Kronos Ransomware Outage Drives Widespread Payroll Chaos

Kronos, the workforce-management provider, said a weeks-long outage of its cloud services is in the offing, just in time to hamstring end-of-year HR activities like bonuses and vacation tracking.

Kronos, the workforce management platform, has been hit with a ransomware attack that it says will leave its cloud-based services unavailable for several weeks – and it’s suggesting that customers seek other ways to get payroll and other HR tasks accomplished.

The outage has left cataclysmic issues for customers in its wake.

Kronos offers a range of solutions for employee scheduling, compensation management, payroll and hours worked, benefits administration, time-off management, talent acquisition, onboarding, and more. It counts some of the largest companies in the world as its customers, such as Tesla and Puma, along with various health, public sector and university customers; organizations like the YMCA; and smaller businesses like restaurants and retailers.

Infosec Insiders Newsletter

In a message to Kronos Private Cloud (KPC) customers late afternoon on Sunday, the company said that several solutions were knocked offline starting Saturday: UKG Workforce Central, UKG TeleStaff, Healthcare Extensions and Banking Scheduling Solutions.

“At this time, we still do not have an estimated restoration time, and it is likely that the issue may require at least several days to resolve,” the company said in the notice – a timeline that it expanded to likely taking several weeks in a Monday update. “We continue to recommend that our impacted customers evaluate alternative plans to process time and attendance data for payroll processing, to manage schedules, and to manage other related operations important to their organization.”

On-premise deployments are not affected, and neither are the UKG Pro, UKG Dimensions or UKG Ready offerings, it added.

“We recognize the importance of these solutions to your organization,” the company said. “We have actively mobilized all resources at our disposal to address this issue.”

Chaos for Customers

Further details over the weekend were not forthcoming, much to the chagrin of customers.

“This tells us nothing,” one comment reads on the notice page. “Is our data still there? What happened? Why the secrecy?”

Nick Tausek, security solutions architect at Swimlane, noted that the initial access vector is also unknown.

“Although Kronos Private Cloud was secured by firewalls, encrypted transmissions and multi-factor authentication, cybercriminals were still able to breach and encrypt its servers,” he said via email. “While it’s unclear exactly how the breach took place, Kronos predicts that their Private Cloud solutions will be unavailable for a number of weeks. This extended shutdown will likely present challenges for many organizations as they seek to roll out bonuses and employees look to request time off ahead of the holidays.”

And indeed, multiple customers left comments that speak to the chaos the outage is creating within their organizations, with some noting that an ongoing, extended disruption of service is unacceptable in their view.

“That simply cannot happen,” wrote Dave from the Tacoma, Wash., Fire Department, expressing disbelief that a company this large doesn’t seem to have contingency plans in place. “We must have access to rosters for today and coming days – now. Any halfway decent IT application hosting company would have disaster recovery plans for any worst-case-scenario. Running fire and police departments, this data can literally be a matter of life and death for the public and for our people. Yes, I am frustrated and angry that we don’t know what is happening.”

Another noted, “We have 50,000 employees and it’s not easy to manage without a timekeeping system. Very disappointed to say the least…This is absurd and we customers should be told what’s happening.”

Yet another: “We need to get this corrected ASAP. We don’t even know who will be working tomorrow and where. Does anyone have a good back up for if this ever happens again?”

And one resorted to dealmaking: “At this point I don’t even care for a task manager, fancy functions, callback list or picklist…Just give me a plain roster view for five days,” the person wrote. “Let me know who’s working and I’ll pick up a phone start crossing out the sick call out and making phone calls to back fill…I believe with this we can manage while you guys figure out the fix…Public safety in many counties and municipals across the U.S. is basically blind right now.”

A Ransomware Incident

Some customers floated the possibility that Kronos’ data centers are compromised by the Log4Shell vulnerability that’s wreaking havoc across the internet, but Bob Hughes, executive vice president at Kronos, clarified in a Monday update that the issue is a “ransomware incident” and that it was still assessing the scope of the damage and what impact the cyberattack had on its systems and data.

“Given that it may take up to several weeks to restore system availability, we strongly recommend that you evaluate and implement alternative business-continuity protocols related to the affected UKG solutions,” he added.

Erich Kron, security awareness advocate at KnowBe4, noted that the timing of this attack, at the close of the year while organizations are managing not only basic payroll, but also bonuses and other annual calculations that need to take place, is no coincidence.

“Ransomware gangs often time attacks to take place when organizations are short-staffed due to holidays, or when they are extremely busy, with the hope that the attack will take longer to spot and response times will be much slower,” he said via email. “In addition, the pressure to service customers during these crucial times can be very high, making it more likely that the victim will pay the ransom in an effort to get operations back up and running quickly.”

Customers again reacted with concern.

“We are blocking/disabling all ADFS and LDAP connections to UKG/Kronos Cloud until they have a better handle on what they have,” said one. “At this point they are an untrusted entity and will be treated as such. There is no good they can do us at this time.”

Several expressed worries as to the safety of their data housed in the Kronos cloud, and at least one customer has questions about the company’s backups.

“Where are the backups, can’t the backups be restored?” the person said. “Are the backups stored in the same ‘cloud/space’ as production, that doesn’t make sense?”

The situation shows that organizations must actively prepare for ransomware, Kron said.

“This attack drives home the need to not only have, but also to practice, disaster-recovery and continuity-of-operations plans that can be enacted quickly and efficiently,” he said. “The more heavily reliant organizations are on technical services, even those in the cloud, the more important it becomes to have a plan to operate without these services, even for a short time.”

He added, “Unfortunately, the Grinch has impacted Christmas for a lot of people using the KPC services. Hopefully, this does not result in a subscription to the ‘Jelly of the Month Club’ in lieu of the annual bonuses.”

There’s a sea of unstructured data on the internet relating to the latest security threats. REGISTER TODAY to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This LIVE, interactive Threatpost Town Hall, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken.

Register NOW for the LIVE event!

Suggested articles