REvil ransomware group strikes again with attack on hundreds of companies right before long holiday weekend

Homeland Security Secretary Alejandro Mayorkas speaks at a White House press briefing on March 1, 2021.

  • Russian-based REvil launched a ransomware attack on Friday that may have impacted hundreds of companies.
  • The group targeted IT management software provider Kaseya VSA in what’s known as a supply-chain attack.
  • REvil most recently attacked meat supplier JBS and received an $11 million payment from the company.

Just ahead of the long holiday weekend in the US, Russian-based REvil launched a ransomware attack that could have impacted hundreds of companies.

In what Emsisoft threat analyst Brett Callow called the “largest and most significant” ransomware attack to date, REvil targeted IT management software provider Kaseya VSA in what’s known as a supply-chain attack.

The attack on Kaseya appears to have spread to hundreds of its end users, but given its timing, the full extent of the damage may not be known until next Tuesday, when employees return to the office after the long 4th of July weekend.

REvil, which is a Russian-linked criminal ransomware-as-a-service organization, most recently attacked meat supplier JBS, which ultimately paid $11 million to get its processing plants back online.

After learning of the attack on Friday, Kaseya shut down its servers and began warning its customers, according to a company statement.

“While our early indicators suggested that only a very small number of on-premises customers were affected, we took a conservative approach in shutting down the SaaS servers to ensure we protected our more than 36,000 customers to the best of our ability,” the company said, adding that it believes fewer than 40 of its customers were affected.

But many of Kaseya’s customers are service providers that in turn have hundreds of customers who could have been infected with the ransomware.

“This is SolarWinds, but with ransomware. When a single MSP is compromised, it can impact hundreds of end users. And in this case it seems that multiple MSPs have been compromised,” Callow told Wired.

While the US government strongly discourages businesses from paying the ransom demands, many businesses feel they have no choice because the encrypted data is essential to keep operations running. The hackers honor the terms of their ransom because they want to build credibility that paying the fee will in fact get victims’ data back.

The US Cybersecurity and Infrastructure Security Agency said on Twitter it is “taking action to understand and address the supply-chain ransomware attack” against Kaseya VSA.

Al Saikali, partner at law firm Shook, Hardy & Bacon LLP, told The Wall Street Journal that ransom demands in six Kaseya-related attacks the firm is consulting on range from $25,000 to $150,000. But for large service providers impacted by the attack, the ransom demands have been as high as $5 million.

Assuming REvil’s ransomware attack has compromised hundreds of companies, now the question is “how many simultaneous negotiations REvil can handle and whether companies that want to pay may face delays,” according to Callow.

Read the original article on Business Insider

Crippling attacks on US gas and meat suppliers expose the dangers of major companies’ reliance on patchwork cybersecurity

  • Recent ransomware attacks on key companies have wreaked havoc on US suppliers and consumers.
  • Cybersecurity experts say that while these firms may be large in scale, they’re not necessarily high-tech.
  • Large companies often have a mosaic of IT systems that can make them vulnerable to attack.

In his Senate testimony during a hearing last week on the Colonial Pipeline cyber attack, CEO Joseph Blount said hackers had penetrated a legacy system that was protected by a single password, rather than multi-factor authentication.

“It was a complicated password – I want to be clear on that – it was not a ‘Colonial123’-type password,” Blount said.

In normal operations, the company, which runs the nation’s largest oil and gas pipeline, uses a more robust authentication process to make remote access more difficult, he added. “We take cybersecurity very seriously.”

But Blount’s testimony also showed that Colonial relies on a variety of different countermeasures to defend its systems – systems that provide more than half the oil and gas consumed by the East Coast. Last month’s ransomware attack on Colonial forced a nearly week-long shutdown of its 5,500 miles of pipeline, causing a ripple effect of gasoline shortages and panic buying across parts of the East Coast.

Colonial is by no means alone. Meatpacking giant JBS was hit with a similar attack, and recently disclosed that it paid $11 million to the hackers. The New York subway system and a Massachusetts ferryboat operator have also recently been targeted.

Indeed, the FBI is now working with more than 90 ransomware victims across a range of critical infrastructure sectors, deputy director Paul M. Abbate said in a press conference on the partial recovery of Colonial’s $4 million ransom payment.

The Wall Street Journal reported that ransomware incidents have tripled in the past year, according to the FBI and private-sector reports. The chief information security officer for pharmaceutical giant Johnson & Johnson told a WSJ event that her company experiences around 15.5 billion cybersecurity incidents per day.

Experts told Insider that some companies’ reliance on patchwork cybersecurity systems leaves gaps for hackers to exploit, which in turn leaves key services and supply chains vulnerable to attack.

“These perpetrators are looking for places where there are sloppy cybersecurity practices,” said Mark Testoni, CEO of SAP’s national security arm, NS2. “Every company has a mosaic of systems, and they might come from a number of manufacturers.”

