REvil Ransomware Syndicate Allegedly Behind Holiday Weekend Hack of At Least 200 Companies

Ahead of the three-day Fourth of July weekend, the REvil gang is suspected to be behind a new ransomware attack Friday that affected at least 200 companies in the U.S.

REvil, based in Russia, was likely behind the JBS Meat Packing attack in May, according to the FBI. The Flashpoint Intelligence Platform has suggested that former REvil members were involved in the recent Colonial Pipeline attack earlier this year as well, allegedly done by the DarkSide ransomware group.

By launching an attack ahead of a three-day weekend, the hackers can take advantage of reduced numbers of IT workers available to fix the problems. The latest attack is on Kaseya, a network management company.

"There's zero doubt in my mind that the timing here was intentional," Jake Williams, president of Rendition Infosec, told The Associated Press.

"The increasing diversity of infrastructure and the tools we use to manage and secure it makes supply chain attacks like this both an attractive target to attackers, and a huge challenge for security and IT teams to manage. And in this case, though it's still early, it looks like attackers are leveraging the one-to-many relationship of MSPs to cause maximum impact, especially right before a holiday weekend in the U.S.," Daniel Trauner, senior director of security at Axonius, told Newsweek.

ransomware kaseya july fourth weekend
REvil is suspected of launching an attack on network management company Kaseya. iStock/Getty

For more reporting from the Associated Press, read below.

A ransomware attack paralyzed the networks of at least 200 U.S. companies on Friday, according to a cybersecurity researcher whose company was responding to the incident.

The REvil gang, a major Russian-speaking ransomware syndicate, appears to be behind the attack, said John Hammond of the security firm Huntress Labs. He said the criminals targeted a software supplier called Kaseya, using its network-management package as a conduit to spread the ransomware through cloud-service providers. Other researchers agreed with Hammond's assessment.

"Kaseya handles large enterprise all the way to small businesses globally, so ultimately, (this) has the potential to spread to any size or scale business," Hammond said in a direct message on Twitter. "This is a colossal and devastating supply chain attack."

Such cyberattacks typically infiltrate widely used software and spread malware as it updates automatically.

It was not immediately clear how many Kaseya customers might be affected or who they might be. Kaseya urged customers in a statement on its website to immediately shut down servers running the affected software. It said the attack was limited to a "small number" of its customers.

Brett Callow, a ransomware expert at the cybersecurity firm Emsisoft, said he was unaware of any previous ransomware supply-chain attack on this scale. There have been others, but they were fairly minor, he said.

"This is SolarWinds with ransomware," he said. He was referring to a Russian cyberespionage hacking campaign discovered in December that spread by infecting network management software to infiltrate U.S. federal agencies and scores of corporations.

Cybersecurity researcher Williams, president of Rendition Infosec, said he was already working with six companies hit by the ransomware. It's no accident that this happened before the Fourth of July weekend, when IT staffing is generally thin, he added.

"There's zero doubt in my mind that the timing here was intentional," he said.

Hammond of Huntress said he was aware of four managed-services providers — companies that host IT infrastructure for multiple customers — being hit by the ransomware, which encrypts networks until the victims pay off attackers. He said thousand of computers were hit.

"We currently have three Huntress partners who are impacted with roughly 200 businesses that have been encrypted," Hammond said.

Hammond wrote on Twitter: "Based on everything we are seeing right now, we strongly believe this (is) REvil/Sodinikibi." The FBI linked the same ransomware provider to a May attack on JBS SA, a major global meat processer.

The federal Cybersecurity and Infrastructure Security Agency said in a statement late Friday that it is closely monitoring the situation and working with the FBI to collect more information about its impact.

CISA urged anyone who might be affected to "follow Kaseya's guidance to shut down VSA servers immediately." Kaseya runs what's called a virtual system administrator, or VSA, that's used to remotely manage and monitor a customer's network.

The privately held Kaseya says it is based in Dublin, Ireland, with a U.S. headquarters in Miami. The Miami Herald recently described it as "one of Miami's oldest tech companies" in a report about its plans to hire as many as 500 workers by 2022 to staff a recently acquired cybersecurity platform.

ransomware kaseya july fourth weekend
The attack on Kaseya is believed to affect at least 200 U.S. companies. iStock/Getty

Update (7/2, 8:35 p.m.): This has been updated to include a comment from Daniel Trauner.