Ransomware attack of 200 firms by group behind Apple extortion attempt

Posted in General Discussion, edited July 2021
A ransomware attack over the July 4th weekend has potentially impacted hundreds of companies, carried out by the same group that attempted to extort Apple in April.

On Friday, it was revealed that IT management firm Kaseya had become the focus of a new ransomware attack involving software tools it produces. The Florida-based Kaseya disclosed that its VSA software was part of a potential security incident, prompting it to shut down its own servers and to notify customers to shut down their VSA servers.

As Kaseya operates a platform that managed service providers (MSPs) use to offer remote support and software update services to other businesses, ransomware could have been distributed through VSA servers to MSP clients. This has the potential to harm hundreds of companies whose MSPs rely on Kaseya's platform.

According to security firm Huntress, speaking to Gizmodo, three of its MSP clients had been affected, which could have affected as many as 200 smaller firms. "MSPs with over thousands of endpoints are being hit," said Huntress senior security researcher John Hammond. "When an MSP is compromised, we've seen proof that it has spread through the VSA into all the MSP's customers."

The U.S. Cybersecurity and Infrastructure Security Agency issued a release on Friday, encouraging companies to read Kaseya's advisory and to shut down VSA servers immediately.

One very public victim of the attack is Sweden's supermarket chain Coop, which closed approximately 500 stores out of its 800 branches on Saturday while repairs were made to computer systems affected by the attack. Coop's MSP was Visma, which used the Kaseya suite.

Huntress attributes the attack to the ransomware group "REvil," a well-known cybercriminal outfit. The group has a string of attacks to its name, including allegedly extorting $11 million from meat supplier JBS after work at 13 of its processing plants ground to a halt.

In April, the group claimed it was "negotiating the sale of large quantities of confidential drawings of personal data with several major brands," and wanted Apple to pay a ransom to buy back data. The group also threatened to publish new data every day until the ransom was paid.

The group seemed to obtain its schematics from Apple supply partner Quanta Computer, and asked Quanta for $50 million. It is unknown how much it asked Apple for the data.


Comments

  • Reply 1 of 8
    genovelle Posts: 1,480 member
    And governments around the globe think it’s a good idea to undermine Apple’s security. Not smart. 
    edited July 2021
  • Reply 2 of 8
    DAalseth Posts: 2,783 member
    We never heard if Apple/Quanta paid anything. I hope not. 
  • Reply 3 of 8
    KTR Posts: 280 member
    Yeah, send this to, what’s her face
  • Reply 4 of 8
    What a charming world we live in. The sooner the human race disappears the better. 
  • Reply 5 of 8
    dewme Posts: 5,368 member
    I hope that the lack of direct response to these threats by US (and other) cyber security forces is because they don’t want to disclose their true abilities to counter and annihilate the sources of these cyber terrorism attacks when they are directed at relatively soft targets. Otherwise, these cyber terrorism attacks and extortion schemes demonstrate a massive vulnerability and weakness that puts much of the US economy, critical information and industrial systems, and command & control infrastructure at great risk.

    The groups that are committing these acts of cyber terrorism and extortion need to be hunted down and dealt with in the same manner that we would track down any terrorist group that intentionally deploys a weapon of mass destruction against our country. These are not computer games with bits, bytes, and fake money at stake. These attacks are a threat to human life and need to be dealt with accordingly.  
  • Reply 6 of 8
    GeorgeBMac Posts: 11,421 member
    dewme said:
    I hope that the lack of direct response to these threats by US (and other) cyber security forces is because they don’t want to disclose their true abilities to counter and annihilate the sources of these cyber terrorism attacks when they are directed at relatively soft targets. Otherwise, these cyber terrorism attacks and extortion schemes demonstrate a massive vulnerability and weakness that puts much of the US economy, critical information and industrial systems, and command & control infrastructure at great risk.

    The groups that are committing these acts of cyber terrorism and extortion need to be hunted down and dealt with in the same manner that we would track down any terrorist group that intentionally deploys a weapon of mass destruction against our country. These are not computer games with bits, bytes, and fake money at stake. These attacks are a threat to human life and need to be dealt with accordingly.  

    Hey!  Don't worry!  The U.S. cybersecurity defense forces have it all under control    /s
    According to the BBC:
    "The US Cybersecurity and Infrastructure Agency, a federal body, said in a statement that it was taking action to address the attack and urging users of the Kaseya software to shut it down."

    Further:  the BBC suggests this is yet another attack by the Russians:

    "At a summit in Geneva last month, US President Joe Biden said he told Russian President Vladimir Putin he had a responsibility to rein in such cyber-attacks.

    Mr Biden said he gave Mr Putin a list of 16 critical infrastructure sectors, from energy to water, that should not be subject to hacking.

    REvil - also known as Sodinokibi - is one of the most prolific and profitable cyber-criminal groups in the world.