In other words, a company’s investment in state-of-the-art locks and cameras on its front door could be rendered ineffective if the windows aren’t well-secured too.

Doug Schmidt, a professor of computer science at Vanderbilt University, said the challenge can be especially pronounced when firms acquire or merge with others that continue to depend on legacy systems, like software for a key piece of equipment that will only run on Windows 95.

“A given system may be fairly secure, but when you start connecting it to other systems that it really wasn’t meant to work with, that leaves all kinds of opportunities for neglect, error, and surprise,” he said.

This can be even more problematic in lower-margin, highly consolidated industries like food and some utilities where companies might see cybersecurity more as an expense than an investment, especially for those that don’t perceive themselves to be a target.

“Imagine how it must just be like taking candy from a baby to go and hack these low-margin businesses that are building incrementally, and have very heterogeneous long tails of inadequate, unsecured, chaotic, error-filled legacy information systems,” Schmidt said.

For Testoni, episodes like the recent ransomware attacks underscore the need for a change of mindset among business leaders.

“The most important thing that every company needs to understand is every company is now a technology company,” he said. “They need to think like they’re a technology company, and they have to protect both their digital assets and their physical assets.”

Every incremental improvement helps reduce the overall risk, Testoni said, and will pay dividends later as the world only becomes more heavily networked.

Deputy Attorney General Lisa Monaco echoed that sentiment in her remarks on the Colonial ransom case, calling on corporate and community leaders to “invest the resources now.”

“Failure to do so could be the difference between being secure now – or a victim later,” she said.


The White House is urging private companies to take the threat of cyberattacks seriously as ransomware hacks ‘have increased significantly’

Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger speaks about the Colonial Pipeline cyber attack during the daily press briefing at the White House on May 10, 2021 in Washington, DC.

  • The Biden Administration is calling on the private sector to do more in the fight against cybercrime.
  • “The number and size of ransomware incidents have increased significantly,” the administration says.
  • The memo follows an attack on the world’s largest meatpacker, which shut down several US factories.

The private sector needs to do more to defend itself in the face of a rising cybersecurity threat, the White House said in a memo addressed to corporate executives and business leaders on Wednesday.

“The number and size of ransomware incidents have increased significantly,” wrote Anne Neuberger, Biden’s deputy national security advisor for cyber and emerging technology.

“The private sector also has a critical responsibility to protect against these threats,” she added. “All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location.”

The memo follows the latest attack on a key resource supplier in the US by ransomware attackers said to be based in Russia. Over the weekend, the world’s largest meat processor, JBS, was forced to shut down much of its North American operations after an attack the FBI attributed to a group known as Pinchy Spider.

And in April, the Colonial Pipeline was temporarily shut down when the company’s IT infrastructure was held hostage by the hackers known as Darkside for a ransom worth $4.4 million.

This week, the New York subway system and a Massachusetts ferry operator were each victims of cyber attacks.

Business leaders should immediately discuss their risk exposure and response strategies, the memo said, including following guidance outlined in last month’s Executive Order on improving the country’s cybersecurity.

The “highly impactful steps” include using a multi-factor authentication system instead of relying on passwords, conducting regularly scheduled data backups, keeping systems updated, and segmenting networks so an attack doesn’t bring the whole system down.

“Much as our homes have locks and alarm systems and our office buildings have guards and security to meet the threat of theft, we urge you to take ransomware crime seriously and ensure your corporate cyber defenses match the threat,” the memo said.


JBS says meatpacking operations will be back to normal Wednesday after a ransomware attack over the weekend

General view of Brazilian meatpacker JBS SA in the city of Lapa, Parana state, Brazil, March 21, 2017. Picture taken March 21, 2017. REUTERS/Ueslei Marcelino

  • JBS, the world’s largest meatpacking company, says it’s getting back online after a cyber attack.
  • The attack, believed to have originated in Russia, disrupted plants in the US and Canada.
  • Late on Tuesday, the company said its production should be back to normal on Wednesday.

Meatpacking operations are returning to normal Wednesday at JBS plants across the US and Canada, after a ransomware attack over the weekend against the world’s largest meat processor’s IT infrastructure, the company said.

“Given the progress our IT professionals and plant teams have made in the last 24 hours, the vast majority of our beef, pork, poultry and prepared foods plants will be operational tomorrow,” JBS USA CEO Andre Nogueira said in a statement late on Tuesday.

The attack on the Brazil-based company is thought to have originated from a criminal organization based in Russia, the White House said, and the FBI is investigating.

JBS is responsible for about one-fifth of all US beef and pork processing capacity, and the disruption yesterday caused the US Department of Agriculture to delay the release of its daily price report. Bloomberg noted that excluding JBS’s data from the report could reveal proprietary information about its competitors.

