{"id":117658,"date":"2021-07-03T21:31:02","date_gmt":"2021-07-03T21:31:02","guid":{"rendered":"https:\/\/fin2me.com\/?p=117658"},"modified":"2021-07-03T21:31:02","modified_gmt":"2021-07-03T21:31:02","slug":"ransomware-attack-paralyzes-hundreds-of-us-companies","status":"publish","type":"post","link":"https:\/\/fin2me.com\/business\/ransomware-attack-paralyzes-hundreds-of-us-companies\/","title":{"rendered":"Ransomware Attack Paralyzes Hundreds Of US Companies"},"content":{"rendered":"

WASHINGTON (AP) \u2014 A ransomware attack paralyzed the networks of at least 200 U.S. companies on Friday, according to a cybersecurity researcher whose company was responding to the incident.<\/p>\n

The REvil gang, a major Russian-speaking ransomware syndicate, appears to be behind the attack, said John Hammond of the security firm Huntress Labs. He said the criminals targeted a software supplier called Kaseya, using its network-management package as a conduit to spread the ransomware through cloud-service providers. Other researchers agreed with Hammond\u2019s assessment.<\/p>\n

\u201cKaseya handles large enterprise all the way to small businesses globally, so ultimately, (this) has the potential to spread to any size or scale business,\u201d Hammond said in a direct message on Twitter. \u201cThis is a colossal and devastating supply chain attack.\u201d<\/p>\n

Such cyberattacks typically infiltrate widely used software and spread malware as it updates automatically.<\/p>\n

It was not immediately clear how many Kaseya customers might be affected or who they might be. Kaseya urged customers in a statement\u00a0on its website\u00a0to immediately shut down servers running the affected software. It said the attack was limited to a \u201csmall number\u201d of its customers.<\/p>\n

Brett Callow, a ransomware expert at the cybersecurity firm Emsisoft, said he was unaware of any previous ransomware supply-chain attack on this scale. There have been others, but they were fairly minor, he said.<\/p>\n

\u201cThis is SolarWinds with ransomware,\u201d he said. He was referring to a Russian cyberespionage hacking campaign discovered in December that spread by infecting network management software to infiltrate U.S. federal agencies and scores of corporations.<\/p>\n

Cybersecurity researcher Jake Williams, president of Rendition Infosec, said he was already working with six companies hit by the ransomware. It\u2019s no accident that this happened before the Fourth of July weekend, when IT staffing is generally thin, he added.<\/p>\n

\u201cThere\u2019s zero doubt in my mind that the timing here was intentional,\u201d he said.<\/p>\n

Hammond of Huntress said he was aware of four managed-services providers \u2014 companies that host IT infrastructure for multiple customers \u2014 being hit by the ransomware, which encrypts networks until the victims pay off attackers. He said thousands of computers were hit.<\/p>\n

\u201cWe currently have three Huntress partners who are impacted with roughly 200 businesses that have been encrypted,\u201d Hammond said.<\/p>\n

Hammond wrote on Twitter: \u201cBased on everything we are seeing right now, we strongly believe this (is) REvil\/Sodinokibi.\u201d The FBI\u00a0linked the same ransomware provider\u00a0to a May\u00a0attack on JBS SA, a major global meat processor.<\/p>\n

The federal Cybersecurity and Infrastructure Security Agency said in a statement late Friday that it is closely monitoring the situation and working with the FBI to collect more information about its impact.<\/p>\n

CISA urged anyone who might be affected to \u201cfollow Kaseya\u2019s guidance to shut down VSA servers immediately.\u201d Kaseya runs what\u2019s called a virtual system administrator, or VSA, that\u2019s used to remotely manage and monitor a customer\u2019s network.<\/p>\n

The privately held Kaseya says it is based in Dublin, Ireland, with a U.S. headquarters in Miami. The Miami Herald recently described it as \u201cone of Miami\u2019s oldest tech companies\u201d in a report about its plans to hire as many as 500 workers by 2022 to staff a recently acquired cybersecurity platform.<\/p>\n

