CRIMINAL CRYPTO CAPITALI$M
Hundreds of companies around the world paralyzed by ransomware attackA successful ransomware attack on a single company has spread to at least 200 organizations, according to cybersecurity firm Huntress Labs, making it one of the single largest criminal ransomware sprees in history.
© Provided by NBC News
The attack, first revealed Friday afternoon, is believed to be affiliated with the prolific ransomware gang REvil and perpetuated through Kaseya, an international company that remotely controls programs for companies that, in turn, manage internet services for businesses.
Kaseya announced Friday afternoon it was attacked by hackers and warned all its customers to immediately stop using its service. Nearly 40 of its customers were hacked, Kaseya said late Friday night.
Since those Kaseya customers manage hundreds or thousands of businesses, it is unclear how many will fall victim to ransomware over the weekend. But the number's at least already around 200, said John Hammond, a senior security researcher at Huntress, which is helping with Kaseya's response. That number expected to rise.
The timing, just ahead of Fourth of July weekend, is unlikely to be a coincidence. Ransomware hackers often time their attacks to start at the beginning of a holiday or weekend to minimize the number of cybersecurity professionals who might be able to quickly jump on and stop the malicious software's spread.
Because of the interconnected nature of internet services, the attack quickly spread internationally. One of Sweden's largest grocery chains, Coop, has temporarily closed almost all of its nearly 800 stores because it was caught in the attack, a Coop spokesperson said in an email Saturday.
Video: White House warns companies about major surge in ransomware attacks (CNBC)
Alex Dittemore, the founder of SoCal Computers, a small company that manages online services for about a dozen California businesses, said his company and all its clients were locked Friday with the ransomware. He keeps backups for all of them, he said, but hasn't begun to restore their computers until Kaseya provides more guidance on when it was first infected with ransomware.
"One of the things that's a little frustrating right now is that there's not a lot of news coming down from Kaseya. We're all in a holding pattern, just hanging tight," he said.
"I've got 300, 400 people on Tuesday that are expecting to come back to work," Dittemore said. "It would be nice if we could get some kind of decryption key or golden bullet."
Computers at the local Teamsters 2010, a customer of Dittemore, were totally locked up, said that branch's vice president, Mary Higgins. The national Teamsters were not affected, a spokesperson said.
The malicious software used to encrypt victims' computers appears similar to the type normally used by REvil, a ransomware gang largely composed of Russian-speakers, multiple researchers have found. In the past, REvil has attempted "supply chain" compromises, where a hacker goes after a target that is connected to multiple organizations, in the hopes that one successful compromise will lead to many more.
The U.S. Cybersecurity and Infrastructure Security Agency announced Friday evening that it is "taking action to understand and address" the attack.
Eric Goldstein, CISA's executive assistant director for cybersecurity, said his agency and the FBI have begun assessing the scenario.
“CISA is closely monitoring this situation and we are working with the FBI to gather information about its impact," Goldstein said in an emailed statement.
"We encourage all who might be affected to employ the recommended mitigations and for users to follow Kaseya's guidance," he said.
EXPLAINER: Ransomware and its role in supply chain attacks
Another holiday weekend in the U.S., another ransomware attack that has paralyzed businesses around the world.
This time it's affecting an untold number of small and big companies that use IT software from a company called Kaseya.
High-profile ransomware attacks in May hit the world’s largest meat-packing company and the biggest U.S. fuel pipeline, underscoring how gangs of extortionist hackers can disrupt the economy and put lives and livelihoods at risk.
WHAT IS RANSOMWARE? HOW DOES IT WORK?
Ransomware scrambles the target organization’s data with encryption. The criminals leave instructions on infected computers for negotiating ransom payments. Once paid, they provide decryption keys for unlocking those files.
Ransomware crooks have also expanded into data-theft blackmail. Before triggering encryption, they sometimes quietly copy sensitive files and threaten to post them publicly unless they get their ransom payments.
WHAT'S A SUPPLY-CHAIN ATTACK?
