By FRANK BAJAK, ERIC TUCKER and MATT OBRIEN, Associated Press

WASHINGTON – A ransomware attack crippled the networks of at least 200 U.S. companies on Friday, according to a cybersecurity researcher whose company was responding to the incident.

The REvil gang, a major Russian-speaking ransomware syndicate, appears to be behind the attack, said John Hammond of security firm Huntress Labs. He said the criminals targeted a software vendor called Kaseya, using its network management package as a means to distribute the ransomware through cloud service providers. Other researchers agreed with Hammond's assessment.

"Kaseya runs from large businesses to small businesses around the world, so ultimately (this) has the potential to expand to any business of size or scale," Hammond said in a direct message on Twitter. "This is a colossal and devastating attack on the supply chain."

Such supply chain attacks typically compromise widely used software and spread malware to its users when the software updates automatically.

It was not immediately clear how many Kaseya customers might be affected or who they might be. Kaseya urged customers in a statement posted on its website to immediately shut down servers running the affected software. The company said the attack was limited to a small number of its clients.

Brett Callow, a ransomware expert at cybersecurity firm Emsisoft, said he was not aware of any ransomware supply chain attacks on this scale. "There have been others, but they were quite minor," he said.

"This is SolarWinds with ransomware," he said. He was referring to a Russian cyber espionage hacking campaign discovered in December that spread by infecting network management software to infiltrate US federal agencies and dozens of companies.

Cybersecurity researcher Jake Williams, president of Rendition Infosec, said he is already working with six companies affected by the ransomware. It is no coincidence that this happened before the weekend of July 4, when IT staff are usually limited, he added.

"There is no doubt in my mind that the timing here was intentional," he said.

Hammond of Huntress said he is aware of four managed service providers, companies that host IT infrastructure for multiple clients, that have been hit by the ransomware, which encrypts networks until victims pay the attackers. He said thousands of computers have been affected.

"We currently have three Huntress partners who are affected, with about 200 businesses that have been encrypted," Hammond said.

Hammond wrote on Twitter: "Based on everything we're seeing right now, we strongly believe this (is) REvil / Sodinokibi." The FBI has linked the same ransomware gang to an attack in May on JBS SA, a major global meat processor.

The Cybersecurity and Infrastructure Security Agency (CISA) said in a statement Friday evening that it was closely monitoring the situation and working with the FBI to gather more information on its impact.

CISA urged anyone who may be affected to follow Kaseya's instructions to immediately shut down the VSA servers. Kaseya sells a product called Virtual System Administrator, or VSA, which is used to remotely manage and monitor a customer's network.

The privately held Kaseya says it is based in Dublin, Ireland, with a US headquarters in Miami. The Miami Herald recently described it as one of Miami's oldest tech companies in a report on its intention to hire up to 500 workers by 2022 to staff a newly acquired cybersecurity platform.