Kronos Ransomware Attack

Ali Azhar
Last Updated April 25, 2022 8:55 am

On December 11th, 2021, Kronos announced that its application had been attacked by hackers who exploited its security protocols to gain access to the records of thousands of companies that use the application.

What happened in the Kronos attack?

In the Kronos ransomware attack, as in any ransomware attack, the hackers held the victim’s data hostage until the victim paid the demanded ransom.

Kronos (Ultimate Kronos Group or UKG) is a well-known suite of workforce management solutions that are used for various human resources (HR) functions such as monitoring employee attendance and processing payroll. As a cloud-based application, Kronos is used by companies around the globe, with its popularity stemming from its ability to be a scalable, mobile, and secure platform to manage HR functions.

Origins of Kronos ransomware  

The concept of stealing digital data and holding it for ransom is not new. Back in 1989, the PC Cyborg Virus was used as ransomware, forcing victims to pay $189 to a P.O. Box in Panama to restore access to their systems. Ransomware attacks like the Kronos ransomware attack have increased as cryptocurrency has become more commonplace; attackers can easily receive their funds without any trace. As of April 2022, authorities have not been able to determine where the Kronos attack originated or who was behind it.

Impact of the attack

The Kronos ransomware attack in 2021 resulted in several companies being unable to process paychecks or access the attendance records of their employees for several weeks. According to the company, the ransomware attack did not impact the companies that had deployed the software on-premises or that operate a self-hosted environment. 

However, as the platform had over a million users, the attack affected thousands of profiles. It also resulted in several third parties being unable to access data. For example, the White House COVID-19 team was unable to access COVID-19 case and death data from Maryland at a time when the state was going through its biggest spike in hospitalizations. One of the major impacts of the Kronos ransomware attack was significant damage to the credibility of cloud-based solutions, especially with regard to security and privacy.

Targeted Kronos clients 

The clients affected by the attack included multinational banks, hospitals, hotels, and other types of companies. One of the high-profile victims of Kronos ransomware was Puma, which had the information of over 6,000 of its employees compromised as a result of the attack.

It took Kronos several weeks to determine the full impact of the ransomware attack. According to Kronos, the majority of the targets were local governments or public services, including the New York Metropolitan Transit Authority (MTA) and the City of Cleveland, which had a data breach of employee names and last four digits of social security numbers. Other victims included the Board of Water Supply of Hawaii and the Connecticut Department of Administrative Services.

How did the attack work?

Attackers targeted the Kronos Private Cloud (KPC) and stole client data to execute the ransomware attack. The Kronos public cloud hosted the Banking Scheduling Solutions, Healthcare Extensions, UKG Telestaff, and UKG Workforce Central. The stolen data was encrypted, only to be decrypted once ransom payment was made. 

The Kronos ransomware attack forced Kronos into a position where paying the ransom was the cheapest and quickest way to regain access to its stolen data. Kronos has not revealed the details of the attack mechanism at this time. However, ransomware attackers typically use various methods to get past security protocols, such as compromised user credentials or spear phishing emails, to gain access to enterprise software.

How was the attack dealt with?

After the attack, the company was forced to rely on manual and semi-automated systems to deliver some functionality to compromised clients. Some clients had to use their own systems to function: one healthcare client resorted to a “clone pay period,” which paid employees based on the number of hours they worked in the last recorded attendance cycle before the attack compromised the latest attendance records.

Since the attack, the company has not disclosed the nature or amount of the ransom demanded by attackers. According to NBC Boston, Kronos did pay the ransom to get access to their systems. 

Prevention of another Kronos-style attack  

Proper preparation can help minimize the risk and impact of ransomware attacks. Businesses should invest in cyber awareness training and education for all their employees so users can identify potential phishing attempts. User education can be a key defense against ransomware attacks as hackers often rely on users clicking on malicious links to gain access to the enterprise system. 

Using identity and access management (IAM) and other kinds of security software can be extremely useful for companies looking to protect themselves from ransomware and other types of cyberattacks. 

Finally, companies should also perform continuous data backups, so that if a ransomware attack does happen, the impact is minimized. Attackers often look for the latest vulnerabilities in a system, so keeping security protocols patched with the latest updates is vital to the prevention of ransomware attacks.