Number of victims in Kaseya ransomware attack still unclear

Frank Bajak/AP Technology Writer

Updated: Jul 6, 2021 / 10:42 AM CDT

A sign that reads: “Coop Forum supermarket in Vastberga is closed due to IT disturbances, no prognosis as to when we will open again”, on a closed Coop supermarket store in the suburb of Vastberga, Stockholm, Sweden, Saturday July 3, 2021. Cybersecurity teams worked feverishly Sunday July 4, 2021, to stem the impact of the single biggest global ransomware attack on record, with some details emerging about how the Russia-linked gang responsible breached the company whose software was the conduit. The Swedish grocery chain Coop said most of its 800 stores would be closed for a second day Sunday because their cash register software supplier was crippled. (Jonas Ekstromer/TT via AP, File)

(AP) — The company whose software was exploited in the biggest ransomware attack on record said Tuesday that it so far it appears that fewer than 1,500 businesses were compromised. But cybersecurity experts suspected the estimate was low and noted that victims are still being identified.

Miami-based Kaseya said in a prepared statement that it believed only about 800 to 1,500 of the estimated 800,000 to 1,000,000 mostly small business — customers of companies that use it software to manage IT infrastructure – were affected by the attack.

The statement was widely reported after the White House shared it with media outlets.

However, cybersecurity experts said it was too early for Kaseya to know the true impact of Friday’s attack, especially since it was launched by the Russia-linked REvil gang on the eve of the U.S. Fourth of July holiday and many targets may only be discovering it on returning to work Tuesday.

Most of the more than 60 Kaseya customers that company spokeswoman Dana Liedholm said were affected in an email Sunday are managed service providers (MSPs) who have multiple customers downstream.

“Given the relationship between Kaseya and MSPs, it’s not clear how Kaseya would know the number of victims impacted. There is no way the numbers are as low as Kaseya is claiming though,” said Jake Williams, chief technical officer of the cybersecurity firm BreachQuest.

The hacked Kaseya tool, VSA, remotely maintains customer networks, automating security and other software updates. Essentially, a tool designed to protect networks from malware was cleverly used to distribute it.

“It’s too soon to tell, since this entire incident is still under investigation,” said the cybersecurity firm Sophos, which has been tracking the incident closely. It and other cybersecurity outfits questioned whether Kaseya had visibility into crippled managed service providers.

In an interview with The Associated Press on Sunday, Kaseya CEO Fred Voccola estimated the number of victims in “the low thousands.” The German news agency dpa reported earlier Sunday an unnamed German IT services company told authorities several thousand of its customers were compromised. Also among reported victims were two Dutch IT services companies.

A broad array of businesses and public agencies were hit by the latest attack, apparently on all continents, including in financial services, travel and leisure and the public sector — though few large companies, Sophos said.

Ransomware criminals infiltrate networks and sow malware that cripples them by scrambling all their data. Victims get a decoder key when they pay up. Most ransomware victims don’t publicly report attacks or disclose if they’ve paid ransoms.

President Joe Biden said Saturday that he ordered a “deep dive” by U.S. intelligence into the attack and that the U.S. would respond if it determines the Kremlin is involved.