In its statement on Tuesday, JBS said it was able to sell and ship product from nearly all of its North American facilities, and that it was not aware of any customer, supplier or employee data being compromised in the attack.

Livestock industry analysts did say that even a single day of disrupted supply could significantly impact the beef market, which is already seeing a trend of rising prices.

Last month, the cyber gang Dark Side executed a similar attack against the Colonial Pipeline, which led the fuel company to shut off its supply and caused gasoline shortages across the southeast. The company ended up paying a ransom worth $4.4 million in bitcoin to the hackers.

The issue is getting rapidly larger with the rise of various cryptocurrencies. A recent study estimated that in 2020, more than $350 million worth of cryptocurrency was paid to hackers by victims of ransomware attacks, nearly four times the amount in 2019.


Up to one-fifth of US beef and pork capacity may be shut down after the ransomware attack on JBS, the world’s largest meat processing company

In this Oct. 12, 2020 file photo, a worker heads into the JBS meatpacking plant in Greeley, Colo

  • Brazilian meat processing giant JBS is the latest major firm to suffer a ransomware attack.
  • JBS employs over 64,000 workers in the US and is responsible for a fifth of beef and pork capacity.
  • The White House says the attack originated in Russia and that the FBI is investigating.

JBS, the world’s largest meat processing company, has become the latest major firm to fall victim to a ransomware attack, bringing some production to a halt, the company said on Monday.

The Brazil-based meatpacker’s US operations are headquartered in Greeley, Colorado, and control an estimated one-fifth of the country’s slaughtering capacity for beef and pork. The company employs more than 64,000 workers in the US, many of whom are reporting cancelled shifts during the stoppage.

“On Sunday, May 30, JBS USA determined that it was the target of an organised cybersecurity attack, affecting some of the servers supporting its North American and Australian IT systems,” the company said in a Monday statement.

“Resolution of the incident will take time, which may delay certain transactions with customers and suppliers,” the statement said.

A White House spokesperson said JBS notified the US government about the attack, which is thought to have originated in Russia. The FBI is investigating, as well.

“Even one day of disruption will significantly impact the beef market and wholesale beef prices,” a livestock trade publication wrote, while analysts told Reuters that the disruption to JBS’s business could lead to higher prices for meat and potential shortages in some areas if the shutdowns continue.

On Tuesday, the US Department of Agriculture delayed its daily wholesale price report, citing “packer submission issues.” Agriculture markets rely on the data, but leaving JBS out of the report could reveal proprietary information about its competitors, Bloomberg reported.

Last month, a cyber attack on Colonial Pipeline’s billing system led to supply shocks across the southeastern US when the company chose to shut off service for several days. Colonial quickly paid the $4.4 million ransom to the hacker group Dark Side.

“This decision was not made lightly, however, one that had to be made,” Colonial CEO Joseph Blount said in a statement.


Hacking group behind the cyberattack on a key US fuel pipeline is said to be disbanding


Out of service fuel nozzles are covered in plastic on a gas pump at a gas station in Waynesville, North Carolina, after a gasoline supply crunch caused by the Colonial Pipeline hack

DarkSide, the ransomware group that attacked Colonial Pipeline last week, sending gasoline prices soaring, is reportedly shutting down, per a new report by the Wall Street Journal.

Citing sources who work in security, the Journal says DarkSide told associates it no longer has access to its servers and pointed to disruptions caused by a law-enforcement agency and pressure from the United States. The website associated with DarkSide was no longer active as of Thursday.

The group said it lost access shortly after President Joe Biden said: “We have been in direct communications with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks. We’re also going to pursue a measure to disrupt their ability to operate.”

Biden said there wasn’t any evidence the Russian government was behind the attack, but those involved “are living in Russia.” The Journal, alongside the website Oil Price, says it’s possible the US successfully disrupted the hackers.

The announcement of its shutdown could also be a cover, however, in which the hackers shut themselves down and take all the money. In fact, the Journal reports, it’s not uncommon for ransomware groups to disband only to reappear later under different names.

DarkSide made headlines this week for attacking Colonial Pipeline, which operates the country’s largest refined products pipeline and supplies 45% of all fuel consumed on the East Coast. After news of the attack spread, people began panic-buying gasoline, which sent gas prices soaring to over $3 for the first time since 2014.

Per those familiar with the matter, Colonial Pipeline is said to have paid nearly $5 million to the hackers in order to free the pipeline. The pipeline shut down on May 7 and was restarted on Wednesday. As of Saturday morning, operations have returned to normal, the company announced via Twitter.

Ransomware made over $400 million last year and has been emerging as a profitable criminal business, according to blockchain research firm Chainalysis Inc. Security researchers told the Journal DarkSide had become prominent within the world of ransomware. Within its first seven months of operation, the group made at least $60 million – $46 million of which came in the first quarter of this year, Chainalysis Inc. found.


