A ransomware attack disclosed last week by a Miami-based software provider spread to customers in six European countries, a company official said Thursday, showing how a hack targeting digital supply chains can quickly extend across industries and international borders.
A criminal hacking group used a Kaseya Ltd. product as a springboard to reach nearly 60 of the firm’s clients on July 2, the company said, launching a sprawling ransomware attack. After reaching those customers’ networks, hackers then jumped to their clients’ computer systems and locked up data of between 800 and 1,500 total victims, many of them small businesses.
Eight of Kaseya’s affected customers are in European countries, including the U.K., Netherlands, Germany, Sweden, Norway and Italy, said Ronan Kirby, president of the company’s Europe, Middle East and Africa unit. Cybersecurity experts say the tactics used to target the firm represent an escalation in the global ransomware boom and present new questions for businesses and policy makers racing to respond.
Mr. Kirby, speaking Thursday at a virtual event hosted by the Centre for Cyber Security Belgium, the country’s cyber authority, said Kaseya was a particularly appealing target because many of its customers are also technology-service providers with broad client bases of their own.
“You attack a company, you get into that company,” he said, adding that Kaseya’s own systems are secure. “You attack a service provider, you get into all their customers. You attack Kaseya, that’s a very different proposition.”
Kaseya said Thursday that it expects to release a patch for the software bug used by hackers to access its virtual system administrator product by Sunday afternoon. The company, which says the attack didn’t affect versions of the tool accessed through the internet, advised customers that access VSA servers through their offices to shut them down.
The criminal hacking group cyber researchers suspect to be behind the Kaseya attack, known as REvil, initially demanded $70 million in cryptocurrency to help unlock all the systems affected. Investigators responding to the incident say the Russian-speaking outfit also sent ransom demands to individual victim organizations ranging from $50,000 to $5 million.
Federal officials have yet to attribute the Kaseya incident to any particular hacking group. President Biden previously has pledged to work with partners in the European Union to pressure Russian President Vladimir Putin to stop providing safe harbor to the criminal groups that the U.S. government says are behind similar hacks in recent months, including ransomware attacks on Colonial Pipeline Co. and meatpacker JBS SA.
“We are continuing to gather details on if this incident occurred with the knowledge or approval of the Russian government,” White House press secretary Jen Psaki said Thursday. The U.S. government will move to crack down on such groups if the Kremlin doesn’t, she said, declining to provide details.
Mr. Putin historically has denied such claims. The Russian embassy in Washington didn’t comment on the Kaseya incident. The White House didn’t respond to a request for additional comment.
As efforts to update Kaseya’s software and restore victims’ computer systems approach their second week, cybersecurity experts warn that the incident could preview more damaging ransomware attacks as the global economy grows more connected through technology.
Ransomware attacks launched through widely used software vendors, rippling across broader supply chains, are “something we should absolutely be concerned with,” said John Hammond, senior security researcher at cyber firm Huntress Labs Inc.
“If those [service providers] get compromised, that impact grows and causes more damage than we could ever have expected,” said Mr. Hammond, whose firm has been working with Kaseya to help investigate the breach. He added that the hack appears to have hit victims in various industries, including legal, finance and retail.
The Biden administration has made supply chain security a key part of its cyber strategy, including in a May executive order that heightened requirements for federal software suppliers. The action came after a hack of network-management company SolarWinds Corp. last year gave suspected Russian hackers access to computer systems in several government agencies and dozens of U.S. businesses.
But the Kaseya incident illustrates how criminal hacking groups are also stepping up their game, at times mimicking tactics used by nation-state attackers, said Allan Liska, senior solutions architect at the cyber firm Recorded Future. While Dutch researchers alerted Kaseya to previously unknown vulnerabilities in the VSA tool in April, hackers exploited the bug before the company patched it.
“Finding a vulnerability is surprisingly hard,” Mr. Liska said, adding that it takes time and expertise. “It’s almost always [done] by nation-state actors, because those are the folks that are willing to spend the money.”
It is unclear how the Kaseya hackers learned of the vulnerability. Mr. Liska said his firm has tracked criminal hackers increasingly selling such information in dark-web forums for as much as $3 million.
“It seems like a steep price, but if you can get a $30 million ransom, it basically pays for itself in one attack,” he said.
The blockchain analysis firm Elliptic, which can track such transactions across crypto wallets, is monitoring ransom negotiations but has yet to see money change hands, co-founder and Chief Scientist Tom Robinson said. Some victims might have made payments that his company has yet to identify, he added.
The attack on Kaseya’s customers was so successful, Mr. Liska of Recorded Future said, that REvil affiliates appear to have fumbled subsequent extortion demands and negotiations.
“They were just overwhelmed by the number of victims,” Mr. Liska said of hackers’ attempts to monetize the incident. “That whole part is a complete disaster.”
Write to David Uberti at david.uberti@wsj.com
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.