Hackers began a ransomware attack on Friday, hitting at least 200 companies, according to cyber security researchers.
In what appears to be one of the largest supply chain attacks to date, hackers compromised Kaseya, an IT management software supplier, in order to spread ransomware to the managed service providers that use its technology, as well as to their clients in turn.
Cyber security group Huntress Labs attributed the attacks to REvil, the notorious Russia-linked ransomware cartel that the FBI claimed was behind a recent crippling attack on beef supplier JBS.
The attack is the latest example of hackers weaponising the IT supply chain in order to attack victims at scale, by breaching just one provider. Last year, it emerged that Russian state-backed hackers had hijacked the SolarWinds IT software group in order to penetrate the email networks of US federal agencies and corporations, for example.
Late on Friday, Kaseya estimated that around 40 of its direct 36,000 customers had been affected by the attacks. It urged those using the compromised “VSA server” tool, which provides remote monitoring and patching capabilities, to shut it down immediately.
“We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it for our on-premises customers that will be tested thoroughly,” the company added.
Meanwhile, Huntress said that three managed service providers it worked with had been compromised, resulting in around 200 businesses falling victim to ransomware attacks — where data is encrypted by hackers and only released if a ransom is paid.
Huntress said that it was aware of at least eight compromised cloud service providers, suggesting the number of ransomware victims could be far higher.
Allan Liska of Recorded Future’s computer security incident response team said that the clients of managed service providers tend to be small and medium-sized companies seeking IT support. But the attacks highlight the risks of relying on centralised third parties, he said.
“We’ve essentially handed over too much trust so that if something happens to them, it becomes a catastrophic event for your organisation through no fault of your own,” he said.
In an alert, the Cybersecurity and Infrastructure Security Agency said that it was “taking action to understand and address the recent supply-chain ransomware attack”.
The campaign is the latest in a series of audacious ransomware attacks this year, including on America’s Colonial Pipeline, which have prompted pledges from the Biden administration to crack down on perpetrators.
At last month’s Geneva summit, president Joe Biden urged Russian president Vladimir Putin to rein in ransomware hackers, many of whom are believed to operate with impunity in the country.