A ransomware attack has forced the shutdown of the largest US fuel pipeline, which carries nearly half the fuel consumed by the East Coast

Trucks line up at a Colonial Pipeline facility.

  • The largest US refined fuel pipeline operator, Colonial Pipeline, says it was the victim of a cyber attack.
  • The attack forced the company to halt operations of its 5,500 miles of pipeline.
  • Colonial transports approximately 45% of all fuel consumed on the East Coast.

Colonial Pipeline, the largest US refined fuel pipeline operator, has shut down operations because of a cyber attack, the company said.

The incident involved ransomware, the company said on Saturday. It did not give further details of the attack or who might have carried it out.

After learning it was “the victim of a cybersecurity attack,” the pipeline operator on Friday took some systems offline, temporarily halting pipeline operations and certain IT systems. It also hired an outside cybersecurity firm, the company said in a statement.

“At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation,” the statement said.

The company is the country’s largest refined products pipeline operator, transporting more than 100 million gallons of gasoline, diesel, jet fuel, and home heating oil daily through a pipeline system that spans 5,500 miles from Houston, Texas to the New York area.

Colonial’s pipelines transport approximately 45% of all fuel consumed on the East Coast, according to its website.

Federal authorities and law enforcement have also been contacted about the attack, according to Colonial.

Cybersecurity experts have long warned that critical parts of the national infrastructure could be vulnerable to a cyber attack. The Biden administration last month rolled out an initiative to ramp up cybersecurity of the nation’s power grid.

“Unfortunately, the cyber attack against Colonial Pipeline is only a teaser of the future of cyber attacks,” said Grant Geyer, Chief Product Officer at industrial cybersecurity company Claroty. “As cyber criminals and foreign adversaries seek opportunities for financial gain and power projection, our national critical infrastructure is an easy target,” Geyer said.

Ransomware is a kind of malware that locks you out of your computer files unless you agree to pay a ransom fee. It is considered the most severe cybersecurity threat facing government agencies and private companies. Last year, criminals paralyzed thousands of companies and organizations by locking up their computer networks and demanding a ransom.

The incident comes as demand for travel, and fuel, heats up heading into the summer months as more people get vaccinated for COVID-19 and pandemic restrictions are lifted. Colonial did not say how long it expects its operations to be shut down. A prolonged shutdown could cause turmoil in fuel markets next week. Gasoline futures gained 0.6% on Friday.

The attack on Colonial follows a string of high profile breaches. SolarWinds, a Texas-based IT firm, was the subject of a cyberattack that went undetected for months – as a result of the hack, foreign attackers were able to spy on private companies as well as government agencies, including the Treasury Department and the Department of Homeland Security.

Earlier this year, thousands of organizations across the US were hacked through flaws in Microsoft’s Exchange server email software.


A cyberattack forced a temporary shutdown of the largest US fuel pipeline, which carries nearly half the fuel consumed by the East Coast

Trucks line up at a Colonial Pipeline facility.

  • The largest US refined fuel pipeline operator, Colonial Pipeline, says it was the victim of a cyber attack.
  • The attack forced the company to halt operations of its 5,500 miles of pipeline.
  • Colonial transports approximately 45% of all fuel consumed on the East Coast.

Colonial Pipeline, the largest US refined fuel pipeline operator, has shut down operations because of a cyberattack, the company said.

After learning it was “the victim of a cybersecurity attack,” the pipeline operator on Friday took certain systems offline, temporarily halting pipeline operations and certain IT systems. It also hired an outside cybersecurity firm that is investigating the severity of the breach, the company said in a statement.

“At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation,” the statement said.

Federal authorities and law enforcement have also been contacted, according to Colonial.

The company is the country’s largest refined products pipeline operator, transporting more than 100 million gallons of gasoline, diesel, jet fuel, and home heating oil daily through a pipeline system that spans 5,500 miles from Houston, Texas to the New York area.

Colonial’s pipelines transport approximately 45% of all fuel consumed on the East Coast, according to its website.

Colonial did not say how long it expects its operations to be shut down.

Gasoline futures gained 0.6% on Friday.


What is cybersecurity? A guide to the methods used to protect computer systems and data

Cybersecurity is the protection of computer systems from cyberattacks and is a rapidly growing industry.

  • Cybersecurity is the practice that protects computer technology and data systems from attack.
  • It’s a huge, multi-billion dollar industry and consists of many kinds of security practices.
  • The threat landscape is always evolving, but current threats to cybersecurity include malware, phishing, and denial-of-service attacks.

Cybersecurity is the practice of protecting all forms of computer technology from malicious attacks. It covers protecting computers, servers, mobile devices, networks, applications, and data against damage, destruction, and unauthorized access. As an industry, cybersecurity is enormous and growing, helping protect everyone from new and evolving threats.

