Businesses impacted by the Kaseya cyberattack include a number of UK organisations and a kindergarten group in New Zealand.
As the fallout from the latest US ransomware attack continues, the number of businesses affected could be as high as 1,500.
Last Friday (2 July), Miami-based software supplier Kaseya reported a “sophisticated attack” on its VSA software, a set of tools used by IT departments to manage and monitor computers remotely.
The cybercriminals responsible for the attack found a vulnerability in Kaseya’s supply chain and used a malware protection program to deliver ransomware code to businesses that use the software.
While the company initially estimated that only about 40 customers had been directly affected, the impact of the attack spread further because its customers include managed service providers (MSPs) that use the software to service other businesses.
In a security update yesterday (5 July), Kaseya said it is aware of fewer than 60 customers directly compromised by the attack.
“While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to be fewer than 1,500 downstream businesses.”
The company said its VSA tool is the only product affected by the attack and that no new reports of compromises for VSA customers have been reported since Saturday (3 July).
The company estimated that its SaaS servers will be back online later today, but a final decision will be made this morning first.
It also said it met the FBI and the US Cybersecurity and Infrastructure Security Agency to discuss systems and network hardening requirements prior to service restoration for both SaaS and on-premises customers.
Impact around the world
Cybersecurity firm Huntress Labs, which was investigating the incident, said companies across the US, Australia, the EU and Latin America had been hit.
This includes a Swedish grocery store chain that had to close hundreds of stores, and a kindergarten group in New Zealand.
The kindergarten group’s chief executive, Amanda Coulston, said computers at its Porirua headquarters had been infected with ransomware, but the group was not aware of any computers at its kindergartens being compromised.
The New Zealand education ministry reported on Sunday that 11 schools might have fallen victim to ransomware attacks as a result of the Kaseya incident, but this number was revised and is believed to only be two schools.
Meanwhile, the UK’s National Cyber Security Centre (NCSC) said it has seen evidence of “a limited impact to UK organisations”, but it remains vigilant to any threats.
Speaking at a virtual event just a few weeks ago, NCSC CEO Lindy Cameron said ransomware attacks are about more than data being breached.
“Too often this is seen as an issue around data, and actually most serious ransomware attacks are the ones that paralyse services, where effectively people are unable to operate systems that are often critical to their existence or their profitability.”
The attack
Ransomware-as-a-service cybergang REvil has taken responsibility for the cyberattack, claiming it infected more than a million systems.
REvil has demanded $70m in ransom for a universal decryption tool promising to decrypt files of all victims in less than an hour. If paid, it could become the highest ransomware payment ever made.
However, paying ransom is not advised and security experts have said regardless of paying the ransom, it could take weeks for impacted businesses to recover.
Speaking to Reuters about Coop, the Swedish grocery chain hit in the attack, ESET Nordics’ chief technology officer, Anders Nilsson, said: “It doesn’t really matter if they pay or not, they are still going to take time to restore all the machines.”