Washington DC: American cyber officials are now tracking a major new ransomware attack in the United States that is believed to be operated from Eastern Europe or Russia.
The CNN reported that a major new ransomware attack by the same group that hit meat supplier JBS Foods this spring is being tracked by the US cyber officials. This time, the REvil malware has hit a wide range of IT management companies and compromised hundreds of their corporate clients.
The cybercriminal gang, which is believed to operate out of Eastern Europe or Russia, targeted a key software vendor known as Kaseya, whose products are widely used by IT management companies, cybersecurity experts said.
This latest ransomware attack has already knocked out at least a dozen IT support firms that rely on Kaseya’s remote management tool called VSA, said Kyle Hanslovan, CEO of the cybersecurity firm Huntress Labs. In at least one case, Hanslovan said, the attackers demanded a ransom of 5 million dollars.
“This is only three and a half hours old, so this is very new, and we don’t know the scale yet,” Hanslovan said.
Cybercriminals have increasingly targeted organizations that play critical roles across broad swaths of the US economy in the past several months.
A high-profile attack against Colonial Pipeline in May disrupted fuel shipments to gas stations all along the east coast, prompting widespread panic buying.
The JBS cyberattack led to a temporary shutdown of all nine of its US beef processing plants. The latest, rapidly unfolding attack prompted alarm among cybersecurity experts.
“If you use Kaseya VSA, shut it down *now* until told to reactivate and initiate [incident response],” tweeted Christopher Krebs, former director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. In its own advisory, CISA said it is working to understand and address the issue.
In a blog post, Kaseya said it has shut down its cloud servers as it investigates the VSA incident.
“We are investigating a potential attack against the VSA that indicates to have been limited to a small number of our on-premises customers only,” Kaseya said. “We have proactively shut down our SaaS servers out of an abundance of caution.”
An analysis of the malicious software by the cybersecurity firm Emsisoft shows that it was created by REvil, the ransomware gang that US officials have said compromised JBS Foods.
Meanwhile, three of the compromised IT service providers are among Huntress Labs’ own cybersecurity clients, Hanslovan said.
“We have direct knowledge of it now and we have confirmed it is indeed REvil,” Hanslovan said, reported by CNN.
As many as 200 of the three affected IT service providers’ customers have been compromised by the malware, Hanslovan said.
This supply chain-style attack is similar to the tactic used by Russian hackers in the SolarWinds compromise, though in this case the malicious software was used to hijack victim networks rather than to spy on them.