The attackers changed a Kaseya tool called VSA, used by companies that manage technology at smaller businesses. They then encrypted the files of those providers' customers simultaneously.

Security firm Huntress said it was tracking eight managed service providers that had been used to infect some 200 clients.

Kaseya said on its own website that it was investigating a "potential attack" on VSA, which is used by IT professionals to manage servers, desktops, network devices, and printers. It said it shut down some of its infrastructure in response and that it was urging customers that used VSA on their premises to immediately turn off their servers.

"This is a colossal and devastating supply chain attack," Huntress senior security researcher John Hammond said in an email, referring to an increasingly high-profile hacker technique of hijacking one piece of software to compromise hundreds or thousands of users at a time.

Hammond added that because Kaseya is plugged into everything from large enterprises to small companies "it has the potential to spread to any size or scale business." Many managed service providers use VSA, although their customers may not realise it, experts said.

Some employees at service providers said on discussion boards that their clients had been hit before they could get a warning to them.

Reuters was not able to reach a Kaseya representative for further comment. Huntress said it believed the Russia-linked REvil ransomware gang - the same group of actors blamed by the FBI for paralysing meat packer JBS last month - was to blame for the latest ransomware outbreak.
Demands for ransom
A private security executive working on the response effort said that ransom demands accompanying the encryption ranged from a few thousand dollars to $5 million or more.

The corruption of an update process shows a marked escalation in sophistication from most ransomware attacks, which take advantage of security loopholes such as common passwords without two-factor authentication.

An email sent to the hackers seeking comment was not immediately returned. In a statement, the US Cybersecurity and Infrastructure Security Agency said it was "taking action to understand and address the recent supply-chain ransomware attack" against Kaseya's VSA product.

Supply chain attacks have crept to the top of the cybersecurity agenda after the United States accused hackers of operating at the Russian government's direction and tampering with a network monitoring tool built by Texas software firm SolarWinds.

Kaseya has 40,000 customers for its products, though not all use the affected tool.
© Reuters