A successful ransomware attack on a single company has spread to at least 200 organizations and likely far more, according to cybersecurity firm Huntress Labs, making it one of the single largest criminal ransomware sprees in history.
The attack, first revealed Friday afternoon, is believed to be affiliated with the prolific ransomware gang REvil and was perpetrated through Kaseya, an international company that provides remote management software to companies that, in turn, manage internet services for businesses.
Kaseya announced Friday afternoon it was attacked by hackers and warned all its customers to immediately stop using its service. Nearly 40 of its customers were hacked, Kaseya said late Friday night.
Since those Kaseya customers manage hundreds or thousands of businesses, it is unclear how many will fall victim to ransomware over the weekend. But the number is already at least around 200, said John Hammond, a senior security researcher at Huntress, which is helping with Kaseya’s response. That number is expected to rise.
“It’s reasonable to think this could potentially be impacting thousands of small businesses,” Hammond said.
The timing, just ahead of Fourth of July weekend, is unlikely to be a coincidence. Ransomware hackers often time their attacks to start at the beginning of a holiday or weekend to minimize the number of cybersecurity professionals who might be able to quickly jump on and stop the malicious software’s spread.
Few American companies have come forward as victims so far. But a person familiar with some victims said that they included a large New Jersey educational services company, an outpatient surgical center in South Carolina and a mid-size law firm in Florida.
Because of the interconnected nature of internet services, the attack quickly spread internationally. One of Sweden’s largest grocery chains, Coop, has temporarily closed almost all of its nearly 800 stores because it was caught in the attack, a Coop spokesperson said in an email Saturday.
Coop was infected with ransomware because it uses a European online software company, Visma EssCom, that provides services to more than 200 companies in 20 countries. Visma, which didn’t respond to a request for comment, warned on its website Saturday that because of the attack on Kaseya, many stores that use Visma “cannot charge their customers when the cash registers are infected.” It’s unclear how many other companies were rendered inoperable through Visma.
Alex Dittemore, the founder of SoCal Computers, a small company that manages online services for about a dozen California businesses, said his company and all its clients were locked Friday with the ransomware. He keeps backups for all of them, he said, but won’t begin restoring their computers until Kaseya provides more guidance on when it was first infected with ransomware.
“One of the things that’s a little frustrating right now is that there’s not a lot of news coming down from Kaseya. We’re all in a holding pattern, just hanging tight,” he said.
“I’ve got 300, 400 people on Tuesday that are expecting to come back to work,” Dittemore said. “It would be nice if we could get some kind of decryption key or golden bullet.”
Computers at the local Teamsters 2010, a customer of Dittemore, were totally locked up, said that branch’s vice president, Mary Higgins. The national Teamsters were not affected, a spokesperson said.
The malicious software used to encrypt victims’ computers appears similar to the type normally used by REvil, a ransomware gang largely composed of Russian-speakers, multiple researchers have found. In the past, REvil has attempted “supply chain” compromises, where a hacker goes after a target that is connected to multiple organizations, in the hopes that one successful compromise will lead to many more.
REvil was also behind the ransomware attack on JBS, the major meat processing plant that was forced to briefly shut down its U.S. operations in June.
The U.S. Cybersecurity and Infrastructure Security Agency announced Friday evening that it is “taking action to understand and address” the attack.
Eric Goldstein, CISA’s executive assistant director for cybersecurity, said his agency and the FBI have begun assessing the scenario.
“CISA is closely monitoring this situation and we are working with the FBI to gather information about its impact,” Goldstein said in an emailed statement.
“We encourage all who might be affected to employ the recommended mitigations and for users to follow Kaseya’s guidance,” he said.