A “colossal and devastating” ransomware attack is thought to have paralysed the networks of at least 200 US companies.
The federal Cybersecurity and Infrastructure Security Agency has said it is closely monitoring the situation and is working with the FBI to collect more information about the impact of the attack.
John Hammond of the security firm Huntress Labs said the REvil gang, a major Russian-speaking ransomware syndicate, appears to be responsible for the attack.
REvil steals data from its targets before activating the ransomware to strengthen its extortion efforts.
Mr Hammond said the criminals targeted a software supplier called Kaseya, using its network management as a way to spread the ransomware through cloud-service providers.
“Kaseya handles large enterprise all the way to small businesses globally, so ultimately, (this) has the potential to spread to any size or scale business,” he said on Twitter.
“This is a colossal and devastating supply chain attack.”
More on Cyberattacks
Air India: At least 4.5 million people’s data exposed following IT system hack
Cyber attack on US government: Biden accused Trump of failing on security
Cyber space will become ‘most contested domain’, warns UK security chief
Coronavirus: Cyber Security Centre handled record number of incidents over past year
Unit 74455: Russian hackers wanted by the FBI
Coronavirus: Criminals exploiting COVID-19 pandemic with email scams
He added he was aware of four companies that host IT infrastructure for multiple customers being hit by the ransomware, which encrypts networks until the victims pay off attackers.
“We currently have three Huntress partners who are impacted with roughly 200 businesses that have been encrypted,” he said.
Experts believe the attack was deliberately timed to coincide with the 4 July holiday weekend, when less IT staff are traditionally on duty.
Such cyberattacks typically infiltrate widely-used software and spread malware as it updates automatically.
It is not yet clear how many Kaseya customers might be affected or who they might be.
Kaseya said the attack was limited to a “small number” of its customers and had urged them to immediately shut down servers running the affected software.
Privately-run Kaseya says it is based in Dublin and has its US headquarters in Miami.