A chain of supermarkets in Switzerland is one of possibly thousands of potential victims in a new REvil ransomware gang attack that has targeted companies using information technology management software from Kaseya Ltd.

The new REvil attack came ahead of the Independence Day holiday in the U.S. today. According to Bleeping Computer, the attack targeted managed service providers using Kaseya VSA in a supply-chain attack. Kaseya VSA is a cloud-based MSP platform that allows providers to automate software patch management and vulnerability management to ensure all systems are up to date.

Among the first confirmed victims is Coop, a Swiss supermarket chain. The company was forced to close about 500 stores starting Friday after it first detected the compromise. Coop confirmed that the attack pathway was Kaseya VSA through a third-party provider and that the attack disabled cash registers, self-serving stations and other in-store payments.

Kaseya also confirmed that it had been targeted, saying earlier today that it had been the victim of a “sophisticated cyberattack.” Exactly how many Kaseya users may have been affected is unclear, with some suggesting thousands. The company itself claims that “this has been localized to a very small number of on-premises customers only.”

Although Kaseya may be correct, when trying to work out the actual number of victims, the number of MSPs using Kaseya VSA is not the main consideration versus how many customers of MSPs were then affected.

Whatever the number, it will likely be considerable. The U.S. Federal Bureau of Investigation said Saturday that it had launched an investigation and that it was working with Kaseya and the Department of Homeland Security Cybersecurity & Infrastructure Agency. The FBI encouraged Kaseya users to employ all recommended mitigations, including shutting down VSA servers immediately.

Russian links

The attack has also gained the attention of The White House, with U.S. President Joe Biden directing intelligence agencies to investigate who was behind the attack. “The initial thinking was it was not the Russian government, but we’re not sure yet,” Biden told reporters while visiting Michigan.

REvil, also known as Sodinokibi, has been linked to Russia in the past, although not the Russian government directly. The gang typically encrypts and steals data then threatens to publish the stolen data if a ransom is not paid.

In an attack on Acer Inc. in March, the group demanded a ransom payment of $50 million, while an attack on meat processing firm JBS S.A. resulted in the company paying a ransom of $11 million. Recent victims include clothing maker French Connection Group plc and Brazillian medical diagnostic company Grupo Fleury in June.

“The deliberate nature of ransomware and purpose-built attacks that target widely deployed system management software is now combined as part of a one-two punch by the REvil group,” Anuj Goel, chief executive officer and founder of threat intelligence solution company Cyware Labs Inc., told SiliconANGLE. “This represents an enormous and quite alarming trend using ransomware for financial gain as much as it leverages the connectedness of the supply for maximum reach, where so many of Kaseya’s customers are MSPs — the proliferation effect is massive.”

James Shank, Ransomware Task Force committee lead for worst-case scenarios and chief architect for community services at internet security firm Team Cymru Inc., noted that vendors and supply chains enable business growth and efficiency, but they also create high-value targets for attackers.

“With SolarWinds, CodeCov and now Kaseya being some of the recent software and IT system supply chain attacks that enabled attackers to hit their customers, the writing on the wall is crystal clear: Attackers are looking for ways to compromise supply chain vendors to amplify their reach into victims,” Shank explained. “During the Ransomware Task Force worst-case scenarios thought experiment, this exact scenario was identified as a critical weakness. Each of these connections can be a pathway for massively good things, but also opens the door to a shared fate scenario, where a security incident at your supplier is likely to also become an incident on your network.”

Photo: Ch-info/Wikimedia Commons