A ransomware attack paralyzed the networks of at least 200 U.S. companies on Friday, according to a cybersecurity researcher whose company was responding to the incident.
The REvil gang, a major Russian-speaking ransomware syndicate, appears to be behind the attack, said John Hammond of the security firm Huntress Labs. He said the criminals targeted a software supplier called Kaseya, using its network management package as a conduit to spread the ransomware through cloud service providers. Other researchers agreed with Hammond's assessment.
"Kaseya handles large enterprise all the way to small businesses globally, so ultimately, (this) has the potential to spread to any size or scale business," Hammond said in a direct message on Twitter. "This is a colossal and devastating supply chain attack." Such cyberattacks typically infiltrate widely used software and spread malware as it updates automatically.
It was not immediately clear how many Kaseya customers might be affected or who they might be. Kaseya urged customers in a statement on its website to immediately shut down servers running the affected software. It said the attack was limited to a "small number" of its customers.
Brett Callow, a ransomware expert at the cybersecurity firm Emsisoft, said he was unaware of any previous ransomware supply-chain attack on this scale. There have been others, but they were fairly minor, he said.
"This is SolarWinds with ransomware," he said. He was referring to a Russian cyberespionage hacking campaign discovered in December that spread by infecting network management software to infiltrate U.S. federal agencies and scores of corporations.
Cybersecurity researcher Jake Williams, president of Rendition Infosec, said he was already working with six companies hit by the ransomware. It's no accident that this happened before the Fourth of July weekend, when IT staffing is generally thin, he added.
"There's zero doubt in my mind that the timing here was intentional," he said.
Hammond of Huntress said he was aware of four managed-services providers — companies that host IT infrastructure for multiple customers — being hit by the ransomware, which encrypts networks until the victims pay off attackers. He said thousands of computers were hit.
"We currently have three Huntress partners who are impacted with roughly 200 businesses that have been encrypted," Hammond said.
Hammond wrote on Twitter: "Based on everything we are seeing right now, we strongly believe this (is) REvil/Sodinokibi." The FBI linked the same ransomware provider to a May attack on JBS SA, a major global meat processor.
The White House and the federal Cybersecurity and Infrastructure Security Agency did not immediately return messages seeking comment.
Q&A: What are the dangers of ransomware attacks?
How big a problem is ransomware?
These hacks shouldn't surprise anyone, said Bruce Schneier, a cybersecurity expert and lecturer at Harvard University's Kennedy School of Government.
"This happens hundreds of times a day," Schneier said. "These hackers, this time, just happened to land a big fish."
A task force of more than 60 experts from industry, government and nonprofits issued a report last month that called ransomware "a flourishing criminal industry that not only risks the personal and financial security of individuals, but also threatens national security and human life."
The report, published by the nonprofit Institute for Security and Technology, estimated that nearly 2,400 governments, healthcare facilities and schools were victims of ransomware attacks last year. Ransom payments rose to $350 million last year, a 300% increase over 2019, the report said. The average such payment topped $300,000.
The problem is growing, experts said. A cyber insurance firm told the task force that it tallied a 260% increase in ransomware attacks on its policyholders. A cybersecurity firm estimated that ransomware hacks spiked 700% in 2020 over 2019.
Christopher Krebs, the former head of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, testified before Congress last week that "we are on the cusp of a global digital pandemic, driven by greed, a vulnerable digital ecosystem in an ever-widening criminal enterprise."
Why are ransomware attacks on the rise?
Cybersecurity experts say two trends are behind the increase in ransomware assaults. The first, they said, was the growth of difficult-to-trace cryptocurrency, which has allowed hackers to easily obtain large ransom payments under the nose of financial regulators.
Meanwhile, they said, foreign governments have recognized the value in allowing hackers to operate inside their borders. Such hackers pay bribes to officials and agree to only target victims overseas. Russian operatives, in particular, believe such hackers help advance their foreign policy goals by causing trouble for adversaries, according to law enforcement officials and cybersecurity experts.
Who targeted Colonial Pipeline?
The FBI attributed an earlier Colonial Pipeline attack to DarkSide ransomware, which is produced by an eponymous criminal organization that U.S. officials and cybersecurity experts say operates in Eastern Europe or Russia.
DarkSide is a "ransomware-as-a-service" business that relies on selling malware to hackers who then launch attacks and share proceeds with the developers, according to U.S. officials and cybersecurity experts.
The group's malware packs a dual punch: It not only locks networks but also siphons data. This kind of attack is effective even if a company or government has backed up its information to mitigate the damage from ransomware, because hackers can still threaten to release the data they are holding publicly or to competitors.
Cybereason, a Boston-based cybersecurity firm, reported that DarkSide's approach "effectively renders the strategy of backing up data as a precaution against a ransomware attack moot."
In a statement obtained by multiple media organizations, DarkSide said its "goal is to make money, and not creating problems for society."
The U.S. government is taking steps to address the ransomware threat. The Justice Department last month formed a task force to combat ransomware, and the Biden administration says it is formulating a plan to tackle the problem.
Cybersecurity experts said they expect high-profile hacks like the one on Colonial Pipeline to prod potential victims to heighten security, create backups of data and come up with effective response plans.
"This problem will be greatly reduced over the next year because there is so much attention being paid to it," predicted Lewis, the cybersecurity expert at the Center for Strategic and International Studies.
Other experts are not so sanguine, saying hackers have proved adept at devising new ways to overcome cyberdefenses.
(Times staff writer Eli Stokols contributed to this report.)
©2021 Los Angeles Times. Visit at latimes.com. Distributed by Tribune Content Agency, LLC.
Bajak reported from Boston; O'Brien contributed from Providence, Rhode Island.