1,500 businesses were targeted on Friday, July 2, in what cybersecurity experts are calling the largest ransomware attack in history. Hackers utilized global software supplier Kaseya to spread their ransomware to a larger number of targets.
"Kaseya handles large enterprise all the way to small businesses globally, so ultimately, (this) has the potential to spread to any size or scale business," security expert John Hammond of Huntress Labs, also quoted above, told NPR. "This is a colossal and devastating supply chain attack."
Kaseya uses a virtual system administrator (VSA) to access, monitor, and manage clients' networks remotely. Among those targeted were defense contractors, federal entities, legal firms, finance and healthcare companies, and more.
According to statements from Kaseya, patches to the VSA are currently being released.
July 2nd's cyberattack was reportedly connected to a ransomware group involved in an attack on the world's largest meat company, JBS USA, in May of this year. REvil, also known as Sodinokibi, is a ransomware supplier which uses paid affiliates to actually distribute the infections to the targets before collecting on the ransoms themselves.
According to the Federal Bureau of Investigation (FBI), as of 2020, REvil's average ransom payment was $508,523. The hacker gang reportedly targets everything from retail and legal services to manufacturing and construction. Targets have been located in the U.S., Canada, Australia, Hong Kong, and Finland.
The Huntress Labs CEO told CNBC's Squawk Box that while REvil's claim that their attack impacted one million businesses is overblown, he suspected up to 2,000 companies may have been targeted.
The date of the attack wasn't happenstance. Hackers reportedly have a tendency to prefer carrying out attacks just before a holiday weekend in order to ensure that IT and cybersecurity departments are as thinly staffed as possible.
The attack is under investigation by the Cybersecurity and Infrastructure Security Agency (CISA) in partnership with the FBI.
CISA warns any businesses that were attacked to "follow Kaseya's guidance to shut down VSA servers immediately." Small businesses that usually rely on their software providers, like Kaseya, to make sure they're protected may have a particularly difficult time defending themselves.
The Dutch Institute for Vulnerability Disclosure (DIVD), an entity aimed at making "the digital world safer by reporting vulnerabilities...to the people who can fix them", says it warned Kaseya regarding the risk to its system this spring.
"When we discovered the vulnerabilities in early April, it was evident to us that we could not let these vulnerabilities fall into the wrong hands...we decided that informing the vendor and awaiting the delivery of a patch was the right thing to do," DIVD wrote in a statement on their discoveries. "Kaseya's response to our disclosure has been on point and timely; unlike other vendors."
However, despite Kaseya's cooperation, repairs take time, and the software supplier ran out of time on July 2.
"We later learned that one of the two vulnerabilities used in the attack was one we previously disclosed to Kaseya VSA," DIVD continued.
In the meantime, according to John Hammond of Huntress Labs, REvil hackers have been celebrating on their so-called "Happy Blog" where they post about successful ransom payments, suggesting that at least some of the businesses paid up. However, some cybersecurity experts suspected that REvil might struggle to handle such a large number of targets.