Devastating Kronos ransomware attack leaves companies scrambling to ensure employees are paid

Kronos is a payroll and time-sheet software provider, and a subsidiary of Ultimate Kronos Group. A ransomware attack has forced its systems offline.  

The company has said “While we are working diligently, our Kronos Private Cloud solutions are currently unavailable. Given that it may take up to several weeks to restore system availability, we strongly recommend that you evaluate and implement alternative business continuity protocols related to the affected UKG solutions”. 

Kronos has a widespread customer base, including Tesla Inc., MGM Resorts International, and New York City’s Metropolitan Transportation Authority. The company has not announced which of their clients have been affected and the full extent of the damages from the attack is yet to be determined. 

A statement from UKG has informed customers of the issue and says “We are working with leading cyber security experts to assess and resolve the situation, and have notified the authorities. The investigation remains ongoing, as we work to determine the nature and scope of the incident”.  

No personal data for employees of companies using Kronos will have been gained as the company is only provided with employee numbers and hours worked. However, Kronos customers are left looking for alternative ways to ensure their employees are paid correctly during the festive period. 

Kronos have declined to say if the hack has come as a result of a Log4Shell exploit, but given the services rely heavily on Java, there is a high possibility it has. The Log4Shell vulnerability is trivial to exploit and gives hackers the ability to execute malicious code with elevated system privileges. The vulnerability is currently wreaking havoc on businesses and websites around the globe. 

Whilst Kronos has not acknowledged whether the ransomware attack is related to the Log4Shell vulnerability, a banner notice at the top of each of their updates related to the attack reads: “We are aware of the log4j vulnerability reported as CVE-2021-44228. We have preventative controls in our environment to detect and prevent exploitation attempts. We have invoked emergency patching processes to identify and upgrade impacted versions of log4j. We are aware of the widespread usage of log4j in the software industry and are actively monitoring our software supply chain for any advisories of 3rd party software that may be impacted by this vulnerability”. 

Regardless of the cause, the Kronos ransomware attack has left many companies scrambling to find an alternative payroll solution to ensure employees are paid in time for Christmas.