According to a security firm, hundreds of American companies have been affected by a ransomware attack that paralyzed the networks of at least 200 U.S. companies.
On Friday, John Hammond, a researcher at the cybersecurity company Huntress Labs, said that the REvil group, a large Russian-speaking ransomware gang, appeared to be behind the attack.
The attackers appear to have used the network management software of the software company Kaseya as a channel for distributing the ransomware through cloud service providers.
Other researchers agreed with Hammond’s assessment. “It spans businesses of all sizes and scales,” Hammond said in a direct message on Twitter, calling it a huge and destructive supply chain attack. Such cyberattacks typically penetrate widely used software and spread malware through it, often when the software is updated automatically.
Ransomware hits hundreds of US companies, security firm says https://t.co/ruOqcL2x7w
— The Boston Globe (@BostonGlobe) July 3, 2021
It is not clear how many of Kaseya’s customers may be affected, or who they may be. In a statement on its website, Kaseya urged customers to shut down servers running the vulnerable software immediately.
Brett Callow, a ransomware expert at the cybersecurity company Emsisoft, said he was unaware of any previous ransomware attack on a supply chain at such a scale. There have been others, he said, but they were limited to a “small amount” and fairly trivial. This, he said, is SolarWinds with ransomware.
He was referring to the Russian hacking campaign discovered in December last year, which spread by infecting network management software and penetrated U.S. federal agencies and dozens of companies.
Jack Williams, president of Rendition Infosec and a network security researcher, said he had worked with six companies affected by the ransomware.
He added that it was no coincidence that the attack came just before the July 4 holiday weekend, when IT professionals are generally in short supply.
“I do not doubt that the timing here was intentional,” said Hammond of Huntress, who said he was aware of four hosting service providers (companies that host IT infrastructure for multiple customers) being hit by the ransomware, which encrypts networks until the victims pay the attackers. He also said that thousands of computers had been attacked. “We currently have three Huntress partners who have been affected, with approximately 200 companies encrypted,” Hammond said.
Typical supply chain attack
Hammond wrote on Twitter: “From what we see now, we firmly believe that this is REvil/Sodinokibi.” The FBI linked the same ransomware group to an attack in May on JBS SA, the world’s largest meat processor.
The federal Cybersecurity and Infrastructure Security Agency (CISA) said in a statement on Friday that it is closely monitoring the situation and working with the FBI to gather more information.
CISA urged anyone who may be affected to “shut down the VSA server immediately, following Kaseya’s instructions.” Kaseya’s so-called virtual system manager, or VSA, is used for remote management and monitoring of customers’ networks.
Kaseya, a privately held company, is headquartered in Dublin, Ireland, and also operates in the United States. The Miami Herald recently described it as “one of Miami’s oldest technology companies.” The company plans to hire up to 500 people by 2022 to develop a newly acquired cybersecurity platform.
Brian Honan, an Irish cybersecurity consultant, said via email on Friday, “This is a typical supply chain attack. Criminals have compromised a trusted enterprise supplier and used this trust to attack their customers.”
He added that small businesses might have difficulty defending against these types of attacks because they “trust the security of the vendor and the software they use.” There was only one piece of good news, said Williams of Rendition Infosec.
REvil – stealing the target’s data
“Many of our customers do not install Kaseya on every machine on their network. That makes it more difficult for attackers to break into the company’s computer systems, and it makes recovery easier,” he said. The REvil group has been active since April 2019, providing ransomware as a service.
That means it develops the malware and leases it to so-called affiliates, who receive most of the ransom. The network security company Palo Alto Networks stated in a recent report that REvil is one of the ransomware groups that steal a target’s data before activating the ransomware.
Over the past year it has increased its ransomware demands to approximately $500,000. Some cybersecurity experts predict that the gang will be difficult to deal with.