Ransomware hits hundreds of US companies, security firm says

WASHINGTON (AP) - A ransomware attack crippled the networks of at least 200 U.S. businesses on Friday, according to a cybersecurity researcher whose firm was responding to the incident.

John Hammond, a security consultant at Huntress Labs, stated that the REvil gang, a major Russian-speaking ransomware network, appeared to be behind the attack. According to Hammond, the criminals targeted Kaseya, a software supplier, and used its network-management program to spread ransomware via cloud-service providers. Other researchers backed Hammond's assessment.

"Kaseya manages large enterprises all the way down to small businesses worldwide, so (this) has the potential to spread to any size or type of business," Hammond stated in a direct tweet. "This is a devastating and colossal supply chain attack."

Such cyberattacks usually infiltrate widely used software and spread malware automatically.

It wasn't immediately clear how many Kaseya customers might be affected, or even who they might be. In a statement posted on its website, Kaseya asked customers to shut down affected servers immediately. The attack was limited to a few customers, it said.

Emsisoft cybersecurity expert Brett Callow said that he had never heard of a ransomware supply chain attack of this magnitude. He said that there have been other ransomware attacks, but they were minor.

He said that this is SolarWinds running ransomware, a reference to the Russian cyberespionage hacking campaign that was discovered in December. That campaign infected network management software, which was then used to infiltrate U.S. government agencies and scores of corporations.

Jake Williams, a cybersecurity researcher and president of Rendition Infosec, said that he was already working with six companies affected by the ransomware.
He added that it was no accident that the ransomware attack occurred before the Fourth of July weekend, when IT staff are generally scarce. He said, "There is no doubt in my mind about the timing of this event."

Hammond of Huntress stated that he knew of four managed-services providers, companies that host IT infrastructure for multiple clients, being affected by the ransomware, which encrypts networks until the attackers' payment demands are met. He claimed that thousands of computers were affected.

Hammond stated that Huntress currently has three partners that are impacted, with approximately 200 businesses that were encrypted.

Hammond posted on Twitter: "Based upon everything we are seeing, we strongly believe that this (is) REvil/Sodinokibi."

Late Friday, the federal Cybersecurity and Infrastructure Security Agency said in a statement that it was closely monitoring the situation and working with the FBI to gather more information about its effects.

CISA asked anyone affected to follow Kaseya's directive to immediately shut down VSA servers.

Kaseya, a privately owned company, says it is based in Dublin, Ireland, with a U.S. head office in Miami. The Miami Herald recently called it one of Miami's oldest tech companies. It recently reported on its plans to hire 500 workers by 2022 in order to staff a newly acquired cybersecurity platform.

Brian Honan, a cybersecurity consultant from Ireland, stated by email Friday that this is a classic supply-chain attack in which criminals have compromised trusted suppliers of companies and have used that trust to attack their customers.

He stated that it is difficult for small businesses to defend themselves against such attacks because they rely heavily on the security of their suppliers and software.

Williams of Rendition Infosec said that the only positive news is that not all customers have Kaseya installed on every machine within their network.
This makes it more difficult for attackers to access an organization's computer systems. He said that this makes it easier to recover.

Active since April 2019, REvil provides ransomware-as-a-service. This means that it creates network-paralyzing software and leases it out to affiliates. These affiliates infect targets and make the largest share of ransoms.

REvil is one of the ransomware gangs that extort data from their targets and activate ransomware. According to a Palo Alto Networks cybersecurity report, the average ransom paid to the group was approximately half a million dollars.

Cybersecurity experts believe that the ransom negotiations might prove difficult for the gang due to the large number of victims. However, the extended U.S. holiday weekend may give them more time to begin working through the list.

___

Bajak reported from Boston, O'Brien from Providence, Rhode Island.