A U.S. IT provider that was hit by a major ransomware attack on the eve of a long holiday weekend in the United States is scrambling to help its customers get their systems running again while it works with the U.S. government to determine the extent of the attack.
The Florida-based company said its CEO would be interviewed on U.S. television on July 4 regarding the incident, a sophisticated ransomware attack that cybersecurity experts believe was carried out by Russian criminal hackers.
The gang known as REvil is suspected of hijacking Kaseya's desktop management software and pushing a malicious update that infected tech management providers serving thousands of businesses.
Kaseya said it was working with the FBI and that only about 40 of its customers were impacted directly. But the ransomware could still be affecting many more companies that rely on Kaseya's clients.
Kaseya issued an updated response late on July 3 in which it did not comment on how many customers were management providers that in turn would have spread the malicious software to others. It also did not say how much ransom had been demanded or whom the company suspects as the perpetrator.
Kaseya has "unfortunately been the victim of a sophisticated cyberattack," the statement said, adding that it believes the attack is limited to a "very small number of on-premises customers."
It said all affected servers should remain offline until further instructions from Kaseya. The company said it would provide an update on July 4 about a patch that will be required before the servers can be restarted.
It also said outside experts had advised that customers who receive communication from the attackers should not click on any links "as they may be weaponized."
The FBI issued a statement saying it was investigating the matter in coordination with the U.S. Cybersecurity and Infrastructure Security Agency.
President Joe Biden said he has directed U.S. intelligence agencies to investigate who was behind the attack.
Biden, who raised the threat of cyberattacks in a summit last month with Russian President Vladimir Putin, added that he would know more on July 4 about whether the attack on Kaseya was "either with the knowledge of and-or a consequence of Russia."
Huntress Labs, a security firm that was one of the first to sound the alarm, said thousands of small companies might have had files encrypted by the cybercriminals, who left electronic messages asking for ransom payments of thousands or millions of dollars.
One of Sweden's biggest grocery chains, Coop, said its 800 stores were closed on July 3 because a remote tool used for its cash registers was impacted, meaning payments couldn't be taken. Swedish State Railways and a major local pharmacy chain were also affected.
The Swedish news agency TT said Kaseya technology was used by the Swedish company Visma Esscom, which manages servers and devices for a number of Swedish businesses.
Swedish Defense Minister Peter Hultqvist told Swedish Television that the attack was "very dangerous" and showed how businesses and state agencies needed to improve their preparedness.
"In a different geopolitical situation, it may be government actors who attack us in this way in order to shut down society and create chaos," he said.
Some experts speculated that the timing of the attack, immediately before the U.S. Independence Day holiday weekend, was aimed at spreading the ransomware while employees were away from their jobs.