Monday, July 5, 2021
On Friday, a ransomware attack which initially targeted software company Kaseya spread to over 200 companies in the US through Kaseya’s network management software. Huntress Labs, a cybersecurity company, alleged the attack was carried out by REvil, a Russia-based ransomware group. Kaseya told its customers to stop using its services when it learned of the attack.
According to NBC News, the ransomware first spread to about 40 of Kaseya’s customers, which are mainly companies that manage Internet services for their customers, some of which manage them for thousands of companies. John Hammond, a security researcher at Huntress Labs, said that “It’s reasonable to think this could potentially be impacting thousands of small businesses”. Kaseya notified its customers of the attack on Friday afternoon and warned them to stop using its services immediately.
Business Insider reported REvil is a Russia-based organization which provides ransomware-as-a-service. BleepingComputer reported receiving a sample of the ransomware used in REvil’s attacks and said that the attackers demand USD five million for the ransomed files to be decrypted, though it is unknown if every victim received a demand for that same amount. Fabian Wosar, Chief Technical Officer (CTO) at the Emsisoft security firm, said affected customers had received demands for USD 44,999.
Swedish grocery chain Coop was also affected by the attack, and had to close all 800 of its stores because its checkout tills could not process payments due to the ransomware. Speaking to Swedish Television, Therese Knapp, a Coop spokesperson, said “We have been troubleshooting and restoring all night, but have communicated that we will need to keep the stores closed today”. Swedish company Visma Esscom, which manages servers for businesses, was using Kaseya software, according to Reuters. Railway services in Sweden were also disrupted.
On Saturday, US President Joe Biden directed intelligence agencies to investigate who was behind the attack. He said that “we’re not certain” who is behind the attack, adding “[t]he initial thinking was it was not the Russian government but we’re not sure yet”. The US Cybersecurity and Infrastructure Security Agency stated that it is “taking action to understand and address the recent supply-chain ransomware attack”.