Kronos Ransomware Attack

On December 11th, 2021, Kronos announced that its application had been attacked by hackers who exploited the security protocols to gain access to the records of thousands of companies that use the Kronos application.

What happened in the Kronos attack?

In the Kronos ransomware attack, as is the case with any ransomware attack, the hackers hold the victim’s data or information as ransom until the victim pays the demanded ransom to the hackers.

Kronos (Ultimate Kronos Group or UKG) is a well-known suite of workforce management solutions that are used for various human resources (HR) functions such as monitoring employee attendance and processing payroll. As a cloud-based application, Kronos is used by companies around the globe, with its popularity stemming from its ability to be a scalable, mobile, and secure platform to manage HR functions.

Origins of Kronos ransomware  

The concept of stealing digital data and holding it as ransom is not new. Back in 1989, the PC Cyborg Virus was used as ransomware, forcing victims to pay $189 to a P.O. Box in Panama to restore access to their systems. Ransomware attacks like the Kronos ransomware attack have seen an increase as cryptocurrency has become more commonplace; attackers can easily receive their funds without any trace. As of April 2022, authorities have not been able to determine where the Kronos attack originated from and who the attackers were behind it.

Impact of the attack

The Kronos ransomware attack in 2021 resulted in several companies being unable to process paychecks or access the attendance records of their employees for several weeks. According to the company, the ransomware attack did not impact the companies that had deployed the software on-premises or that operate a self-hosted environment. 

However, as the platform had over a million users, the attack affected thousands of profiles. It also resulted in several third parties being unable to access data. For example, the White House COVID-19 team was unable to access COVID-19 case and death data from Maryland at a time when the state was going through its biggest spike in hospitalizations. One of the major impacts of the Kronos ransomware attack was that the credibility of cloud-based solutions, especially due to security and privacy concerns, was significantly compromised.

Targeted Kronos clients 

The client base of the attack included multinational banks, hospitals, hotels, and other types of companies. One of the high-profile victims of Kronos ransomware was Puma, which had the information of over 6,000 of its employees compromised as a result of the attack.

It took Kronos several weeks to determine the full impact of the ransomware attack. According to Kronos, the majority of the targets were local governments or public services, including the New York Metropolitan Transit Authority (MTA) and the City of Cleveland, which had a data breach of employee names and last four digits of social security numbers. Other victims included the Board of Water Supply of Hawaii and the Connecticut Department of Administrative Services.

How did the attack work?

Attackers targeted the Kronos Private Cloud (KPC) and stole client data to execute the ransomware attack. The Kronos public cloud hosted the Banking Scheduling Solutions, Healthcare Extensions, UKG Telestaff, and UKG Workforce Central. The stolen data was encrypted, only to be decrypted once ransom payment was made. 

The Kronos ransomware attack forced Kronos into a position where paying the ransom was the cheapest and quickest way to regain access to their stolen data. Kronos has not revealed the specifications of the attack mechanism at this time. However, ransomware attackers typically use various methods to infiltrate security protocols, such as applying compromised user credentials or spear phishing emails to gain access to enterprise software.  

How was the attack dealt with?

After the attack, the company was forced to rely on manual and semi-automated systems to deliver some functionality to compromised clients. Some clients had to use their own systems to function: one healthcare client resorted to a “clone pay period,” which paid employees based on the number of hours they worked in the last recorded attendance cycle before the attack compromised the latest attendance records.

Since the attack, the company has not disclosed the nature or amount of the ransom demanded by attackers. According to NBC Boston, Kronos did pay the ransom to get access to their systems. 

Prevention of another Kronos-style attack  

Proper preparation can help minimize the risk and impact of ransomware attacks. Businesses should invest in cyber awareness training and education for all their employees so users can identify potential phishing attempts. User education can be a key defense against ransomware attacks as hackers often rely on users clicking on malicious links to gain access to the enterprise system. 

Using identity and access management (IAM) and other kinds of security software can be extremely useful for companies looking to protect themselves from ransomware and other types of cyberattacks. 

Finally, companies should also perform continuous data backups, so if any ransomware attack does happen, the impact is minimized. Attackers often look at the latest vulnerabilities in the system, so patching security protocols with the latest updates is vital to the prevention of ransomware attacks.

Ali Azhar
Ali Azhar
Ali is a professional writer with diverse experience in content writing, technical writing, social media posts, SEO/SEM website optimization, and other types of projects. Ali has a background in engineering, allowing him to use his analytical skills and attention to detail for his writing projects.
Get the Free Newsletter
Subscribe to Daily Tech Insider for top news, trends & analysis
This email address is invalid.
Get the Free Newsletter
Subscribe to Daily Tech Insider for top news, trends & analysis
This email address is invalid.

Related Articles

Virtual Private Network (VPN)

A virtual private network (VPN) encrypts a device's Internet access through a secure server. It is most frequently used for remote employees accessing a...

Gantt Chart

A Gantt chart is a type of bar chart that illustrates a project schedule and shows the dependency between tasks and the current schedule...

Input Sanitization

Input sanitization is a cybersecurity measure of checking, cleaning, and filtering data inputs from users, APIs, and web services of any unwanted characters and...

IT Asset Management Software

IT asset management software (ITAM software) is an application for organizing, recording, and tracking all of an organization s hardware and software assets throughout...


ScalaHosting is a leading managed hosting provider that offers secure, scalable, and affordable...


Human resources information system (HRIS) solutions help businesses manage multiple facets of their...

Best Managed Service Providers...

In today's business world, managed services are more critical than ever. They can...