
Ransomware hits hundreds of US companies, security firm says

JENNIFER: After a string of recent cyber attacks, the Biden administration is urging corporations to guard against ransomware attacks. Joining us with advice, Josh Kerrigan of Johns Hopkins Institute. We've dealt with this recently in the Baltimore area with the city and the county school system. So how do you defend against something like this?

>> It is one of the things that's difficult to defend against. There are, you know, some best practices in the Biden administration, listed five of them in the latest guidance. The best thing to do is back up data and systems and have good quality backups and make sure you can restore them. Test the process. You know, the other guidance they had in there was also, like, keep your systems updated and patched. Test for -- run incident response tests, you know, when you have to have an incident response plan. It's of very little use unless you test it and run through tabletop exercises. And pen test. You need to do what's called a penetration test on your network where you hire a third party to evaluate the security of your network to see if they can get in. If they can get in, attackers can get in. The great thing about a pen test is these guys will tell you how you can fix your systems and how you can make sure that the attackers can't get in as well. The final piece of advice was segment your network.

>> What does that mean?

>> That means make it so that your network is not one big, essentially, collection of computers that everybody can see everything else. Make it so that when you have one section of your network, it can't really access another section of your network. What that does, in event of you getting a ransomware attack, it goes a long way towards making sure that attack is isolated and doesn't spread throughout the network. The Baltimore City ransomware attack is a great example of why you need segmentation. That spread rapidly throughout the network.

JENNIFER: And exposed a huge vulnerability. The time to act is now, not when you're being held hostage.

>> The time to act was a while ago. This has been going on for years. Ransomware attackers have been getting good at the game. We've seen that they will examine when -- they penetrate the network long before the ransomware is deployed. And they take the time to go through your network to look at the company's revenue so they know how much to charge when they demand a ransom. It's gotten remarkably sophisticated. There is one piece of advice from the Biden recommendation that's missing. I see this a lot, actually, in cyber security. There needs to be a comprehensive security awareness plan, because a lot of times, even if you have the greatest technology sitting there protecting your systems, if somebody sends a phishing email or makes a phone call to an employee who is not security focused, you know, their job is operational, they want to get things done, and they interrupt that person with a request to, hey, look at this document, and, of course, the document has a malicious -- is malicious, has malicious macro in it. That's how things get installed. And that's lacking not just in this but in a general sense. It's a blind spot in the industry is that we don't really think about the people in the equation and that's one of the biggest vulnerabilities.

JENNIFER: Really good advice. I wish we had ten m

Related video above: Expert explains what defensive measures to take against cyberattacks

A ransomware attack paralyzed the networks of at least 200 U.S. companies on Friday, according to a cybersecurity researcher whose company was responding to the incident.


The REvil gang, a major Russian-speaking ransomware syndicate, appears to be behind the attack, said John Hammond of the security firm Huntress Labs. He said the criminals targeted a software supplier called Kaseya, using its network-management package as a conduit to spread the ransomware through cloud-service providers. Other researchers agreed with Hammond's assessment.

"Kaseya handles large enterprise all the way to small businesses globally, so ultimately, (this) has the potential to spread to any size or scale business," Hammond said in a direct message on Twitter. "This is a colossal and devastating supply chain attack."

Such cyberattacks typically infiltrate widely used software and spread malware as it updates automatically.

It was not immediately clear how many Kaseya customers might be affected or who they might be. Kaseya urged customers in a statement on its website to immediately shut down servers running the affected software. It said the attack was limited to a "small number" of its customers.

Brett Callow, a ransomware expert at the cybersecurity firm Emsisoft, said he was unaware of any previous ransomware supply-chain attack on this scale. There have been others, but they were fairly minor, he said.

"This is SolarWinds with ransomware," he said. He was referring to a Russian cyberespionage hacking campaign discovered in December that spread by infecting network management software to infiltrate U.S. federal agencies and scores of corporations.

Cybersecurity researcher Jake Williams, president of Rendition Infosec, said he was already working with six companies hit by the ransomware. It's no accident that this happened before the Fourth of July weekend, when IT staffing is generally thin, he added.

"There's zero doubt in my mind that the timing here was intentional," he said.

Hammond of Huntress said he was aware of four managed-services providers — companies that host IT infrastructure for multiple customers — being hit by the ransomware, which encrypts networks until the victims pay off attackers. He said thousands of computers were hit.

"We currently have three Huntress partners who are impacted with roughly 200 businesses that have been encrypted," Hammond said.

Hammond wrote on Twitter: "Based on everything we are seeing right now, we strongly believe this (is) REvil/Sodinokibi." The FBI linked the same ransomware provider to a May attack on JBS SA, a major global meat processor.

The federal Cybersecurity and Infrastructure Security Agency said in a statement late Friday that it is closely monitoring the situation and working with the FBI to collect more information about its impact.

CISA urged anyone who might be affected to "follow Kaseya's guidance to shut down VSA servers immediately." Kaseya runs what's called a virtual system administrator, or VSA, that's used to remotely manage and monitor a customer's network.

The privately held Kaseya says it is based in Dublin, Ireland, with a U.S. headquarters in Miami. The Miami Herald recently described it as "one of Miami's oldest tech companies" in a report about its plans to hire as many as 500 workers by 2022 to staff a recently acquired cybersecurity platform.

Brian Honan, an Irish cybersecurity consultant, said by email Friday that "this is a classic supply chain attack where the criminals have compromised a trusted supplier of companies and have abused that trust to attack their customers."

He said it can be difficult for smaller businesses to defend against this type of attack because they "rely on the security of their suppliers and the software those suppliers are using."

The only good news, said Williams, of Rendition Infosec, is that "a lot of our customers don't have Kaseya on every machine in their network," making it harder for attackers to move across an organization's computer systems.

That makes for an easier recovery, he said.

Active since April 2019, the group known as REvil provides ransomware-as-a-service, meaning it develops the network-paralyzing software and leases it to so-called affiliates who infect targets and earn the lion's share of ransoms.

REvil is among ransomware gangs that steal data from targets before activating the ransomware, strengthening their extortion efforts. The average ransom payment to the group was about half a million dollars last year, said the Palo Alto Networks cybersecurity firm in a recent report.

Some cybersecurity experts predicted that it might be hard for the gang to handle the ransom negotiations, given the large number of victims — though the long U.S. holiday weekend might give it more time to start working through the list.

___

Bajak reported from Boston; O'Brien contributed from Providence, Rhode Island.