A Russia-linked hacking group has compromised roughly 200 businesses in a large-scale ransomware attack that is ongoing, according to the cybersecurity firm Huntress Labs Inc.
The hackers targeted managed service providers, which often give IT support to small- to medium-size businesses, according to Huntress Labs. By targeting a managed service provider, or MSP, hackers may then be able to access and infiltrate its customers’ computer networks.
Two of the affected managed service providers include Synnex Corp. and Avtex LLC, according to two sources familiar with the breaches. Reached by telephone, Avtex president George Demou told Bloomberg News in a text message on Friday night that “Hundreds of MSPs have been impacted by what appears to be a Global Supply Chain hack.”
“We are working with those customers who have been impacted to help them to recover,” he added.
A Synnex spokesperson did not immediately respond to requests for comment.
“From what we know now, we have eight MSP partners that are affected,” said John Hammond, a cybersecurity researcher at Huntress Labs. “Those MSPs customers add up to at least 200 businesses that are encrypted and ransomed as a result of their MSP being compromised.” He didn’t identify the managed service providers that were attacked.
Hammond said he expects the number of victims to “significantly rise” as more compromised managed service providers are discovered. The names of the MSP customers who were attacked aren’t yet known.
“This is one of the most broadly impactful, non-nation state executed, attacks we have ever seen and it appears purely designed to extract money,” said Andrew Howard, chief executive officer of Switzerland-based Kudelski Security, a provider of managed cybersecurity services. “It is difficult to image a better way for an attacker to distribute malware than through trusted IT providers.”
Jake Williams, chief technology officer at BreachQuest, said he’s already responded to multiple ransomware victims, including a school and a manufacturer. In those cases, ransom demands started at $45,000, he said.
In the past, ransomware groups often demand one bulk payment from a managed service provider, instead of attempting to collect payment from all of its clients. But in this case, it appears the REvil actors are encrypting hundreds of MSP clients and demanding payment from each one, Williams said.
“There’s no way the actors have the bandwidth handle each individual case at the same time,” said Williams. “If they keep going this way, this will take weeks to resolve.”
The attacks come a few weeks after a summit between President Joe Biden and Russian President Vladimir Putin in which Biden warned that 16 kinds of critical infrastructure were off limits for cyberattacks. Russian state-sponsored hackers were blamed for attacks against nine U.S. government agencies and about 100 businesses, which was disclosed in December and involved, in part, malicious updates in software from Texas-based SolarWinds Corp.
More recently, a ransomware attack on Colonial Pipeline Co., which squeezed gasoline supplies along the East Coast, was blamed on a Russian-linked criminal gang called DarkSide.
Cybersecurity researchers have pointed to Kaseya, which develops software used by managed service providers, as the potential root cause of the hack. Kaseya on Friday advised its customers to shut down its Virtual System Administrator software due to a potential attack.
“We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us,” Kaseya said in a statement.
The Cybersecurity and Infrastructure Security Agency acknowledged the hacks in a brief statement.
“CISA is taking action to understand and address the recent supply-chain ransomware attack against Kaseya VSA and the multiple managed service providers (MSPs) that employ VSA software,” the agency said.
The hacking group behind the attack is known as “REvil,” according to Allan Liska, a senior threat analyst at cybersecurity firm Recorded Future Inc. Liska said this is the third time REvil has targeted Kaseya to conduct ransomware attacks. A representative for Kaseya wasn’t immediately available for comment.
REvil was also behind the ransomware attack on meat supplier JBS SA in May. The company said it ultimately paid $11 million in ransom.
Jason Ingalls, founder of the breach response company Ingalls Information Security, said attacks such as the MSP attack announced Friday are becoming more common.
“Hackers are infiltrating the most trusted source of software or security in a huge supply chain, and then compromising all of their clients,” he said. “This is the same attack method used in the SolarWinds hack, but now it’s being used by criminals to leverage their access to one victim to ransom many more.”
