Kronos ransomware attack: The nightmare that could hit paychecks right before Christmas

By Connie Lin

December 14, 2021

Kronos, a multinational workforce management platform, has been hit by a ransomware attack that the company said could force its system offline for several weeks.

According to parent company Ultimate Kronos Group (UKG), the attack disrupted Kronos Private Cloud solutions, which stores data for UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling Solutions. Workforce Central is the software that employees use to schedule shifts, log absences, and clock in and out of work. UKG said it became aware of the incident after detecting “unusual activity” on Saturday, and began taking steps to “investigate and mitigate” it. It has since enlisted top cybersecurity experts to resolve the situation, but warned that its software could stay down for a while.

Unfortunately, Kronos boasts a ledger of big-name clients including Tesla, MGM Resorts International, Puma, Sainsbury’s, the YMCA, and the city of Denver. The information-tech-focused website ZDNet reported that multiple companies were unable to process payrolls as of Monday, and other sources said the outage could cause them to miss paychecks leading up to their holiday breaks.

New York’s Metropolitan Transportation Authority, another Kronos client, also revealed Monday that its payroll and shift-keeping systems were inaccessible. Clients were encouraged by Kronos to “implement alternative business continuity protocols” in the meantime. However, those clients also include some small businesses without contingencies in place, which are ill-equipped to rustle up a contract on such short notice.

But if that wasn’t bad enough, the attack may also have compromised personal information. The city of Cleveland, yet another Kronos client, told local news station WKYC that it received an alert from UKG that some employees’ names, addresses, and last four Social Security digits could have been stolen. UKG said its investigation is still ongoing.

The cloud provider has not said which ransomware group was behind the attack, but some analysts speculate it’s linked to the Log4Shell flaw, which was discovered last week being exploited on Minecraft servers and is already being described as one of the most serious threats ever seen. Found within Log4J, an open-source Java-based logging framework, it’s a zero-day vulnerability—meaning it was disclosed before a patch was available—that lets malicious actors, even those with low skill sets, run virtually any code on affected systems. Most troubling, Log4J is ubiquitous, used by massive internet companies like Amazon, Cloudflare, Steam, Twitter, and Baidu. Hopefully, they’re all hustling to engineer fixes before it’s too late.

If not, the consequences could be dire. In 2017, a similar vulnerability was exploited to breach consumer credit agency Equifax, compromising data from more than 100 million customers. Equifax has since been ordered to pay $77.5 million to those affected in a class action lawsuit.
