A major ransomware attack has rocked the international business community in the last 48 hours. The attack was timed exquisitely to coincide with the U.S. July 4 long weekend.
Miami-based IT Management Software provider Kaseya was at the centre of the attack. Attackers managed to infiltrate Kaseya’s VSA desktop management tool and push through a malicious update. The update managed to infect tech management providers serving thousands of businesses.
Sweden hit hard
The Swedish grocery store chain Coop had to close all 800 stores because it could not operate its cash registers. According to Coop, a tool used to update its checkout registers remotely was affected by the attack, so payments could not be taken. A spokesman for the company announced the closure on Swedish Television on Saturday.
Elsewhere in Sweden, State railway services and a pharmacy chain also suffered disruption.
Swedish Defence Minister Peter Hultqvist told State television that the attack was “very dangerous” and showed how business and state agencies needed to improve their preparedness.
“In a different geopolitical situation, it may be government actors who attack us in this way in order to shut down society and create chaos,” he said.
Attacks are targeted and sophisticated
Huntress Labs, a firm specialising in cybersecurity, was one of the first to raise the alarm.
John Hammond of Huntress Labs said that it was likely the REvil gang, a major Russian-speaking ransomware syndicate, was behind the attack. The FBI linked REvil to a May attack on JBS SA, a major global meat processor.
The federal Cybersecurity and Infrastructure Security Agency (CISA) said in a statement late Friday that it is working with the FBI to collect more information about the attack’s impact.
CISA urged anyone who might be affected to “follow Kaseya’s guidance to shut down VSA servers immediately.”
The latest attack comes after Colonial Pipeline had to shut down infrastructure that supplied 45 per cent of the U.S. East Coast’s fuel supplies in May.
These sophisticated attacks target supply chains to compromise a trusted service provider. Small businesses are particularly vulnerable as they rely on the security of their suppliers and the software those suppliers are using.
“What we are seeing now in terms of victims is likely just the tip of the iceberg,” said Adam Meyers, senior vice president of security company CrowdStrike.
President Joe Biden said on Saturday that he had directed U.S. intelligence agencies to investigate who was behind the attack.
Cyber terrorists’ preference for cryptocurrencies
Perpetrators of ransomware favour cryptocurrencies because decentralised digital currencies offer advantages compared to fiat currency.
Cybercriminals are moving away from established cryptocurrencies, such as Bitcoin, towards the privacy-centric Monero. Monero is being heavily utilised on dark web marketplaces and is becoming a new payment method of choice for ransomware demands because of its privacy features.
Colonial Pipeline paid nearly $5 million in cryptocurrency to hackers in May. The FBI later was able to recover $2.3 million in Bitcoin.
There have been no statements regarding the hackers’ demands in this latest cyber attack.
This follows on from an announcement by the Morrison Government last week funding the first eight successful projects under round one of the $70 million Cyber Security Skills Partnership Innovation Fund, designed to help grow the local workforce and ensure a safe online environment for all Australians.