Kronos Ransomware Update 2022

Kronos Ransomware Update 2022

Today, there is an update to the Kronos Ransomware attack. Now, if you remember, Kronos was hit with a ransomware attack, and unfortunately, they've been down ever since, and they're still not back up yet. This is going to be an update as to why that is and what is going on and what this could mean for Kronos and the hundreds of thousands of... or hundreds. Maybe, say thousands of businesses. Thousands of businesses that use their services, so let's get into it.

"Hackers disrupt payroll for thousands of employers, including hospitals" which was taking from an article on This article is just a couple days old and I was written on the 15th. Today's the 17th of January 2022.  Going into the article, it reads that "A month old ransom attack is still causing administrative chaos for millions of people, including 20,000 public transit workers in the New York City Metro area. Public service workers in Cleveland, employees of FedEx and Whole Foods, medical workers across the country who were already dealing with Omicron surge that has filled hospitals and exacerbated worker shortages. In the weeks since the attack knocked out Kronos' private cloud, a service that includes some of the nation's most popular workforce management software, employees from Montana to Florida have reported paychecks short by hundreds or thousands of dollars. Their employers have struggled to manage schedules and track hours without the help of the Kronos software."

So, this is a supply chain type of attack that affected many, many types of business. We saw two in December, January with Kronos and another company called Schedulefly that did this with restaurants. They provided scheduling and basically employee management for restaurants and it takes these businesses out. It makes it really hard for these businesses that rely on these cloud services to operate. Also, this is exactly why cyber security experts discuss this too sure that when you move to the cloud, that you have a backup and you have a way to operate should these services go away or should your internet access go away and you can't access these services. Because what's one required thing to work with the cloud and things in the cloud? The internet, you have to have it.

It becomes pretty critical when you make these decisions to move this stuff into the internet or into the cloud. Meanwhile, the other interesting thing that this article points out is that, "The additional burden won't end once Kronos is back. Finance and human resources departments around the country face weeks of additional work, bringing the manual records they've collected over a month or more back into the Kronos system." So if you remember Kronos said to their customers go seek alternatives. Now, a lot of people took that to meant go find another payroll provider, which I'm sure a lot of people have at this point. But it really meant go to paper. Go to paper, write paper checks, record things manually until we get the systems back up and running.

Now, many cybersecurity experts didn’t think that Kronos knew that these systems would take this long to get back up and running. So now all these companies are going to have to spend tons of... Put a lot of effort into getting this stuff back up. This is nothing new. This is normal stuff that many experts see in incident response that you should be covering in your incident response planning. Had they done proper incident response planning, they would've identified these things and they would've recognized. This is both Kronos and Kronos' customers. Xact IT thinks Kronos is giving really bad advice here and this is a concern within their response. It doesn't look like a very well thought out incident response plan which seems like what is happening here.

Another interesting part of this is, is that, "Thousands of employers that rely on Kronos that were knocked offline, including some of the nation's largest private employers, FedEx Pepsi, Whole Foods," blah, blah, blah. "About 8 million total employees are affected by the outage." They are ramping up to sue this company. Lawsuits are coming and the idea here is, is that people are going to get sued. People are going to lose jobs. Heads are going to roll when things like this go down and unfortunately these guys are going to really, really have to deal with a lot of lawsuits.

Not surprised if it goes class action at some point, because people want to get compensated for the amount of effort that they're going to have to dedicate to this cleanup of records that apparently Kronos has aided in creating a huge mess. The other problem is the Kronos attack backup access targeted amid cold storage overhaul vow. Wow.

"The attackers have crippled a widely used application from global HR software company Kronos, disabled the company's ability to communicate with our backup environments. Owners, UKG have confirmed as the company continues to work on restoring customer data after regaining access to its backups." So the bottom line is, is that the data was exfiltrated from this article and then they cut off their access to their backups and they didn't have any cold storage. They didn't have any way to get to it other than through the internet.

So, it could have been that Kronos just had a VPN set up where they had a secure connection to their backups and the cyber criminals were able to find this and then delete the connection and maybe delete the keys. Maybe, another thing that happened is that Kronos didn't have good enough records so they could reestablish that connection or they just disabled something on the environment that made it really difficult for cybercriminals to get into.

At the end of the day, Kronos really didn't do a good job from a disaster recovery planning incident response standpoint, because you have single points of failure, you really want to air gap your backups as much as they can. You don't want to be able to allow people to access them, be able to cut off your access to them. You really want to keep that tight, keep it separate, make sure that people can't access your things from the main network of your company, or if they get on a machine, they shouldn't be able to get to the main network and the backups or get to the configuration or any of this stuff.

Again, poor planning all around by Kronos. Not great news that's coming out. We're learning a lot from this and we're learning how poor cybersecurity is at a very large Fortune 500 company. Business owners, CEOs at big companies or Fortune 500 companies think they’re all good. They think they have the best of the best and cyber experts then go in and they evaluate these companies all the time and see that they aren’t good.

When experts come in and assess these companies, they notice they’re not doing enough. They're not following a framework or they're not following the complete framework and everything that you need to do in order to be cyber resilient and withstand these attacks and these things that cyber criminals are doing. Altogether, many people know little about this Kronos attack, but there's enough things out there in the news where you can go, hmm, that didn't meet the controls of a framework and that didn't meet this and that didn't meet that. By this time, you now have four or five of these things in place, you're just making it easy for the cyber criminals.

They only need just a few, a handful of things to not be in place for them to be able to get as far in your network and deploy ransomware. Cyber experts see it all the time. The cyber experts see things like this that happen where companies just don't do enough and then they end up in the network. Then, few days later, they end up deploying out ransomware.

Just a quick update for the Kronos ransomware attack here in 2022, it's been ongoing for about a month. Clients are still without their HR and payroll management system that they get through Kronos. Who knows when they'll be back up? Also, a lot of companies are getting annoyed and they're getting ready to file lawsuits, which I'm sure will happen because they just have to put in an extraordinary amount of effort on their end to make things right for their business and not tick off employees. Employees want to get paid and they want their paycheck to be right when it shows up in their bank account or gets handed to them.