A successful ransomware attack on a single company has spread to at least 200 organizations, according to cybersecurity firm Huntress Labs, making it one of the single largest criminal ransomware sprees in history.
The attack, first revealed Friday afternoon, is believed to be affiliated with the prolific ransomware gang REvil and perpetrated through Kaseya, an international company that remotely controls programs for companies that, in turn, manage internet services for businesses.
Kaseya announced Friday afternoon it was attacked by hackers and warned all its customers to immediately stop using its service.
At least four of Kaseya’s immediate customers were hacked, said John Hammond, a senior security researcher at Huntress, which is helping with Kaseya’s response.
Since those Kaseya customers manage an untold number of businesses, it is unclear how many will fall victim to ransomware over the weekend, but Huntress’ count is already around 200, Hammond said, with that number expected to rise.
The timing, just ahead of Fourth of July weekend, is unlikely to be a coincidence. Ransomware hackers often time their attacks to start at the beginning of a holiday or weekend, as that minimizes the number of cybersecurity professionals who might be able to quickly jump on and stop the malicious software’s spread.
The malicious software used to encrypt victims’ computers appears similar to the type normally used by REvil, a ransomware gang largely composed of Russian speakers, multiple researchers have found. In the past, REvil has attempted “supply chain” compromises, where a hacker goes after a target that is connected to multiple organizations, in the hopes that one successful compromise will lead to many more.
The U.S. Cybersecurity and Infrastructure Security Agency announced Friday evening that it is “taking action to understand and address” the attack.
Eric Goldstein, CISA’s executive assistant director for cybersecurity, said his agency and the FBI have begun assessing the scenario.
“CISA is closely monitoring this situation and we are working with the FBI to gather information about its impact,” Goldstein said in an emailed statement.
“We encourage all who might be affected to employ the recommended mitigations and for users to follow Kaseya’s guidance,” he said.