Nearly 200 businesses were hit on Friday by a “colossal” ransomware attack that targeted widely used software from Kaseya, a Miami-based supplier.
The US government’s Cybersecurity and Infrastructure Security Agency (CISA) said it is taking action to understand the recent supply-chain ransomware attack against Kaseya VSA.
The attackers changed a Kaseya tool called VSA, used by firms that manage technology at smaller businesses. They then encrypted the files of those providers’ customers simultaneously.
CISA urged organisations to review the Kaseya advisory and immediately follow its guidance to shut down VSA servers.
Security firm Huntress Labs said it was tracking eight managed service providers that had been used to infect some 200 clients. Kaseya said in a statement that only a very small percentage of customers were affected – estimated at fewer than 40 worldwide. Exact names of the companies hit by the attack are unknown.
“This is a colossal and devastating supply chain attack,” Huntress senior security researcher John Hammond said in an email, referring to an increasingly high-profile hacker technique of hijacking one piece of software to compromise hundreds or thousands of users at a time.
Hammond added that because Kaseya is plugged in to everything from large enterprises to small companies, “it has the potential to spread to any size or scale business.”
Many managed service providers use VSA, although their customers may not realise it, experts said.
Huntress Labs said it believed the Russia-linked REvil ransomware gang was responsible - the same group the FBI accused of paralysing meat packer JBS and Acer earlier this year.
The attack took place on Friday afternoon, just as companies across the US were setting off for the long holiday weekend.
Kaseya’s website says it has a presence in over 10 countries and more than 10,000 customers.
Includes reporting by Reuters