Brian Honan, an Irish cybersecurity consultant, said by email Friday that \u201cthis is a classic supply chain attack where the criminals have compromised a trusted supplier of companies and have abused that trust to attack their customers.\u201d<\/p>\n

He said it can be difficult for smaller businesses to defend against this type of attack because they \u201crely on the security of their suppliers and the software those suppliers are using.\u201d<\/p>\n

The only good news, said Williams, of Rendition Infosec, is that \u201ca lot of our customers don\u2019t have Kaseya on every machine in their network,\u201d making it harder for attackers to move across an organization\u2019s computer systems.<\/p>\n

That makes for an easier recovery, he said.<\/p>\n

Active since April 2019, the group known as REvil provides ransomware-as-a-service, meaning it develops the network-paralyzing software and leases it to so-called affiliates who infect targets and earn the lion\u2019s share of ransoms.<\/p>\n

REvil is among ransomware gangs that steal data from targets before activating the ransomware, strengthening their extortion efforts. The average ransom payment to the group was about half a million dollars last year, said the Palo Alto Networks cybersecurity firm in a recent report.<\/p>\n

Some cybersecurity experts predicted that it might be hard for the gang to handle the ransom negotiations, given the large number of victims \u2014 though the long U.S. holiday weekend might give it more time to start working through the list.<\/p>\n

Bajak reported from Boston; O\u2019Brien contributed from Providence, Rhode Island.<\/em><\/p>\n

","protected":false},"excerpt":{"rendered":"

