A major new ransomware attack by the same group that hit meat supplier JBS Foods this spring is being investigated by US cyber officials.
The REvil malware this time infected a wide range of IT management firms, compromising hundreds of their corporate clients.
According to cybersecurity experts, the cybercriminal gang, which is thought to be based in Eastern Europe or Russia, targeted Kaseya, a key software vendor whose products are widely used by IT management companies.
President Joe Biden stated on Saturday that the US government does not know who is responsible for the attack, but that he has directed federal agencies to assist in the response.
“The fact is that I directed the intelligence community to give me a deep dive on what’s happened and I’ll know better tomorrow. And if it is either with the knowledge of and/or the consequence of Russia, then I told Putin we will respond,” Biden said, referring to his meeting with the Russian leader last month.
“We’re not certain. The initial thinking it was not the Russian government but we’re not sure yet,” he added.
According to Kyle Hanslovan, CEO of cybersecurity firm Huntress Labs, “this latest ransomware attack has already knocked out at least a dozen IT support firms that rely on Kaseya’s remote management tool called VSA.”
The attackers demanded a $5 million ransom in at least one case, according to Hanslovan.
According to Hanslovan, the incident not only affects IT management companies, but also their corporate clients who have outsourced IT management to them. He estimated that the hack could affect up to 1,000 small-to-medium-sized businesses.
“This is very new, and we don’t know the scale yet,” Hanslovan said.
Cybercriminals have been increasingly targeting organizations that play critical roles across broad swaths of the US economy in recent months. Fuel shipments to gas stations all along the east coast were disrupted by a high-profile attack against Colonial Pipeline in May, prompting widespread panic buying. All nine of JBS’s beef processing plants in the United States were temporarily shut down as a result of the earlier ransomware attack on that company.
Experts in cybersecurity are concerned about the latest, rapidly unfolding attack.
“Shut down Kaseya VSA now until told to reactivate and initiate (incident response),” tweeted Christopher Krebs, former director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. CISA stated in its own advisory that it is working to understand and address the problem.
In a blog post, Kaseya said it has shut down its cloud servers while it investigates the VSA incident.
“We are investigating a potential attack against the VSA that indicates to have been limited to a small number of our on-premises customers only,” Kaseya said. “We have proactively shut down our SaaS servers out of an abundance of caution.”
According to Emsisoft’s analysis of the malicious software, it was created by REvil, the ransomware gang that has been blamed by US officials for compromising JBS Foods.
Three of the compromised IT service providers are Huntress Labs’ own cybersecurity clients, according to Hanslovan.
“We have direct knowledge of it now and we have confirmed it is indeed REvil,” Hanslovan said.
According to Hanslovan, the malware has infected up to 200 customers of the three affected IT service providers.
According to Hanslovan, the ransomware was secretly embedded in Kaseya VSA, which helped the malicious software spread because IT management companies use VSA to distribute software updates to their customers. It’s unclear how Kaseya’s software was compromised in the first place.
This supply chain attack is similar to the one used by Russian hackers in the SolarWinds hack, except that here the malicious software was used to hijack victim networks rather than to spy on them.