Ransomware attack on Kaseya, a software firm, threatens businesses worldwide

It's the latest massive ransomware exploit, as concerns over such attacks have skyrocketed.

Edward Moyer Senior Editor
Ed is a many-year veteran of the writing and editing world who enjoys taking sentences apart and putting them back together. He also likes making them from scratch. For nearly a quarter of a century, he's edited and written stories about various aspects of the technology world, from the US National Security Agency's controversial spying techniques to historic NASA space missions to 3D-printed works of fine art. Before that, he wrote about movies, musicians, artists and subcultures.
  • Ed was a member of the CNET crew that won a National Magazine Award from the American Society of Magazine Editors for general excellence online. He's also edited pieces that've nabbed prizes from the Society of Professional Journalists and others.
Edward Moyer
4 min read
Privacy and security on the internet
James Martin/CNET

Following recent ransomware attacks that took down a major gas pipeline and a major meat processor in the US, a new assault has surfaced, this time hitting a Miami-based company that provides tech-management tools to customers worldwide.

Hundreds of companies, including a railway, pharmacy chain and grocery chain in Sweden, were directly hit by the supply-chain attack on software company Kaseya, which has continually posted alerts to its site since Friday. But even more companies -- at least 36,000 -- were indirectly affected by the attack because Kaseya advised all its customers to take their servers offline Friday and has not yet given them the go-ahead to go back online.

On Sunday afternoon, Kaseya announced that it will attempt to start putting servers back online overnight in the UK, Europe and Asia and then do the same in North America on Monday afternoon.

Kaseya released a compromise detection tool on Saturday night to nearly 900 customers that requested it, the company said Sunday morning in an alert. Kaseya noted Sunday it had received no new reports of compromise since Saturday. The company is working with both the FBI and the US Cybersecurity and Infrastructure Agency to investigate the attack.

"We are in the process of formulating a staged return to service of our SaaS server farms with restricted functionality and a higher security posture (estimated in the next 24-48 hours but that is subject to change) on a geographic basis)," the company noted Sunday morning, referring to the Software as a Service server farms.

The attack involves a Kaseya product called VSA, which among other things lets small and medium-size businesses remotely monitor their computer systems and automatically take care of routine server maintenance and security updates. 

"We're actually 100% confident that we know how it happened, and we've remediated it," Kaseya CEO Fred Voccola told Good Morning America early Sunday.

REvil, the Russia-linked hacking group behind the attack on meat processor JBS, is linked to the Kaseya attack, The Wall Street Journal reported. Security firms Huntress Labs and Sophos Labs have likewise pointed to REvil.

Fewer than 40 customers were directly hit by the cyberattack, Voccola told The New York Times, but some of those companies are managed service providers that supply IT tools to hundreds of businesses. The Times said one of Sweden's largest grocery chains, Coop, had to close at least 800 of its stores due to the attack. 

Some of the victims received demands for $5 million in ransom, the Times reported.

"We have been advised by our outside experts, that customers who experienced ransomware and receive communication from the attackers should not click on any links -- they may be weaponized," Kaseya said Saturday in an alert.

Ransomware attacks, where hackers breach systems and hold networks and data for ransom, have become an increasingly alarming phenomenon. In June, JBS, one of the biggest meat producers in the US, paid an $11 million ransom for an attack that temporarily knocked out its processing plants. And in May, Colonial Pipeline revealed it had to shut down the main pipeline carrying gas to the densely populated East Coast due to an attack. Colonial paid the hackers a $4.4 million ransom, though the Department of Justice later said it had recovered part of the payment

Apart from the financial impact, such attacks, which have also hit hospitals, banks and city governments, have raised concern about the vulnerability of critical infrastructure. Shortly after the Colonial Pipeline attack became public, President Joe Biden signed an executive order aimed at improving US cybersecurity defenses. The Biden administration also said it planned to launch a task force aimed at cracking down on hackers who use ransomware.

And in Biden's summit last month with Russian President Vladimir Putin, one of the main topics of discussion was cyberattacks on critical infrastructure, whether launched by nation-states or hacking gangs within their boundaries. 

Biden has directed intelligence agencies to look into the matter, Reuters reported.

"The initial thinking was it was not the Russian government but we're not sure yet," Biden told reporters Saturday. "If it is either with the knowledge of and/or a consequence of Russia then I told Putin we will respond," Biden said, referring to the June summit. Biden said he would be briefed on the Kaseya attack Sunday.

On Sunday afternoon, Anne Neuberger, deputy national security adviser for cyber and emerging technology, said in a statement that Biden has "directed the full resources of the government to investigate this incident." The statement didn't offer an assessment on the source of the attack.

The Russian Embassy in Washington didn't respond to a request for comment.

Asked for additional information on the attack, Kaseya said it's sharing its latest updates on its website and via social media. The FBI asked that victims report the attack to its Internet Crime Complaint Center. The FBI and the US Cybersecurity and Infrastructure Agency also jointly released a detailed list of actions that Kaseya customers should take, including those related to multi-factor authentication, remote monitoring and management, virtual private networks and manual patch management. The joint statement didn't include their own assessment of the source of the attack but did link to sites that are specifically pointing to REvil.

CNET's Natalie Weinstein contributed to this report.