WASHINGTON (AP) \u2014 A ransomware attack paralyzed the networks of at least 200 U.S. companies on Friday, according to a cybersecurity researcher whose company was […]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"yoast_head":"\nRansomware Attack Paralyzes Hundreds Of US Companies - Fin2me<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/fin2me.com\/business\/ransomware-attack-paralyzes-hundreds-of-us-companies\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Ransomware Attack Paralyzes Hundreds Of US Companies - Fin2me\" \/>\n<meta property=\"og:description\" content=\"WASHINGTON (AP) \u2014 A ransomware attack paralyzed the networks of at least 200 U.S. companies on Friday, according to a cybersecurity researcher whose company was [...]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/fin2me.com\/business\/ransomware-attack-paralyzes-hundreds-of-us-companies\/\" \/>\n<meta property=\"og:site_name\" content=\"Fin2me\" \/>\n<meta property=\"article:published_time\" content=\"2021-07-03T21:31:02+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/fin2me.com\/wp-content\/uploads\/2018\/07\/xiaomi_shutterstock_551609191.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"680\" \/>\n\t<meta property=\"og:image:height\" content=\"440\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Mark\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Mark\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/fin2me.com\/business\/ransomware-attack-paralyzes-hundreds-of-us-companies\/\",\"url\":\"https:\/\/fin2me.com\/business\/ransomware-attack-paralyzes-hundreds-of-us-companies\/\",\"name\":\"Ransomware Attack Paralyzes Hundreds Of US Companies - Fin2me\",\"isPartOf\":{\"@id\":\"https:\/\/fin2me.com\/#website\"},\"datePublished\":\"2021-07-03T21:31:02+00:00\",\"dateModified\":\"2021-07-03T21:31:02+00:00\",\"author\":{\"@id\":\"https:\/\/fin2me.com\/#\/schema\/person\/ad0e9920e03d3b41c7ad02a18375d76a\"},\"breadcrumb\":{\"@id\":\"https:\/\/fin2me.com\/business\/ransomware-attack-paralyzes-hundreds-of-us-companies\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/fin2me.com\/business\/ransomware-attack-paralyzes-hundreds-of-us-companies\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/fin2me.com\/business\/ransomware-attack-paralyzes-hundreds-of-us-companies\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/fin2me.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Business\",\"item\":\"https:\/\/fin2me.com\/category\/business\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Ransomware Attack Paralyzes Hundreds Of US Companies\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/fin2me.com\/#website\",\"url\":\"https:\/\/fin2me.com\/\",\"name\":\"Fin2me\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/fin2me.com\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/fin2me.com\/#\/schema\/person\/ad0e9920e03d3b41c7ad02a18375d76a\",\"name\":\"Mark\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/fin2me.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/39b72719fb75a2d3c7d7695026648602?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/39b72719fb75a2d3c7d7695026648602?s=96&d=mm&r=g\",\"caption\":\"Mark\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Ransomware Attack Paralyzes Hundreds Of US Companies - Fin2me","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/fin2me.com\/business\/ransomware-attack-paralyzes-hundreds-of-us-companies\/","og_locale":"en_US","og_type":"article","og_title":"Ransomware Attack Paralyzes Hundreds Of US Companies - Fin2me","og_description":"WASHINGTON (AP) \u2014 A ransomware attack paralyzed the networks of at least 200 U.S. companies on Friday, according to a cybersecurity researcher whose company was [...]","og_url":"https:\/\/fin2me.com\/business\/ransomware-attack-paralyzes-hundreds-of-us-companies\/","og_site_name":"Fin2me","article_published_time":"2021-07-03T21:31:02+00:00","og_image":[{"width":680,"height":440,"url":"https:\/\/fin2me.com\/wp-content\/uploads\/2018\/07\/xiaomi_shutterstock_551609191.jpg","type":"image\/jpeg"}],"author":"Mark","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Mark","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/fin2me.com\/business\/ransomware-attack-paralyzes-hundreds-of-us-companies\/","url":"https:\/\/fin2me.com\/business\/ransomware-attack-paralyzes-hundreds-of-us-companies\/","name":"Ransomware Attack Paralyzes Hundreds Of US Companies - Fin2me","isPartOf":{"@id":"https:\/\/fin2me.com\/#website"},"datePublished":"2021-07-03T21:31:02+00:00","dateModified":"2021-07-03T21:31:02+00:00","author":{"@id":"https:\/\/fin2me.com\/#\/schema\/person\/ad0e9920e03d3b41c7ad02a18375d76a"},"breadcrumb":{"@id":"https:\/\/fin2me.com\/business\/ransomware-attack-paralyzes-hundreds-of-us-companies\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/fin2me.com\/business\/ransomware-attack-paralyzes-hundreds-of-us-companies\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/fin2me.com\/business\/ransomware-attack-paralyzes-hundreds-of-us-companies\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/fin2me.com\/"},{"@type":"ListItem","position":2,"name":"Business","item":"https:\/\/fin2me.com\/category\/business\/"},{"@type":"ListItem","position":3,"name":"Ransomware Attack Paralyzes Hundreds Of US Companies"}]},{"@type":"WebSite","@id":"https:\/\/fin2me.com\/#website","url":"https:\/\/fin2me.com\/","name":"Fin2me","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/fin2me.com\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/fin2me.com\/#\/schema\/person\/ad0e9920e03d3b41c7ad02a18375d76a","name":"Mark","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/fin2me.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/39b72719fb75a2d3c7d7695026648602?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/39b72719fb75a2d3c7d7695026648602?s=96&d=mm&r=g","caption":"Mark"}}]}},"_links":{"self":[{"href":"https:\/\/fin2me.com\/wp-json\/wp\/v2\/posts\/117658"}],"collection":[{"href":"https:\/\/fin2me.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fin2me.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fin2me.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/fin2me.com\/wp-json\/wp\/v2\/comments?post=117658"}],"version-history":[{"count":0,"href":"https:\/\/fin2me.com\/wp-json\/wp\/v2\/posts\/117658\/revisions"}],"wp:attachment":[{"href":"https:\/\/fin2me.com\/wp-json\/wp\/v2\/media?parent=117658"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fin2me.com\/wp-json\/wp\/v2\/categories?post=117658"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fin2me.com\/wp-json\/wp\/v2\/tags?post=117658"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}