Up to 11 New Zealand schools using US firm’s Kaseya software are potential victims of a targeted cyberattack.
“Our analysis has shown that 11 schools out of 2400 may have been affected by the ransomware attack,” said a spokesperson from the Ministry of Education.
“We are working with those schools to provide them with support and will continue to identify if other schools have been impacted.”
- Kaseya ransomware attack: 8 things you need to know
- New Zealand edging closer to digital IDs
- NZ vs Big Tech: How can little New Zealand regulate Facebook and co?
One of those hit is St Peter’s College in Cambridge.
A message posted to Facebook informed parents that although the system was now stable – “all school systems are inactive and will be for at least the next 48 hours” – as a result of the attack.
St Peter’s broke up for a three-week school holiday break on Friday, so students aren’t impacted.
Local IT services firm Datacom has shut down its servers that use Kaseya software as a precautionary measure.
The attack has hit Swedish supermarkets too – 500 closed after their cash registers stopped working, the BBC reported.
Other victims include Dutch IT services companies VelzArt and Hoppenbrouwer Techniek.
In May the Waikato DHB in May had its entire computer system taken offline and left staff relying on manual processes to continue working.
This new attack is thought to be the single biggest global ransomware attack on record with thousands of companies worldwide impacted.
The attackers in this instance hacked into Managed Service Providers (MSPs) – and Kaseya is very popular with that sector.
Managed service providers provide IT infrastructure for companies that would rather outsource their IT rather than run it themselves.
Wired characterised the attack like this – “if you successfully hack an MSP, you suddenly have access to its customers. It’s the difference between cracking safe-deposit boxes one at a time and stealing the bank manager’s skeleton key.”
Jake Williams, chief technology officer of incident response firm BreachQuest has said that because of its ubiquity “Kaseya is the Coca-Cola of remote management.”
Prime suspects are the Russian-linked REevil ransomware group, fresh from extorting $11 million USD from meat-processor JBS after an attack in May that limited meat supplies in the States.
The FBI is investigating the Kaseya attack along with the federal Cybersecurity and Infrastructure Security Agency, though the FBI note that the scale of the incident “may make it so that we are unable to respond to each victim individually.”
Huntress Labs, a US security specialist firm, said it was aware of more than 1000 organisations having their data encrypted, including in Australia, Europe and South America.
In a Reddit thread the company has set up to provide information to those impacted, they say that the VSA procedure used to deploy the encryptor was named “Kaseya VSA Agent Hot-fix”.
It is thought that the hackers timed their attack to coincide with the fourth of July holiday in the US.
Unlike the Waikato DHB attack – which computer experts blamed on the DHB’s reliance on legacy software – the victims in this attack were relying on Kaseya to keep their systems running, and their data safe and secure.
According to Kaseya’s website more than 40,000 organisations around the world use one of Kaseya’s programmes which they refer to as “industry-leading IT solutions”.
Cyber Security watchdog CertNZ released a statement this morning – “Kaseya has released a tool that users can run to check their VSA server for signs of compromise. This can be requested by emailing email@example.com with the subject line “Compromise Detection Tool Request”.
Today Kaseya posted that their efforts have shifted – “from root cause analysis and mitigating the vulnerability to beginning the execution of our service recovery plan.”
But many think that the full impact of the Kaseya attack, both locally and globally, is still developing.