Scale, details of massive Kaseya ransomware attack emerge - CP24 Toronto's Breaking News | Canada News Media

BOSTON (AP) – Cybersecurity teams worked feverishly Sunday to stem the impact of the single biggest global ransomware attack on record, with some details emerging about how the Russia-linked gang responsible breached the company whose software was the conduit.

An affiliate of the notorious REvil gang, best known for extorting $11 million from the meat-processor JBS after a Memorial Day attack, infected thousands of victims in at least 17 countries on Friday, largely through firms that remotely manage IT infrastructure for multiple customers, cybersecurity researchers said. They reported ransom demands of up to $5 million.

The FBI said in a statement Sunday that it was investigating the attack along with the federal Cybersecurity and Infrastructure Security Agency, though “the scale of this incident may make it so that we are unable to respond to each victim individually.”

President Joe Biden suggested Saturday the U.S. would respond if it was determined that the Kremlin is at all involved. He said he had asked the intelligence community for a “deep dive” on what happened.

The attack comes less than a month after Biden pressed Russian President Vladimir Putin to stop providing safe haven to REvil and other ransomware gangs whose unrelenting extortionary attacks the U.S. deems a national security threat.

A broad array of businesses and public agencies were hit by the latest attack, apparently on all continents, including in financial services, travel and leisure and the public sector – though few large companies, the cybersecurity firm Sophos reported. Ransomware criminals break into networks and sow malware that cripples networks on activation by scrambling all their data. Victims get a decoder key when they pay up.

The Swedish grocery chain Coop said most of its 800 stores would be closed for a second day Sunday because their cash register software supplier was crippled. A Swedish pharmacy chain, gas station chain, the state railway and public broadcaster SVT were also hit.

In Germany, an unnamed IT services company told authorities several thousand of its customers were compromised, the news agency dpa reported. Also among reported victims were two big Dutch IT services companies – VelzArt and Hoppenbrouwer Techniek. Most ransomware victims don’t publicly report attacks or disclose if they’ve paid ransoms.

CEO Fred Voccola of the breached software company, Kaseya, estimated the victim number in the low thousands, mostly small businesses like “dental practices, architecture firms, plastic surgery centers, libraries, things like that.”

Voccola said in an interview that only between 50 and 60 of the company’s 37,000 customers were compromised. But 70% were managed service providers who use the company’s hacked VSA software to manage multiple customers. It automates the installation of software and security updates and manages backups and other vital tasks.

Experts say it was no coincidence that REvil launched the attack at the start of the Fourth of July holiday weekend, knowing U.S. offices would be lightly staffed. Many victims may not learn of it until they are back at work on Monday. The vast majority of end customers of managed service providers “have no idea” what kind of software is used to keep their networks humming, said Voccola.

Kaseya said it sent a detection tool to nearly 900 customers on Saturday night.

John Hammond of Huntress Labs, one of the first cybersecurity firms to sound the alarm on the attack, said he’d seen $5 million and $500,000 demands by REvil for the decryptor key needed to unlock scrambled networks. The smallest amount demanded appears to have been $45,000.

Sophisticated ransomware gangs on REvil’s level usually examine a victim’s financial records – and insurance policies if they can find them – from files they steal before activating the data-scrambling malware. The criminals then threaten to dump the stolen data online unless paid. It was not immediately clear if this attack involved data theft, however. The infection mechanism suggests it did not.

“Stealing data typically takes time and effort from the attacker, which likely isn’t feasible in an attack scenario like this where there are so many small and mid-sized victim organizations,” said Ross McKerchar, chief information security officer at Sophos. “We haven’t seen evidence of data theft, but it’s still early on and only time will tell if the attackers resort to playing this card in an effort to get victims to pay.”

Dutch researchers said they alerted Miami-based Kaseya to the breach and said the criminals used a “zero day,” the industry term for a previously unknown security hole in software. Voccola would not confirm that or offer details of the breach – except to say that it was not phishing.

“The level of sophistication here was extraordinary,” he said.

When the cybersecurity firm Mandiant finishes its investigation, Voccola said he is confident it will show that the criminals didn’t just violate Kaseya code in breaking into his network but also exploited vulnerabilities in third-party software.

It was not the first ransomware attack to leverage managed services providers. In 2019, criminals hobbled the networks of 22 Texas municipalities through one. That same year, 400 U.S. dental practices were crippled in a separate attack.

One of the Dutch vulnerability researchers, Victor Gevers, said his team is worried about products like Kaseya’s VSA because of the total control of vast computing resources they can offer. “More and more of the products that are used to keep networks safe and secure are showing structural weaknesses,” he wrote in a blog Sunday.

The cybersecurity firm ESET identified victims in at least 17 countries, including the United Kingdom, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand and Kenya.

Kaseya says the attack only affected “on-premise” customers, organizations running their own data centers, as opposed to its cloud-based services that run software for customers. It also shut down those servers as a precaution, however.

Kaseya, which called on customers Friday to shut down their VSA servers immediately, said Sunday it hoped to have a patch in the next few days.

Active since April 2019, REvil provides ransomware-as-a-service, meaning it develops the network-paralyzing software and leases it to so-called affiliates who infect targets and earn the lion’s share of ransoms. U.S. officials say the most potent ransomware gangs are based in Russia and allied states and operate with Kremlin tolerance and sometimes collude with Russian security services.

Cybersecurity expert Dmitri Alperovitch of the Silverado Policy Accelerator think tank said that while he does not believe the Kaseya attack is Kremlin-directed, it shows that Putin “has not yet moved” on shutting down cybercriminals.

AP reporters Eric Tucker in Washington, Kirsten Grieshaber in Berlin, Jari Tanner in Helsinki and Sylvie Corbet in Paris contributed to this report.


