The UK government is seeking British victims of the Kaseya ransomware attack over the weekend – the biggest global ransomware attack on record.
National Cyber Security Centre (NCSC), which is part of government intelligence agency GCHQ, said it’s currently ‘investigating its impact on the UK’.
It’s not known how many or which British firms are affected by the ransomware attack on Friday, which was courtesy of Russian hacking group REvil.
REvil – which managed to breach the systems of US-based software firm Kaseya – is demanding $70 million (£50.5 million) in cryptocurrency to fix it.
The hackers managed to bring down the firms by infiltrating VSA, a piece of Kaseya software that is used to manage much larger IT networks.
The National Cyber Security Centre (NCSC) said it is currently investigating the impact of the Kaseya ransomware attack on the UK
Each victim’s IT systems are scrambled and rendered un-usable, but if the ransom is paid, hackers deliver a decryptor key that unscrambles the network.
Analysts said it is no coincidence that it coincided with July 4 – Independence Day in the US – when US companies would be understaffed and less able to respond over the long weekend.
MailOnline has contacted NCSC regarding the specific UK firms that are confirmed to have been impacted by the mass extortion attack.
‘We are aware of a cyber incident involving Kaseya, and we are investigating its impact on the UK,’ the NCSC said in a statement.
‘Ransomware is a growing, global cyber threat, and all organisations should take immediate steps to limit risk and follow our advice on how to put in place robust defences to protect their networks.’
Ciaran Martin, founder of NCSC, told Radio 4: ‘The scale and sophistication of this global crime is rare, if not unprecedented.
‘It is a really serious, global operation.’
Kaseya said just a few dozen of its customers were directly affected by the attack, but knock-on effects have brought down firms in 17 countries.
According to a spokesperson for London software company Egress, UK customers are ‘believed to have been affected alongside those in the US, Canada, Germany, South Africa and Colombia’.
It has wiped out more than 500 Coop grocery stores in Sweden, as well as schools in New Zealand and two major Dutch IT firms.
Each victim’s IT systems are scrambled and rendered un-usable, but if the ransom is paid, hackers deliver a decryptor key that unscrambles the network
Geography of attempted attacks resulting from the original breach of Kaseya, based on Kaspersky’s telemetry
Coop had to close hundreds of stores on Saturday because its cash registers had been knocked offline as a consequence of the attack.
Meanwhile, Kaspersky said it has observed more than 5,000 attack attempts in 22 countries. The most affected were Italy, followed by the US, Colombia, Germany and Mexico.
REvil is best known for extorting $11 million from the meat-processor JBS back in May this year after a Memorial Day attack.
This time, REVil infected Kaseya, a provider of IT management software for managed service providers (MSPs) – companies that remotely manage a customer’s IT infrastructure.
Essentially, REvil used Kaseya’s access to breach not only its clients, but its clients’ clients – in other words, both MSPs and their customers.
This set off a chain reaction that paralysed computers of hundreds of firms worldwide.
REVil has an affiliate structure, occasionally making it difficult to determine who speaks on the hackers’ behalf, Reuters reports.
But Allan Liska of cybersecurity firm Recorded Future said the message ‘almost certainly’ came from REvil’s core leadership.
Ian Porteous at IT security firm Check Point Software said any company running Kaseya’s VSA should ‘unplug it from the network right now, although it might be too late’.
‘Check with security product vendors to verify protections are in place for REvil ransomware,’ he added.
‘If help is needed, call in a team of experts to help verify the situation within the environment.’
NCSC also tweeted its list of nine steps to take ‘if your organisation is already infected’, including disconnecting infected computers, laptops or tablets from all network connections.
UK Prime Minister Boris Johnson is yet to publicly address the attack. In the US, meanwhile, the White House said on Sunday that it was reaching out to victims of the outbreak ‘to provide assistance based upon an assessment of national risk’.
US President Joe Biden, who last month warned President Putin to take action against hacking groups targeting the US from Russia, said the FBI is investigating the latest hack and he will take action if Moscow is deemed to be responsible.