John Hammond, a security consultant at Huntress Labs, said that the REvil gang, a major Russian-speaking ransomware network, appeared to be behind the attack. According to Hammond, the criminals targeted Kaseya Software as a software supplier and used its network-management program to spread ransomware through cloud-service providers. Other researchers agreed with Hammond's assessment.
Hammond wrote in a tweet: "Kaseya manages large enterprise all the while small businesses worldwide, so ultimately (this) has potential to spread to any scale or business size. This is a devastating and colossal supply chain attack."
Supply chain attacks of this kind typically infiltrate widely used software and spread malware automatically.
It was not immediately clear how many Kaseya customers were affected, or who they were. In a statement posted on its website, Kaseya asked customers to shut down affected servers immediately. According to Kaseya, the attack affected only a small number of customers.
Emsisoft cybersecurity expert Brett Callow said that he had never heard of a ransomware supply chain attack on such a scale. He said that there have been other ransomware attacks, but they were minor.
He said, "This is SolarWinds with ransomware." This was in reference to the Russian cyberespionage hacking campaign that was discovered in December. It infected network management software to penetrate U.S. federal agencies as well as scores of corporations.
Jake Williams, president of Rendition Infosec, said that, as a cybersecurity researcher, he was already working with six companies hit by the ransomware. He added that it was no accident that the attack occurred before the Fourth of July weekend, when IT staff are generally scarce.
He stated, "There is no doubt in my mind that this timing was intentional."
Hammond of Huntress said he knew of four managed-service providers, companies that host IT infrastructure for multiple clients, that had been hit by the ransomware. Ransomware encrypts networks, and its operators then demand payment from the victims. He said that thousands of computers were affected.
Hammond said that approximately 200 businesses served by Huntress partners had been encrypted.
Hammond posted on Twitter: "Based upon everything we are seeing right at the moment, we strongly believe that this (is) REvil/Sodinokibi." In May, FBI investigators linked the ransomware provider to an attack on JBS SA in Johannesburg, a major global meat processor.
Late Friday, the federal Cybersecurity and Infrastructure Security Agency said in a statement that it was closely monitoring the situation and working with the FBI to gather more information about its impact.
CISA advised anyone affected by the shutdown of VSA servers to follow Kaseya’s instructions.
Kaseya, a privately owned company, says it is based in Dublin, Ireland, with a U.S. headquarters in Miami. The Miami Herald recently called it "one of Miami’s oldest tech companies" when it reported on its plans to hire 500 workers by 2022 to staff a newly acquired cybersecurity platform.
Brian Honan, a cybersecurity consultant from Ireland, said by email Friday that this was a classic supply chain attack, in which criminals compromise trusted suppliers of companies and abuse that trust to reach those suppliers' customers.
He stated that it is difficult for small businesses to defend themselves against such attacks because they "rely upon the security of their suppliers" and the software these suppliers use.
Williams of Rendition Infosec said that the only positive news is that not all customers have Kaseya installed on every machine in their network. This makes it more difficult for attackers to reach all of an organization's computers.
He said that this makes it easier to recover.
REvil, active since April 2019, operates as ransomware-as-a-service: it develops the network-paralyzing software and leases it out to affiliates, who infect targets and keep the largest share of the ransoms.
REvil is one of the ransomware gangs that steal data from their targets and then deploy the ransomware. According to a Palo Alto Networks cybersecurity report, the average ransom paid to the group was approximately half a million dollars.
Cybersecurity experts believe that ransom negotiations might prove difficult for the gang because of the large number of victims. However, the extended U.S. holiday weekend may give them more time to begin working through the list.