International software supplier Kaseya was the latest company hit with a “sophisticated cyberattack,” the company announced Saturday. The breach may have compromised thousands of companies.
Kaseya first reported a security threat targeting its “VSA product” Friday afternoon and said in an update Saturday that the issue had been localized. Hackers encrypted customer files and demanded money in order to decrypt them.
The company said Friday that “only a very small percentage” of customers were affected by the attack, estimating a total of 40 worldwide. “We’ve heard from the vast majority of our customers that they experienced no issues at all,” Fred Voccola, the company’s CEO, stated.
However, the definitive number of victims is unclear because of a ripple effect: managed service providers (MSPs), which have their own clients, may have been affected as well. Cybersecurity researcher John Hammond of Huntress Labs told CBS News that roughly 20 providers have been compromised in the attack.
“While Kaseya said that the attack has been localized to a small number of on-premises customers, that doesn’t represent the full effect of the secondary organizations that are supported by those compromised MSPs,” Hammond said. “At the moment we can confidently say at least 1,000 or more small businesses or organizations are compromised.”
He noted that the Swedish supermarket chain Coop has closed 800 locations due to software provider compromises as an indirect result of the cyberattack, according to BBC News.
Hammond said that he believes REvil — the Russian-speaking ransomware group responsible for the attack on the world’s largest meat processing company earlier this year — is to blame for Kaseya’s attack.
Kaseya said outside experts, the FBI and a computer forensics firm are working on investigating the attack. The Cybersecurity and Infrastructure Security Agency (CISA) said Friday that they are aware of the attack and are “taking action to understand and address” it.
The company recommends that on-premises customers keep their VSA servers offline “until further notice” and advises them not to click on any links sent from attackers.
Ransomware attacks have grown over the last 12 months by 93%, according to Check Point Research. North America saw a 32% increase in attacks in the last six months. The Head of Threat Intelligence at Check Point Software, Lotem Finkelsteen, predicted that the influx of these breaches is “only going to get worse.”
“I don’t think we’ve seen the peak for ransomware attacks,” he said in a statement. “The threat actors behind ransomware aren’t just becoming bigger, they’re becoming better at what they do.”