in the software’s update mechanism to push ransomware to Kaseya’s customers, which in turn spread downstream to their customers. Many of the companies who were ultimately victims of the attack may not have known that their networks were monitored by Kaseya’s software.
Kaseya warned customers on Friday to “IMMEDIATELY” shut down their on-premise servers, and its cloud service — though not believed to be affected — was pulled offline as a precaution.
John Hammond, senior security researcher at Huntress Labs, a threat detection firm that was one of the first to reveal the attack, said about 30 managed service providers were hit, allowing the ransomware to spread to “well over” 1,000 businesses.” Security firm ESET said it knows of victims in 17 countries, including the U.K., South Africa, Canada, New Zealand, Kenya, and Indonesia.
On Monday night, Kaseya said in an update that about 60 Kaseya customers were affected and put the downstream number of victims at fewer than 1,500 companies.
Now it’s becoming clearer just how the hackers pulled off one of the biggest ransomware attacks in recent history.
Dutch researchers said they found several zero-day vulnerabilities in Kaseya’s software as part of an investigation into the security of web-based administrator tools. (Zero-days are named as such since it gives companies zero days to fix the problem.) The bugs were reported to Kaseya and were in the process of being fixed when the hackers struck, said Victor Gevers, who heads the group of researchers, in a blog post.
Kaseya’s chief executive Fred Voccola told The Wall Street Journal that its corporate systems were not compromised, lending greater credence to the working theory by security researchers that servers run by Kaseya’s customers were compromised individually using a common vulnerability.
The company said that all servers running the affected software should stay offline until the patch is ready. Voccola told the paper that it expects patches to be released by late Monday.
The attack began late Friday afternoon, just as millions of Americans were logging off into the long July 4 weekend. Adam Meyers, CrowdStrike’s senior vice president of intelligence, said the attack was carefully timed.
“Make no mistake, the timing and target of this attack are no coincidence. It illustrates what we define as a Big Game Hunting attack, launched against a target to maximize impact and profit through a supply chain during a holiday weekend when business defenses are down,” said Meyers.
A notice posted over the weekend on a dark web site known to be run by REvil claimed responsibility for the attack, and that the ransomware group would publicly release a decryption tool if it is paid $70 million in bitcoin.
“More than a million systems were infected,” the group claims in the post.