Hundreds of American businesses have been hit by a ransomware attack ahead of the Fourth of July holiday weekend, according to the cybersecurity company Huntress Labs. Huntress Labs said on Friday that 200 American businesses were hit after an incident at the Miami-based IT firm Kaseya, potentially marking the latest in a line of hacks destabilizing US companies. “This is a colossal and devastating supply chain attack,” John Hammond, a senior security researcher with Huntress, said in an email, referring to an increasingly high-profile hacker technique of hijacking one piece of software to compromise hundreds or thousands of users at a time.
Hammond added that because Kaseya is plugged into everything from large enterprises to small companies “it has the potential to spread to any size or scale business.” Kaseya, in a statement posted on its own website, said it was investigating a “potential attack” on VSA, a widely used tool to reach into corporate networks across the United States.
In the statement, Kaseya said the tool monitors and manages servers, desktops, network devices, and printers, and that it may have been attacked. Such an attack can be particularly insidious to address, said Chris Grove, a security expert at the cybersecurity firm Nozomi Networks.
“Once a breach happens, the victim would generally reach for these tools to work their way out of a bad situation, but when the tool itself is the problem or is unavailable, it adds complexity to the recovery efforts,” he said. After the incident, Kaseya said, “a small number of on-premise customers” had potentially been affected. The company said it had shut down some of its infrastructure and was urging customers that used the tool on their premises to immediately turn off their servers. Reached with a request for comment, Kaseya referred the Guardian to the statement on its website.
Huntress said it believed the Russia-linked REvil ransomware gang – the same group of actors blamed by the FBI for paralyzing meatpacker JBS last month – was behind the latest ransomware outbreak. An email sent by Reuters to the hackers seeking comment was not immediately returned.
In a statement, the US Cybersecurity and Infrastructure Security Agency said it was “taking action to understand and address the recent supply-chain ransomware attack” against Kaseya’s VSA product.
Supply chain attacks have crept to the top of the cybersecurity agenda after hackers alleged to be operating at the Russian government’s direction tampered with a network monitoring tool built by Texas software firm SolarWinds. Ransomware attacks have exploded in the past year, aided by the ease of payment that has come with the rise of cryptocurrency and by an increase in working from home, which has made computers more vulnerable.
Kaseya has 40,000 customers for its products, though not all use the affected tool.