Transat AT reports $39.9M Q3 loss compared with $57.3M profit a year earlier


MONTREAL – Travel company Transat AT Inc. reported a loss in its latest quarter compared with a profit a year earlier as its revenue edged lower.

The parent company of Air Transat says it lost $39.9 million or $1.03 per diluted share in its quarter ended July 31.

The result compared with a profit of $57.3 million or $1.49 per diluted share a year earlier.

Revenue in what was the company’s third quarter totalled $736.2 million, down from $746.3 million in the same quarter last year.

On an adjusted basis, Transat says it lost $1.10 per share in its latest quarter compared with an adjusted profit of $1.10 per share a year earlier.

Transat chief executive Annick Guérard says demand for leisure travel remains healthy, as evidenced by higher traffic, but consumers are increasingly price conscious given the current economic uncertainty.

This report by The Canadian Press was first published Sept. 12, 2024.

Companies in this story: (TSX:TRZ)

The Canadian Press. All rights reserved.


Dollarama keeping an eye on competitors as Loblaw launches new ultra-discount chain


Dollarama Inc.’s food aisles may have expanded far beyond sweet treats or piles of gum by the checkout counter in recent years, but its chief executive maintains his company is “not in the grocery business,” even if it’s keeping an eye on the sector.

“It’s just one small part of our store,” Neil Rossy told analysts on a Wednesday call, where he was questioned about the company’s food merchandise and rivals playing in the same space.

“We will keep an eye on all retailers — like all retailers keep an eye on us — to make sure that we’re competitive and we understand what’s out there.”

Over the last decade and as consumers have more recently sought deals, Dollarama’s food merchandise has expanded to include bread and pantry staples like cereal, rice and pasta sold at prices on par or below supermarkets.

However, the competition in the discount segment of the market Dollarama operates in intensified recently when the country’s biggest grocery chain began piloting a new ultra-discount store.

The No Name stores being tested by Loblaw Cos. Ltd. in Windsor, St. Catharines and Brockville, Ont., are billed as 20 per cent cheaper than discount retail competitors including No Frills. The grocery giant is able to offer such cost savings by relying on a smaller store footprint, fewer chilled products and a hearty range of No Name merchandise.

Though Rossy brushed off notions that his company is a supermarket challenger, grocers aren’t off his radar.

“All retailers in Canada are realistic about the fact that everyone is everyone’s competition on any given item or category,” he said.

Rossy declined to reveal how much of the chain’s sales would overlap with Loblaw or the food category, arguing the vast variety of items Dollarama sells is its strength rather than its grocery products alone.

“What makes Dollarama Dollarama is a very wide assortment of different departments that somewhat represent the old five-and-dime local convenience store,” he said.

The breadth of Dollarama’s offerings helped carry the company to a second-quarter profit of $285.9 million, up from $245.8 million in the same quarter last year as its sales rose 7.4 per cent.

The retailer said Wednesday the profit amounted to $1.02 per diluted share for the 13-week period ended July 28, up from 86 cents per diluted share a year earlier.

The period the quarter covers includes the start of summer, when Rossy said the weather was “terrible.”

“The weather got slightly better towards the end of the summer and our sales certainly increased, but not enough to make up for the season’s horrible start,” he said.

Sales totalled $1.56 billion for the quarter, up from $1.46 billion in the same quarter last year.

Comparable store sales, a key metric for retailers, increased 4.7 per cent, while the average transaction was down 2.2 per cent and traffic was up seven per cent, RBC analyst Irene Nattel pointed out.

She told investors in a note that the numbers reflect “solid demand as cautious consumers focus on core consumables and everyday essentials.”

Analysts have attributed such behaviour to interest rates that have been slow to drop and high prices of key consumer goods, which are weighing on household budgets.

To cope, many Canadians have spent more time seeking deals, trading down to more affordable brands and forgoing small luxuries they would treat themselves to in better economic times.

“When people feel squeezed, they tend to shy away from discretionary, focus on the basics,” Rossy said. “When people are feeling good about their wallet, they tend to be more lax about the basics and more willing to spend on discretionary.”

The current economic situation has drawn in not just the average Canadian looking to save a buck or two, but also wealthier consumers.

“When the entire economy is feeling slightly squeezed, we get more consumers who might not have to or want to shop at a Dollarama generally or who enjoy shopping at a Dollarama but have the luxury of not having to worry about the price in some other store that they happen to be standing in that has those goods,” Rossy said.

“Well, when times are tougher, they’ll consider the extra five minutes to go to the store next door.”

This report by The Canadian Press was first published Sept. 11, 2024.

Companies in this story: (TSX:DOL)


U.S. regulator fines TD Bank US$28M for faulty consumer reports


TORONTO – The U.S. Consumer Financial Protection Bureau has ordered TD Bank Group to pay US$28 million for repeatedly sharing inaccurate, negative information about its customers to consumer reporting companies.

The agency says TD has to pay US$7.76 million in total to tens of thousands of victims of its illegal actions, along with a US$20 million civil penalty.

It says TD shared information that contained systemic errors about credit card and bank deposit accounts to consumer reporting companies, which can include credit reports as well as screening reports for tenants and employees and other background checks.

CFPB director Rohit Chopra says in a statement that TD threatened the consumer reports of customers with fraudulent information then “barely lifted a finger to fix it,” and that regulators will need to “focus major attention” on TD Bank to change its course.

TD says in a statement it self-identified these issues and proactively worked to improve its practices, and that it is committed to delivering on its responsibilities to its customers.

The bank also faces scrutiny in the U.S. over its anti-money laundering program, which it expects to pay more than US$3 billion in monetary penalties to resolve.

This report by The Canadian Press was first published Sept. 11, 2024.

Companies in this story: (TSX:TD)

The Canadian Press. All rights reserved.
