Kronos ransomware attack: Systems may be offline for weeks

A ransomware attack on Ultimate Kronos Group may keep its systems offline for weeks. The attack has affected only customers who use the Kronos Private Cloud.

“We took immediate action to investigate and mitigate the issue, have alerted our affected customers and informed the authorities, and are working with leading cybersecurity experts,” a company spokesperson told NPR. “We recognize the seriousness of the issue and have mobilized all available resources to support our customers and are working diligently to restore the affected services.”

Dozens of companies and governmental organizations announced this week that they had been affected by the attack, a number that falls far short of its likely impact, given the widespread use of Kronos. The hack included scheduling products specifically designed for health care systems, financial institutions and public safety workers.

The extent to which the attack affects individual employees depends on how their employers used the software. Employers who use Kronos to clock employees in and out of shifts may ask workers to manually track start and end times, while companies that rely on Kronos to issue paychecks may send out paper checks while the service is down. Employers also may choose to issue generic paychecks that compensate employees for a baseline number of scheduled hours rather than the actual hours worked and later issue corrections as needed.

In statements to employees, several companies said that they believed the most sensitive personal data, including Social Security numbers, had not been breached, but the city of Cleveland warned employees that the last four digits of Social Security numbers could be at risk.

The service could be out for several weeks, according to a blog post by Bob Hughes, the company’s chief customer and strategy officer. Because the fix could take long enough to affect payroll and scheduling operations, the company urged employers to seek “alternative business continuity protocols” while they work on a fix.

As of Tuesday, it was not clear how the attackers were able to knock the software offline. The incident comes on the heels of revelations about a major vulnerability in a piece of software called Log4j that frequently is used with the programming language Java.

“It is likely the attacker had been in Kronos for weeks launching the attack before Log4J was reported,” said Allan Liska, an intelligence analyst at the cybersecurity firm Recorded Future. “That doesn’t mean the two aren’t connected. But the best evidence right now says otherwise.”

Attorneys with Sherman & Howard LLC, offered up five actions employers affected by the outage should take:

1. Direct nonexempt employees to use paper timecards.
2. Reconstruct lost timecards and attendance records from the current pay period.
3. Figure out how to issue paychecks before the upcoming pay day.
4. Address open enrollment.
5. Determine whether employee data was compromised.