Ransomware hits HR solutions provider Kronos, locking customers out of vital services

The end of the year chaos caused by the revelation of the Log4Shell vulnerability has, for some organizations, been augmented by a ransomware attack on Ultimate Kronos Group (UKG), one of the biggest HR and workforce management solutions providers in the US.

Many organizations use Kronos for organizing workers’ schedules, tracking vacations, processing payroll and bonuses, etc.

What happened?

“As we previously communicated, late on Saturday, December 11, 2021, we became aware of unusual activity impacting UKG solutions using Kronos Private Cloud. We took immediate action to investigate and mitigate the issue, and have determined that this is a ransomware incident affecting the Kronos Private Cloud—the portion of our business where UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling Solutions are deployed,” the notice sent to impacted customers has revealed.

These solutions are currently unavailable and the company says it may take up to several weeks to restore system availability, so they urge affected customers to “evaluate and implement alternative business continuity protocols.”

The on-premise (self-hosted) installations of the aforementioned solutions are not affected by the attack, and neither are UKG Pro, UKG Ready, UKG Dimensions, or any other UKG products or solutions, because they are not housed in the Kronos Private Cloud.

“We are working with leading cyber security experts to assess and resolve the situation, and have notified the authorities. The investigation remains ongoing, as we work to determine the nature and scope of the incident,” the company added.

It is still unknown whether the attackers were able to steal customer data before encrypting it. Customers are, manifestly, not happy with the lack of information and the situation – they were counting on Kronos to have backups and be able to restore the data and services quickly.

As a side note: the company has also put a prominent notice on the community section of the website saying that they are aware of the recent vulnerability in the log4j library.

“We have preventative controls in our environments to detect and prevent exploitation attempts. We have invoked emergency patching processes to identify and upgrade impacted versions of log4j. We are aware of the widespread usage of log4j in the software industry, and are actively monitoring our software supply chain for any advisories of 3rd party software that may be impacted by this vulnerability,” they noted, but did not say whether the vulnerability has been exploited in the attack.

What now?

“This ransomware attack is a reminder of the challenges your third parties routinely encounter – and when it’s their problem, it’s your problem, even though you are the customer,” says Ben Smith, Field CTO at NetWitness.

“Whether your workforce management solution is hosted in-house, or externally delivered from the cloud, if you have determined that solution is mission-critical for your day-to-day operations, you need to include scenarios just like this ransomware attack as part of your broader business continuity (BC) planning. What’s your backup plan if that platform is suddenly unavailable? Do you have alternate processes in place you can spin up temporarily while your vendor gets back on its feet? Even if this means some possibly painful manual work for you and your team, it’s better to have those processes and procedures ready to go, versus not having that backup plan at all.”

James Shank, Sr. Security Evangelist and Chief Architect, Community Services at Team Cymru, noted that having payroll, time, and attendance interrupted by ransomware during this time of year is terrible.

“The Kronos/UKG ransomware event will add to the end of year stress for many of their clients. Ransomware is about extortion, and in this case, the impact and timing makes this a huge issue for UKG. This could create nightmare time tracking, scheduling, and payroll processing scenarios. It could not come at a worse time of year,” he said, but noted that with the log4j vulnerability impacting many Internet facing systems, Kronos/UKG may be old news soon.

“There are already reports of a variety of actors using the log4j exploit. Microsoft has already seen a common precursor to ransomware, Cobalt Strike, landing on log4j exploited systems. It won’t be long before we hear of ransomware events tied to log4j as the initial vector.”