The latest attack affecting Kaseya customers combines a ransomware operation with what's known as a supply-chain attack, which typically involves sneaking malicious code into a software update automatically pushed out to thousands of organizations.
Kaseya says the ransomware affected its product for remotely monitoring networks; but because many of its clients are providers of broader IT management services, a large number of organizations is likely to be affected.
“What makes this attack stand out is the trickle-down effect, from the managed service provider to the small business,” said John Hammond of the security firm Huntress Labs. “Kaseya handles large enterprise all the way to small businesses globally, so ultimately, it has the potential to spread to any size or scale business.”
Until now, the best-known recent supply-chain attack was attributed to elite Russian hackers and targeted software provider SolarWinds. But the motive was different; it was a massive intelligence operation targeting government agencies and others, not an attempt to extort money.
HOW DO RANSOMWARE GANGS OPERATE?
The criminal syndicates that dominate the ransomware business are mostly Russian-speaking and operate with near impunity out of Russia and allied countries. Though barely a blip three years ago, the syndicates have grown in sophistication and skill. They leverage dark web forums to organize and recruit while hiding their identities and movements with sophisticated tools and cryptocurrencies like Bitcoin that make payments — and their laundering — harder to track.
Most experts have tied the Kaseya attack to a group known as REvil, the same ransomware provider that the FBI linked to an attack on JBS SA, a major global meat processor, amid the Memorial Day holiday weekend.
Active since April 2019, the group provides ransomware-as-a-service, meaning it develops the network-paralyzing software and leases it to so-called affiliates who infect targets and earn the lion’s share of ransoms.
WHO IS AFFECTED?
The scale of the attack affecting Kaseya is not yet clear, but it's already been blamed for closing stores across a grocery chain in Sweden because their cash registers weren’t working.
Last year alone in the U.S., ransomware gangs hit more than 100 federal, state and municipal agencies, upwards of 500 health care centers, 1,680 educational institutions and untold thousands of businesses, according to the cybersecurity firm Emsisoft. Dollar losses are in the tens of billions. Accurate numbers are elusive. Many victims shun reporting, fearing the reputational blight.
The Associated Press
The attack, first revealed Friday afternoon, is believed to be affiliated with the prolific ransomware gang REvil and perpetuated through Kaseya, an international company that remotely controls programs for companies that, in turn, manage internet services for businesses.
Kaseya announced Friday afternoon it was attacked by hackers and warned all its customers to immediately stop using its service. Nearly 40 of its customers were hacked, Kaseya said late Friday night.
Since those Kaseya customers manage hundreds or thousands of businesses, it is unclear how many will fall victim to ransomware over the weekend. But the number's at least already around 200, said John Hammond, a senior security researcher at Huntress, which is helping with Kaseya's response. That number expected to rise.
The timing, just ahead of Fourth of July weekend, is unlikely to be a coincidence. Ransomware hackers often time their attacks to start at the beginning of a holiday or weekend to minimize the number of cybersecurity professionals who might be able to quickly jump on and stop the malicious software's spread.
Because of the interconnected nature of internet services, the attack quickly spread internationally. One of Sweden's largest grocery chains, Coop, has temporarily closed almost all of its nearly 800 stores because it was caught in the attack, a Coop spokesperson said in an email Saturday.
Video: White House warns companies about major surge in ransomware attacks (CNBC)
Alex Dittemore, the founder of SoCal Computers, a small company that manages online services for about a dozen California businesses, said his company and all its clients were locked Friday with the ransomware. He keeps backups for all of them, he said, but hasn't begun to restore their computers until Kaseya provides more guidance on when it was first infected with ransomware.
"One of the things that's a little frustrating right now is that there's not a lot of news coming down from Kaseya. We're all in a holding pattern, just hanging tight," he said.
"I've got 300, 400 people on Tuesday that are expecting to come back to work," Dittemore said. "It would be nice if we could get some kind of decryption key or golden bullet."
