
A massive ransomware attack hit hundreds of businesses. Here's what we know

Posted: Jul 6, 2021 6:00 PM
Updated: Jul 6, 2021 6:00 PM
Posted By: Clare Duffy, CNN Business

Businesses and governments around the world are scrambling to understand yet another major ransomware attack that hit over the weekend, which could potentially cost tens of millions of dollars and affect more than 1,000 other companies.

Hackers hit a range of IT management companies and compromised their corporate clients by targeting a key software vendor called Kaseya. On Monday, the attackers requested a $70 million payment in bitcoin in exchange for a decryption tool that could help victims recover from the attack.

Kaseya is the latest ransomware victim in a string of attacks that have also hit major fuel supplier Colonial Pipeline and meat processor JBS Foods, prompting worries among researchers, corporate leaders and US officials about cyber risks to physical and digital infrastructure.

Given that the attack hit just before a holiday weekend, the full extent of the damage may not be known until this week. Here's what we know so far.

Who was affected?

On Friday afternoon, Kaseya was alerted to a potential attack involving a remote management software called VSA, the company said in a statement. Within an hour, it shut down access to that software in an effort to stem the attack's spread. By Saturday, US officials said they were tracking the attack.

Kaseya provides technology that helps other companies manage their information technology — essentially, the digital backbone of their operations. In many cases, Kaseya sells its technology to third-party service providers, which manage IT for other companies, often small- and medium-sized businesses. In short, by targeting Kaseya's software, attackers had easier access to a range of different companies' networks.

Over the weekend, experts said the attack had already knocked out at least a dozen IT support firms that rely on Kaseya's remote management tool. The incident not only affects Kaseya's IT management customers, but also those companies' corporate clients that have outsourced IT management to them.

Kaseya on Tuesday said around 50 of its customers that use the on-premises version of VSA had been directly compromised by the attack — but it said as many as 1,500 downstream businesses around the world have been compromised. These include dentists' offices, small accounting offices and local restaurants, the company said.

Kaseya's chief executive, Fred Voccola, added in an interview with Reuters on Monday that it is hard to gauge the full impact of the attack, but that he was not aware of any nationally important organizations being compromised.

"We're not looking at massive critical infrastructure," he told Reuters. "That's not our business. We're not running AT&T's network or Verizon's 911 system. Nothing like that."

Who was behind it?

REvil is the criminal hacking gang whose malware was behind the Kaseya attack, cyber researchers have said.

The group, which is believed to operate out of Eastern Europe or Russia, is one of the most infamous "ransomware-as-a-service" providers, meaning it supplies tools for others to carry out ransomware attacks and takes a cut of the profits. It also executes some of its own attacks.

Experts have been tracking REvil since it emerged in 2019 and quickly became a sort of "thought leader" in the hacking space, said Jon DiMaggio, the chief security strategist at cybersecurity firm Analyst1 who tracks ransomware groups. Several hacking groups, including the DarkSide gang that carried out the Colonial Pipeline attack in May, are thought to have been created by people who originally worked for REvil, DiMaggio said.

REvil is believed to operate out of Eastern Europe or Russia because its representatives communicate online in Russian and its attacks are generally designed to avoid Russian devices, experts say. US officials have urged Russia to take action to prosecute cybercriminal groups operating within the country.

REvil was also behind several other recent, high-profile ransomware attacks — it hit JBS Foods last month, Apple supplier Quanta Computer in April and electronics maker Acer in March.

About the timing...

It's not surprising that the attack hit just ahead of a major holiday weekend. Experts say holidays and long weekends are the best times for hackers to execute ransomware attacks because it gives them more time to encrypt files and devices before anyone has a chance to notice and respond.

Executing the attack on Fourth of July weekend, in particular, may have also been intentional, according to DiMaggio.

After US officials took out DarkSide following the Colonial Pipeline attack and reclaimed some of the ransom it had received, REvil took to online hacking forums to say that ransomware groups would not be deterred by the United States, DiMaggio said.

"They've always seemed anti-US but especially since the DarkSide takedown, and now we're seeing this massive attack against our infrastructure on Independence Day weekend," he said. "I think it's sending a very strong message."

How has the White House responded?

The White House has urged companies who believe their systems were compromised by the attack to immediately report it to the Internet Crime Complaint Center.

"Since Friday, the United States Government has been working across the interagency to assess the Kaseya ransomware incident and assist in the response," said Anne Neuberger, deputy national security advisor for cyber and emerging technology, on Sunday. "The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have been working with Kaseya and coordinating to conduct outreach to impacted victims."

President Joe Biden also said in a press briefing over the weekend that, while officials are still investigating the source of the attack, the United States could retaliate if the Russian government is involved.

"If it is either with the knowledge of and/or the consequence of Russia, then I told Putin we will respond," Biden said Saturday, referring to his meeting with the Russian leader last month. "We're not certain. The initial thinking it was not the Russian government but we're not sure yet."

What should we learn?

The attack on Kaseya points to a popular target for ransomware attackers: Managed Service Providers. MSPs such as Kaseya's customers allow companies to outsource certain software and services, such as IT management, to third parties, which can help avoid the cost of having to employ such experts in-house.

SolarWinds — the company that was hit by a devastating security breach last year — similarly provides IT management software to many Fortune 500 firms and government agencies.

While attacks on these kinds of providers are not new, MSPs represent a big opportunity for hackers because of the way they interact with other companies' networks, DiMaggio said. In many cases, there are no technical checks on software updates coming from these providers because they are considered "trusted" partners, potentially leaving customers vulnerable to bad actors that could embed ransomware payloads into those updates.

"There's going to have to be more checks and balances for any third-party vendor," he said.

The-CNN-Wire
™ & © 2021 Cable News Network, Inc., a WarnerMedia Company. All rights reserved.
