(Bloomberg) – A Russian-linked hacking group has compromised around 200 companies in an ongoing large-scale ransomware attack, according to cybersecurity firm Huntress Labs Inc.
The hackers were targeting managed service providers, which often provide IT support to small and medium-sized businesses, according to Huntress Labs. By targeting a Managed Service Provider, or MSP, hackers can then gain access to and infiltrate its customers’ computer networks.
Two of the affected managed service providers are Synnex Corp. and Avtex LLC, according to two sources familiar with the breaches. Reached by phone, Avtex chairman George Demou told Bloomberg News in a text message Friday night that “hundreds of MSPs have been affected by what appears to be a global supply chain hack.”
“We are working with customers who have been affected to help them recover,” he added.
A Synnex spokesperson did not immediately respond to requests for comment.
“From what we know now, we have eight MSP partners that are involved,” said John Hammond, cybersecurity researcher at Huntress Labs. “These MSP customers total at least 200 companies that are encrypted and held to ransom due to the compromise of their MSP.” Huntress did not identify the managed service providers that were attacked.
Hammond said he expects the number of victims to “increase dramatically” as more compromised managed service providers are discovered. The names of the MSP clients that were attacked are not yet known.
“This is one of the most impactful attacks executed by a non-nation state that we have ever seen and it seems purely designed to extract money,” said Andrew Howard, chief executive of Kudelski Security, a Swiss provider of managed cybersecurity services. “It’s hard to imagine a better way for an attacker to distribute malware than through trusted IT vendors.”
Jake Williams, chief technology officer at BreachQuest, said he has already responded to several ransomware victims, including a school and a manufacturer. In those cases, ransom demands started at $45,000, he said.
In the past, ransomware groups often demanded a bulk payment from a managed service provider, instead of trying to collect payment from all of their customers. But in this case, it looks like the REvil players are encrypting hundreds of MSP customers and demanding payment from each, Williams said.
“There’s no way actors have the bandwidth to handle each individual case at the same time,” Williams said. “If they continue this way, it will take weeks to resolve.”
The attacks come weeks after a summit between President Joe Biden and Russian President Vladimir Putin in which Biden warned that 16 types of critical infrastructure should be off-limits to cyberattacks. Russian state-sponsored hackers have been accused of attacks on nine U.S. government agencies and around 100 companies, which were disclosed in December and involved, in part, malicious updates to software from SolarWinds Corp., based in Texas.
More recently, a ransomware attack on Colonial Pipeline Co., which reduced the supply of gasoline along the east coast, was blamed on a Russian-linked criminal gang called DarkSide.
Cyber security researchers have indicated that Kaseya, which develops software used by managed service providers, is the potential cause of the hack. Kaseya advised its customers on Friday to shut down its Virtual System Administrator software due to a potential attack.
“We are very cautiously investigating the root cause of the incident, but we recommend that you IMMEDIATELY shut down your VSA server until you receive further notification from us,” Kaseya said in a press release.
The Cybersecurity and Infrastructure Security Agency acknowledged the hacks in a brief statement.
“CISA is taking action to understand and resolve the recent supply chain ransomware attack against Kaseya VSA and the multiple Managed Service Providers (MSPs) that use VSA software,” the agency said.
The hacking group behind the attack is known as “REvil,” according to Allan Liska, senior threat analyst at cybersecurity firm Recorded Future Inc. Liska said it was the third time that REvil targeted Kaseya to carry out ransomware attacks. A representative from Kaseya was not immediately available for comment.
REvil was also behind the ransomware attack on meat supplier JBS SA in May. The company said it ultimately paid $11 million in ransom.
Jason Ingalls, founder of breach response firm Ingalls Information Security, said attacks such as the MSP attack announced on Friday are increasingly common.
“Hackers infiltrate the most trusted source of software or security in a huge supply chain and then compromise all of their customers,” he said. “This is the same attack method used in the SolarWinds hack, but it is now used by criminals to take advantage of their access to one victim to ransom many others.”
(Updates with comments on victims, in sixth paragraph.)
© 2021 Bloomberg LP