The company whose software was exploited in the biggest ransomware attack on record said Tuesday that it so far it appears that fewer than 1,500 businesses were compromised. But cybersecurity experts suspected the estimate was low and noted that victims are still being identified.
Miami-based Kaseya said in a prepared statement that it believed only about 800 to 1,500 of the estimated 800,000 to 1 million mostly small businesses — international customers of companies that use its software to manage IT infrastructure - were affected by the attack.
The statement was widely reported after the White House shared it with media outlets.
However, cybersecurity experts said it was too early for Kaseya to know the true impact of Friday’s attack, especially since it was launched by the Russia-linked REvil gang on the eve of the U.S. Fourth of July holiday and many targets may only be discovering it on returning to work Tuesday.
Most of the more than 60 Kaseya customers that company spokeswoman Dana Liedholm said were affected in an email Sunday are managed service providers (MSPs) who have multiple customers downstream.
“Given the relationship between Kaseya and MSPs, it’s not clear how Kaseya would know the number of victims impacted. There is no way the numbers are as low as Kaseya is claiming though,” said Jake Williams, chief technical officer of the cybersecurity firm BreachQuest.
The hacked Kaseya tool, VSA, remotely maintains customer networks, automating security and other software updates. Essentially, a tool designed to protect networks from malware was cleverly used to distribute it.
“It’s too soon to tell, since this entire incident is still under investigation,” said the cybersecurity firm Sophos, which has been tracking the incident closely. It and other cybersecurity outfits questioned whether Kaseya had visibility into crippled managed service providers.
In an interview with The Associated Press on Sunday, Kaseya CEO Fred Voccola estimated the number of victims in “the low thousands.” The German news agency dpa reported earlier Sunday an unnamed German IT services company told authorities several thousand of its customers were compromised. Also among reported victims were two Dutch IT services companies.
A broad array of businesses and public agencies were hit by the latest attack, apparently on all continents, including in financial services, travel and leisure and the public sector — though few large companies, Sophos said.
Ransomware criminals infiltrate networks and sow malware that cripples them by scrambling all their data. Victims get a decoder key when they pay up. Most ransomware victims don’t publicly report attacks or disclose if they’ve paid ransoms.
President Joe Biden said Saturday that he ordered a “deep dive” by U.S. intelligence into the attack and that the U.S. would respond if it determines the Kremlin is involved.