Dutch security researchers were aware of the software vulnerability before it was exploited by the Russia-linked REvil ransomware group.

(CBS4) – As Americans celebrate the Fourth of July holiday weekend, cybersecurity professionals across the country plan to work overtime to address a massive supply chain ransomware attack. More than 1,000 companies found their data encrypted on Friday, according to the cybersecurity firm Huntress.

(credit: CBS)

In an update on Saturday morning, software provider Kaseya confirmed it was the victim of a sophisticated cyberattack targeting its VSA product. More than 36,000 customers use the VSA software, including managed service providers (MSPs) that oversee IT infrastructure for companies.

On Friday night, Kaseya CEO Fred Voccola said the company was aware of fewer than 40 MSPs affected. For each MSP targeted, there are dozens of companies at risk of compromise. Many small to medium-sized businesses hire MSPs because their company lacks the internal resources to manage IT infrastructure.

The number of impacted organizations is expected to increase. Huntress security researcher John Hammond estimated the attack could impact thousands of small businesses.

Huntress has attributed the attack with high confidence to the Russia-linked REvil Ransomware-as-a-Service (RaaS) operation, also known as Sodinokibi. The criminal group provides malware kits for affiliates to launch cyberattacks in exchange for a cut of the profit.

REvil was recently behind the cyberattack in May that halted operations at more than a dozen JBS meatpacking plants, including the company’s North American headquarters in Greeley. JBS confirmed it paid the cybercriminals $11 million in Bitcoin.

JBS beef plant in Greeley (credit: CBS)

BleepingComputer and Bloomberg report REvil issued ransom demands on Friday ranging from $45,000 to $5 million in cryptocurrency.

“It’s possible that companies which decide to negotiate the demand may find themselves facing delays due to the possibly unprecedented number of simultaneous negotiations that REvil will need to handle. It’s simply another obstacle that victims may need to deal with,” said Brett Callow, threat analyst at cybersecurity firm Emsisoft.

REvil is behind some of the largest known ransom demands, including $42 million from entertainment law firm Grubman Shire Meiselas & Sacks. IBM Security X-Force reports REvil profited at least $81 million from extortion threats in 2020.

Dutch security researchers were aware of the Kaseya vulnerability before it was exploited by REvil. A software patch was already made but hadn’t yet been distributed, according to Victor Gevers, chair of the Dutch Institute for Vulnerability Disclosure.

Gevers says the exploit used by REvil was a zero-day, meaning the vulnerability was not yet widely known and Kaseya had not yet made the patch available to the public. The question remains how REvil found out about the zero-day and was able to exploit it.

The timing of Friday’s ransomware attack before the holiday weekend could be part of REvil’s strategy. JBS became aware of its ransomware attack over Memorial Day weekend, when employees were more likely to take time off. 

Supply chain attacks have become increasingly common. The SolarWinds attack, detected in late 2020, began with a corrupted software update that allowed Russian spies to access networks in at least 100 companies and nine federal agencies.

The U.S. Cybersecurity and Infrastructure Security Agency said it is taking action to address Friday’s supply chain attack. In a security advisory, Kaseya recommended customers immediately shut down their VSA server to prevent the attack from spreading. The company is working with the Federal Bureau of Investigation and an incident response firm to release a patch for on-premise customers along with a self-assessment tool so that companies can determine whether they were affected.

(credit: Federal Bureau of Investigation)

Kaseya said all on-premise VSA servers should remain down until further notice. Providers will need to install a patch before restarting the VSA. Customers who receive communication from the attackers should not click on any links, Kaseya said, because they could be “weaponized.”

Software-as-a-Service customers were never at risk, according to Kaseya. The company expects to restore service to those customers within the next 24-48 hours. Kaseya plans to provide updates about the attack throughout the weekend on its website.