American businesses have been hit by a ransomware attack in the last few hours. The cybercriminal gang, which is believed to operate out of Eastern Europe or Russia, targeted a key software vendor known as Kaseya. Kaseya’s product, VSA, is a widely used tool to reach into corporate networks across the United States. The incident affects not only IT management companies, but also those companies’ corporate clients that have outsourced IT management to them. Kaseya has 40,000 customers for its products, though not all use the affected tool. US cyber officials reported that this new major ransomware attack was carried out by the same group responsible for the cyberattack on the meat supplier JBS Foods this spring.
In a statement on its website, Kaseya confirmed that the VSA tool, which is used to monitor and manage servers, desktops, network devices and printers, has been attacked. The ransomware appears to have been secretly embedded in Kaseya VSA, which helped spread the malicious software because VSA is used by IT management firms to distribute software updates to their customers. “We are investigating a potential attack against the VSA that indicates to have been limited to a small number of our on-premises customers only,” Kaseya said. “We have proactively shut down our SaaS servers out of an abundance of caution.”
In recent times, organizations that play critical roles in the US economy have increasingly been targeted by cybercriminals. Incidents of ransomware attacks have exploded, aided by the ease of payment in cryptocurrency and by an increasing rate of working from home, which makes computers more vulnerable. Earlier in May, a high-profile attack against Colonial Pipeline disrupted fuel shipments to gas stations all along the East Coast, prompting widespread panic buying. Also in the month of June, the JBS cyberattack led to a temporary shutdown of all nine of its US beef processing plants. These attacks have continued to increase and have become a major source of concern. Kyle Hanslovan, CEO of the cybersecurity firm Huntress Labs, recalled at least one case of the cyberattack. Hanslovan said the attackers demanded a ransom of $5 million. The latest, rapidly unfolding cyberattack has prompted alarm among cybersecurity experts within the country.
Christopher Krebs, former director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), advised in a tweet, “If you use Kaseya VSA, shut it down *now* until told to reactivate and initiate.” Kaseya has also communicated through a blog post that it has shut down its cloud servers as it investigates the VSA incident. It is estimated that as many as 1,000 small-to-medium-sized businesses may be affected by this sudden hack.
An analysis of the malicious software by the cybersecurity firm Emsisoft shows that it was created by REvil. “We have direct knowledge of it now and we have confirmed it is indeed REvil,” Hanslovan said. The ransomware appears to have been secretly embedded in Kaseya VSA, which helped spread the malicious software because VSA is used by IT management firms to distribute software updates to their customers, Hanslovan said. It is unclear how Kaseya’s software was first compromised; however, investigations are ongoing to uncover flaws.