Suspected REvil gang ransomware attack hits at least 200 U.S. businesses

A ransomware attack crippled the networks of at least 200 U.S. companies on Friday, according to a cybersecurity researcher whose company was responding to the incident.

The REvil gang, a major Russian-speaking ransomware syndicate, appears to be behind the attack, said John Hammond of security firm Huntress Labs. He said the criminals targeted a software vendor called Kaseya, using its network management package as a means to distribute the ransomware through cloud service providers. Other researchers agreed with Hammond’s assessment.


“Kaseya runs from large businesses to small businesses all over the world, so ultimately (this) has the potential to expand to any size or scale of business,” Hammond said in a direct message on Twitter. “This is a colossal and devastating attack on the supply chain.”

Such cyberattacks typically compromise widely used software and spread malware as that software updates automatically.

It was not immediately clear how many Kaseya customers might be affected or who they might be. In a statement posted on its website, Kaseya urged customers to immediately shut down servers running the affected software. It said the attack was limited to a “small number” of its clients.

Brett Callow, a ransomware expert at cybersecurity firm Emsisoft, said he was not aware of any ransomware supply chain attacks on this scale. There have been others, but they were quite minor, he said.


“It’s SolarWinds with ransomware,” he said. He was referring to a Russian cyber espionage hacking campaign discovered in December that spread by infecting network management software to infiltrate US federal agencies and dozens of companies.


Cybersecurity researcher Jake Williams, president of Rendition Infosec, said he is already working with six companies affected by the ransomware. It is no coincidence that this happened before the July 4 holiday weekend, when IT staffing is generally thin, he added.

“There is no doubt in my mind that the timing here was intentional,” he said.

Hammond of Huntress said he was aware that four managed service providers – companies that host IT infrastructure for multiple clients – were affected by the ransomware, which encrypts networks until victims pay attackers. He said thousands of computers have been affected.


“We currently have three Huntress partners who are impacted by about 200 businesses that have been encrypted,” Hammond said.

Hammond wrote on Twitter: “Based on everything we’re seeing right now, we strongly believe this is REvil / Sodinokibi.” The FBI has linked the same ransomware provider to an attack in May on JBS SA, a major global meat processor.

The federal Cybersecurity and Infrastructure Security Agency said in a statement Friday evening that it was closely monitoring the situation and working with the FBI to gather more information on its impact.

CISA urged anyone who may be affected to “follow Kaseya’s advice to immediately shut down the VSA servers”. Kaseya runs what is called a Virtual System Administrator, or VSA, which is used to remotely manage and monitor a customer’s network.


Private company Kaseya says it is based in Dublin, Ireland, with a US headquarters in Miami. The Miami Herald recently described it as “one of Miami’s oldest tech companies” in a report on its intention to hire up to 500 workers by 2022 to staff a newly acquired cybersecurity platform.

Brian Honan, an Irish cybersecurity consultant, said by email on Friday that “this is a classic supply chain attack in which criminals have compromised a trusted company supplier and abused this trust to attack their customers.”

He said it can be difficult for small businesses to defend themselves against this type of attack because they “rely on the security of their vendors and the software they use.”

The only good news, said Williams, of Rendition Infosec, is that “a lot of our customers don’t have Kaseya on every machine in their network,” making it harder for attackers to move through an organization’s computer systems.

That makes recovery easier, he said.

Active since April 2019, the group known as REvil provides ransomware-as-a-service: it develops the network-crippling software and leases it to so-called affiliates, who infect targets and earn the lion’s share of the ransoms.

REvil is one of the ransomware gangs that steal data from targets before activating the ransomware, boosting their extortion efforts. The average ransom payment to the group was around half a million dollars last year, cybersecurity firm Palo Alto Networks said in a recent report.

Some cybersecurity experts predicted that it might be difficult for the gang to handle the ransom negotiations, given the large number of victims, although the long holiday weekend in the United States could give them more time to start working on the list.

© 2021 The Canadian Press