    The gang was blamed by the FBI for a hack in May that paralysed operations at JBS - the world's largest meat supplier."


    It seems the Russians have a free pass to attack us anytime and any way they want -- it's been going on regularly since 2016.
  • Reply 7 of 8
    dewme Posts: 5,368 member
    dewme said:
    I hope that the lack of direct response to these threats by US (and other) cyber security forces is because they don’t want to disclose their true abilities to counter and annihilate the sources of these cyber terrorism attacks when they are directed at relatively soft targets. Otherwise, these cyber terrorism attacks and extortion schemes demonstrate a massive vulnerability and weakness that puts much of the US economy, critical information and industrial systems, and command & control infrastructure at great risk.

    The groups that are committing these acts of cyber terrorism and extortion need to be hunted down and dealt with in the same manner that we would track down any terrorist group that intentionally deploys a weapon of mass destruction against our country. These are not computer games with bits, bytes, and fake money at stake. These attacks are a threat to human life and need to be dealt with accordingly.  

    Hey!  Don't worry!  The U.S. cybersecurity defense forces have it all under control    /s
    According to the BBC:
    "The US Cybersecurity and Infrastructure Agency, a federal body, said in a statement that it was taking action to address the attack and urging users of the Kaseya software to shut it down."

    Further:  the BBC suggests this is yet another attack by the Russians:

    "At a summit in Geneva last month, US President Joe Biden said he told Russian President Vladimir Putin he had a responsibility to rein in such cyber-attacks.

    Mr Biden said he gave Mr Putin a list of 16 critical infrastructure sectors, from energy to water, that should not be subject to hacking.

    REvil - also known as Sodinokibi - is one of the most prolific and profitable cyber-criminal groups in the world.

    The gang was blamed by the FBI for a hack in May that paralysed operations at JBS - the world's largest meat supplier."


    It seems the Russians have a free pass to attack us anytime and any way they want -- it's been going on regularly since 2016.
    I have no doubt that if putting a proper defense system in place would cost the US taxpayers at least two and a half trillion dollars and involved R&D work evenly distributed across congressional districts in at least 30 states, the US government would be all over this like white on rice - even if it was only partially effective. We are the frog being slowly boiled by our own bureaucracy, graft, and incompetence and these third rate terrorists are laughing all the way to the bank. 
  • Reply 8 of 8
    GeorgeBMac Posts: 11,421 member
    dewme said:
    dewme said:
    I hope that the lack of direct response to these threats by US (and other) cyber security forces is because they don’t want to disclose their true abilities to counter and annihilate the sources of these cyber terrorism attacks when they are directed at relatively soft targets. Otherwise, these cyber terrorism attacks and extortion schemes demonstrate a massive vulnerability and weakness that puts much of the US economy, critical information and industrial systems, and command & control infrastructure at great risk.

    The groups that are committing these acts of cyber terrorism and extortion need to be hunted down and dealt with in the same manner that we would track down any terrorist group that intentionally deploys a weapon of mass destruction against our country. These are not computer games with bits, bytes, and fake money at stake. These attacks are a threat to human life and need to be dealt with accordingly.  

    Hey!  Don't worry!  The U.S. cybersecurity defense forces have it all under control    /s
    According to the BBC:
    "The US Cybersecurity and Infrastructure Agency, a federal body, said in a statement that it was taking action to address the attack and urging users of the Kaseya software to shut it down."

    Further:  the BBC suggests this is yet another attack by the Russians:

    "At a summit in Geneva last month, US President Joe Biden said he told Russian President Vladimir Putin he had a responsibility to rein in such cyber-attacks.

    Mr Biden said he gave Mr Putin a list of 16 critical infrastructure sectors, from energy to water, that should not be subject to hacking.

    REvil - also known as Sodinokibi - is one of the most prolific and profitable cyber-criminal groups in the world.

    The gang was blamed by the FBI for a hack in May that paralysed operations at JBS - the world's largest meat supplier."


    It seems the Russians have a free pass to attack us anytime and any way they want -- it's been going on regularly since 2016.
    I have no doubt that if putting a proper defense system in place would cost the US taxpayers at least two and a half trillion dollars and involved R&D work evenly distributed across congressional districts in at least 30 states, the US government would be all over this like white on rice - even if it was only partially effective. We are the frog being slowly boiled by our own bureaucracy, graft, and incompetence and these third rate terrorists are laughing all the way to the bank. 

    We're putting 3/4 of a trillion dollars a year into tanks, F35s and aircraft carriers -- and they haven't won a war in my lifetime.  But then, neither has our country been attacked militarily in a couple hundred years.

    On the other hand, Russia has attacked our elections and our computer systems 5 or 6 known times since 2016.
    And, Covid has killed more Americans than WW-II -- and all the rest of the wars since.

    But, both our public health and cybersecurity languish in confusion and helplessness without funding.
    Sounds to me like we're putting our money in the wrong places.