Ransomware Attack By Suspected Russian Gang May Impact Thousands
July 5, 2021
Businesses scrambled on July 3 to respond to a ransomware attack
on an American IT provider that cybersecurity experts believe
was carried out by Russian criminal hackers.
Thousands of businesses around the world may be impacted by the
cyberattack, according to a cybersecurity researcher whose
company is responding to the incident.
The cyberattack hijacked widely used technology management
software from the U.S.-based company Kaseya on July 2.
One of Sweden's biggest grocery chains, Coop, said its 800
stores were closed because a remote tool used for its cash
registers was affected, meaning payments could not be taken. Swedish
State Railways and a major local pharmacy chain were also
The Swedish news agency TT said Kaseya’s technology was used by
Swedish company Visma Esscom, which manages servers and devices
for a number of Swedish businesses.
Swedish Defense Minister Peter Hultqvist told Swedish Television
the attack showed how businesses and government need to boost
"In a different geopolitical situation, it may be government
actors who attack us in this way in order to shut down society
and create chaos," he said.
Kaseya urged customers in a statement on July 2 to immediately
shut down servers running the affected software and confirmed
that it had shut down some of its servers.
Kaseya said the attack was limited to a "small percentage" of
its customers, estimated at 40 worldwide. It said it was working
closely with a few security firms and U.S. government agencies.
But the ransomware could still be affecting many more companies
that are served by Kaseya's clients, the managed IT providers that
use its software to administer customer systems.
A cybersecurity researcher with Huntress Labs security firm
responding to the incident said “it's reasonable to think this
could potentially be impacting thousands of small businesses.”
John Hammond of Huntress said on Twitter that the criminals used
Kaseya’s network management package as a conduit to spread
ransomware through cloud service providers.
Hammond said that the REvil/Sodinokibi gang, a major
Russian-speaking ransomware syndicate, appears to be behind the
"Based on everything we are seeing right now, we strongly
believe this (is) REvil/Sodinokibi," Hammond said.
The FBI linked REvil to a ransomware attack in May on JBS, a
major global meat processor. Ransomware attacks render their
victims' data unusable by encrypting it until the victims pay
The U.S. Cybersecurity and Infrastructure Security Agency (CISA)
is closely monitoring this situation and is working with the FBI
to gather information about the impact of the incident, the
agency said in an e-mail to RFE/RL.
"We encourage all who might be affected to employ the
recommended mitigations and for users to follow Kaseya's
guidance to shut down VSA servers immediately," said Eric
Goldstein, executive assistant director for cybersecurity at the
Department of Homeland Security.
VSA is the company's flagship offering and is designed to let
companies manage networks of computers and printers from a
The latest cyberattack comes as CISA and the U.S. National
Security Agency (NSA) posted an advisory on July 1, detailing
how U.S. and British security agencies have exposed "brute
force" methods they say have been used by Russia's GRU
military-intelligence agency to conduct malicious
cyberactivities against hundreds of government and private
The advisory described cyberattacks carried out by operatives of
the GRU, which has been accused of involvement in attempts to
meddle in U.S. elections in 2016 and 2020, the hack in 2015 of
the German Bundestag, attacks on Ukraine's power grid, and many
U.S. President Joe Biden raised cybersecurity during his June
summit with Russian President Vladimir Putin. He said he told
Putin that certain types of critical infrastructure should be
off limits to cyberattacks.
Biden said he and Putin agreed to further discussions on those
types of attacks and on the pursuit of Russian-based criminals
carrying out ransomware attacks.
Prior to the ransomware attack on meatpacker JBS, a similar
attack on Colonial Pipeline, one of the largest pipeline
operators in the United States, forced the shutdown of fuel
supplies to much of the East Coast for nearly a week.
The U.S. Justice Department later said it had recovered most of
the bitcoin ransom paid to the suspected Russian-based DarkSide
cybercriminal group behind the attack on Colonial Pipeline.