Computers at the local Teamsters 2010, a customer of Dittemore, were totally locked up, said that branch's vice president, Mary Higgins. The national Teamsters were not affected, a spokesperson said.
The malicious software used to encrypt victims' computers appears similar to the type normally used by REvil, a ransomware gang largely composed of Russian-speakers, multiple researchers have found. In the past, REvil has attempted "supply chain" compromises, where a hacker goes after a target that is connected to multiple organizations, in the hopes that one successful compromise will lead to many more.
The U.S. Cybersecurity and Infrastructure Security Agency announced Friday evening that it is "taking action to understand and address" the attack.
Eric Goldstein, CISA's executive assistant director for cybersecurity, said his agency and the FBI have begun assessing the scenario.
“CISA is closely monitoring this situation and we are working with the FBI to gather information about its impact," Goldstein said in an emailed statement.
"We encourage all who might be affected to employ the recommended mitigations and for users to follow Kaseya's guidance," he said.
EXPLAINER: Ransomware and its role in supply chain attacks
Another holiday weekend in the U.S., another ransomware attack that has paralyzed businesses around the world.
This time it's affecting an untold number of small and big companies that use IT software from a company called Kaseya.
High-profile ransomware attacks in May hit the world’s largest meat-packing company and the biggest U.S. fuel pipeline, underscoring how gangs of extortionist hackers can disrupt the economy and put lives and livelihoods at risk.
WHAT IS RANSOMWARE? HOW DOES IT WORK?
Ransomware scrambles the target organization’s data with encryption. The criminals leave instructions on infected computers for negotiating ransom payments. Once paid, they provide decryption keys for unlocking those files.
Ransomware crooks have also expanded into data-theft blackmail. Before triggering encryption, they sometimes quietly copy sensitive files and threaten to post them publicly unless they get their ransom payments.
WHAT'S A SUPPLY-CHAIN ATTACK?
The latest attack affecting Kaseya customers combines a ransomware operation with what's known as a supply-chain attack, which typically involves sneaking malicious code into a software update automatically pushed out to thousands of organizations.
Kaseya says the ransomware affected its product for remotely monitoring networks; but because many of its clients are providers of broader IT management services, a large number of organizations is likely to be affected.
“What makes this attack stand out is the trickle-down effect, from the managed service provider to the small business,” said John Hammond of the security firm Huntress Labs. “Kaseya handles large enterprise all the way to small businesses globally, so ultimately, it has the potential to spread to any size or scale business.”
Until now, the best-known recent supply-chain attack was attributed to elite Russian hackers and targeted software provider SolarWinds. But the motive was different; it was a massive intelligence operation targeting government agencies and others, not an attempt to extort money.
HOW DO RANSOMWARE GANGS OPERATE?
The criminal syndicates that dominate the ransomware business are mostly Russian-speaking and operate with near impunity out of Russia and allied countries. Though barely a blip three years ago, the syndicates have grown in sophistication and skill. They leverage dark web forums to organize and recruit while hiding their identities and movements with sophisticated tools and cryptocurrencies like Bitcoin that make payments — and their laundering — harder to track.
Most experts have tied the Kaseya attack to a group known as REvil, the same ransomware provider that the FBI linked to an attack on JBS SA, a major global meat processor, amid the Memorial Day holiday weekend.
Active since April 2019, the group provides ransomware-as-a-service, meaning it develops the network-paralyzing software and leases it to so-called affiliates who infect targets and earn the lion’s share of ransoms.
WHO IS AFFECTED?
The scale of the attack affecting Kaseya is not yet clear, but it's already been blamed for closing stores across a grocery chain in Sweden because their cash registers weren’t working.
Last year alone in the U.S., ransomware gangs hit more than 100 federal, state and municipal agencies, upwards of 500 health care centers, 1,680 educational institutions and untold thousands of businesses, according to the cybersecurity firm Emsisoft. Dollar losses are in the tens of billions. Accurate numbers are elusive. Many victims shun reporting, fearing the reputational blight.
The Associated Press