
What was the Kronos ransomware attack, and how did it happen?

Kronos, a workforce management company used by over 40 million people, suffered a ransomware attack in late 2021 when the Kronos Private Cloud was compromised. This affected thousands of employees and prompted many companies to look for alternative workforce management cloud providers. Years later, Kronos still hasn’t recovered. Read on to learn what this attack was, how it occurred, and how to protect your business.

What was the Kronos workforce ransomware attack?

The Kronos cyberattack was a high-profile ransomware attack that affected the Kronos Private Cloud in December 2021.

As part of Ultimate Kronos Group (UKG), Kronos Private Cloud is a feature of the company’s workforce and human resources management software. Large companies like MGM Resorts, Samsung, PepsiCo, Whole Foods, Gap, and Tesla utilized the software when the breach occurred. The attack also affected some government entities like the New York Metropolitan Transit Authority and the cities of Springfield, Massachusetts, and Cleveland.

The Kronos data breach affected more than 8,000 institutions, including numerous hospitals. It prevented businesses from using their payroll systems and accessing employee attendance records.

The hackers used ransomware to target the Kronos Private Cloud. Their goal was to steal client data and get a payout from UKG in exchange for returning it, a demand the company complied with.

The Kronos ransomware attack of 2021 could well be linked to the earlier Kronos banking trojan. Initially reported in 2014, this banking malware would steal login credentials by targeting browser sessions using a combination of:

  • Web injection: Changing the user’s web page content.
  • Keylogging: Logging and sending a keyboard’s input signals to a malicious actor without the user’s knowledge.

How does the Kronos ransomware work?

UKG never revealed the attack mechanism used in the breach, so we don’t really know how it worked.

In most cases, ransomware attackers use spear phishing emails to trick employees into installing information-stealing malware. This allows hackers to gain access to user credentials and to steal sensitive data.

So, it’s likely that the hackers used phishing or other means to compromise user credentials and steal sensitive data from UKG. Then, they encrypted the data and asked for a ransom, which is the purpose of most ransomware attacks. The encrypted data couldn’t be cracked without the right tools, which were only available to the hackers.

Only after the company made the required payment did the hackers decrypt the data. UKG managed to regain access to all the affected data but didn’t disclose how much it had to pay.

Some sources note the attack may have stemmed from the Log4Shell zero-day vulnerability. This vulnerability in Log4j, a Java logging framework, has existed since 2013, but experts only discovered it in November 2021. They resolved the issue in early December of the same year, a few days before Kronos reported the breach. Meanwhile, UKG stated that there’s no evidence to support these claims.

There was never a proper Kronos ransomware attack update beyond the class action lawsuit that followed. Many healthcare providers experienced problems with workforce management for months. Therefore, they decided to take legal action against UKG. The owner of the Kronos Private Cloud eventually agreed to pay a $6 million settlement.

How the Kronos ransomware attack happened

UKG hasn’t been very forthcoming with the Kronos ransomware attack details. In this respect, it is similar to what most other companies have done before and after a breach.

Everything started on December 11, 2021, when UKG released a statement saying that it “recently became aware of a ransomware incident that has disrupted the Kronos Private Cloud.”

The Kronos Private Cloud housed solutions for UKG’s clients, and the Kronos security breach exposed over 2,000 businesses. UKG started working on restoring its services and assisting its clients in handling the issue.

The affected customers were in distress because they couldn’t process payroll or organize employee timesheet data. The Kronos outage became an even bigger problem with the holiday season fast approaching, since many employees were due for holiday pay and bonuses.

Most of the affected businesses had to rely on manual solutions to pay out salaries. Once the services came back online, they also had to enter that data into the system and reconcile records.

The Kronos hack forced businesses to spend a lot of time and money to solve these problems. The attack hurt these organizations, the UKG workforce and company, and most of all, the employees in affected companies using UKG’s services.

All of this goes to show how ransomware and other cybersecurity attacks can lead to third-party risks. In other words, your company or any other business may suffer the same fate, even if your company’s cybersecurity seems top-notch.

How to prevent a Kronos-style ransomware attack

This particular ransomware attack may have targeted the Ultimate Kronos Group, but a similar one could happen to any other business, including yours.

Besides maintaining good online habits, you also need to:

  • Prepare an incident response plan. The plan needs to specify the steps your company will take in the case of a cybersecurity incident. It should outline the protocols you need to respect, like informing your managed service provider or IT security team of the breach. You should also check that your vendors have one as well, to mitigate third-party risk.
  • Invest in employee training on cybersecurity and cyber awareness. Proper employee education can help prevent ransomware and many other cyber attacks. Employees should learn to recognize phishing attempts and take appropriate precautions.

Protect yourself from third-party risks

Prevention is crucial, but you need to take extra third-party risk management steps to protect your business:

  • Assess risks from third parties. To avoid being affected by ransomware plaguing your vendor, like the ransomware attack on Kronos, you need to ascertain the possible damage it can cause your business. See which applications are connected to the third party and the damage your critical operations can suffer as a result.
  • Rank third parties based on risk. It’s vital to categorize vendors based on their importance to your business. Make sure to understand the implications of a breach.
  • Analyze the third-party protection level. Try to determine the security protocols each external company keeps and the systems they have in place.
  • Include data breach notification requirements in contracts with vendors. You want the third party to notify you as soon as they suffer a breach, which is why notification timeframes should be documented. Put these terms and conditions in the contracts you sign with your vendors.

To avoid becoming the subject of a breach like the Kronos attack, you should also:

  • Invest in threat protection solutions. Solutions like NordVPN’s Threat Protection defend your devices from various cyber threats by scanning the files you download for malware.
  • Create a strong password. An effective password has always been crucial for online protection. If your systems have proper protection, they’ll be harder to breach by outsiders.
  • Set up multi-factor authentication. MFA is a bonus security step to stay protected from outside malicious actions. It’s an added security layer on top of passwords, making it much harder for attackers to breach your security.