US cyber officials are tracking a major new ransomware attack by the same group that hit meat supplier JBS Foods this spring.
This time, the REvil malware hit a wide range of IT management companies and compromised hundreds of their corporate clients.
The cybercriminal gang, which is believed to operate out of Eastern Europe or Russia, targeted a key software vendor known as Kaseya, whose products are widely used by IT management companies, cybersecurity experts said.
On Saturday, President Joe Biden said that the US government is not certain who is behind the attack, but he has directed federal agencies to assist in the response.
“The fact is that I directed the intelligence community to give me a deep dive on what’s happened and I’ll know better tomorrow. And if it is either with the knowledge of and/or the consequence of Russia, then I told Putin we will respond,” Biden said, referring to his meeting with the Russian leader last month.
“We’re not certain. The initial thinking it was not the Russian government but we’re not sure yet,” he added.
This latest ransomware attack has already knocked out at least a dozen IT support firms that rely on Kaseya’s remote management tool called VSA, said Kyle Hanslovan, CEO of the cybersecurity firm Huntress Labs.
In at least one case, Hanslovan said, the attackers demanded a ransom of $5 million.
The incident affects not only the IT management companies, but also those companies’ corporate clients that have outsourced IT management to them, Hanslovan said. He estimated that as many as 1,000 small-to-medium-sized businesses may be affected by the hack.
“This is very new, and we don’t know the scale yet,” Hanslovan said.
In recent months, cybercriminals have increasingly targeted organizations that play critical roles across broad swaths of the US economy. A high-profile attack against Colonial Pipeline in May disrupted fuel shipments to gas stations all along the East Coast, prompting widespread panic buying. The JBS cyberattack led to a temporary shutdown of all nine of its US beef processing plants.
The latest, rapidly unfolding attack prompted alarm among cybersecurity experts.
“If you use Kaseya VSA, shut it down *now* until told to reactivate and initiate (incident response),” tweeted Christopher Krebs, former director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. In its own advisory, CISA said it is working to understand and address the issue.
In a blog post, Kaseya said it has shut down its cloud servers as it investigates the VSA incident.
“We are investigating a potential attack against the VSA that indicates to have been limited to a small number of our on-premises customers only,” Kaseya said. “We have proactively shut down our SaaS servers out of an abundance of caution.”
An analysis of the malicious software by the cybersecurity firm Emsisoft shows that it was created by REvil, the ransomware gang that US officials have said compromised JBS Foods.
Meanwhile, three of the compromised IT service providers are among Huntress Labs’ own cybersecurity clients, Hanslovan said.
“We have direct knowledge of it now and we have confirmed it is indeed REvil,” Hanslovan said.
As many as 200 customers of the three affected IT service providers have been compromised by the malware, Hanslovan said.
The ransomware appears to have been secretly embedded in Kaseya VSA, which helped spread the malicious software because VSA is used by IT management firms to distribute software updates to their customers, Hanslovan said. It is unclear how Kaseya’s software was first compromised.
This supply chain-style attack is similar to the tactic used by Russian hackers in the SolarWinds compromise, though in this case the malicious software was used to hijack victim networks rather than to spy on them.
CNN’s Jason Hoffman contributed to this report.