Kronos Workforce Ransomware Attack

In December of 2021, Kronos was attacked by ransomware.  If you are not familiar with the company, Kronos is one of the largest Human Resources companies in the world, which means they have many, many clients that depend on their services.  One thing they are known for in particular is payroll systems.

As a result of this, many companies were not able to process payroll for their employees, which caused many issues.  Some of the impacted companies were PepsiCo, Whole Foods, and the New York Metropolitan Transit Authority (MTA).

Let’s take a closer look at this ransomware incident and the impact it had.

How Kronos Was Attacked

Kronos operates its software in its own private cloud, which was compromised by ransomware at some point.  It is unknown exactly when or how threat actors got access to Kronos Private Cloud.

Keep in mind that even after an environment is compromised, there is often a period during which threat actors explore it and look for the most sensitive data to use for extortion.

They also learn the systems so that when they do activate the ransomware, it causes the maximum amount of damage possible.

Kronos was not very forthcoming with details about the attack, but the impact was widespread and disrupted payroll for many organizations for weeks.

It may have been related to the Log4j vulnerability.

A ransomware post-mortem often goes one of two ways. Either the organization is very forthcoming and says exactly what happened so it can warn others, or it is very tight-lipped.

This is one of the latter cases where there are not many details available.

How long did Kronos ransomware recovery take?

Kronos was able to recover from the ransomware attack in a matter of weeks; however, a full recovery took much longer. In the meantime, Kronos scrambled to provide solutions to its customers, such as trying to provide paper paychecks.

However, this did not come without cost. Kronos had to pay a ransom in order to get their data back, which is something that many organizations are forced to do when they are attacked by ransomware.

Kronos is an especially interesting case: because so many organizations depended on it to provide services to their end customers, the impact went far beyond wreaking havoc on Kronos’ systems. Because Kronos provides payroll services, many, many people could not be paid during the attack.

Kronos Class Action Lawsuit

In March of 2022, a class action lawsuit was filed against UKG (Ultimate Kronos Group). The lawsuit alleges that the company allowed its customers’ data to be taken and held hostage by hackers, and that it failed to adequately protect its systems from such attacks. The case is still ongoing, but if successful it could set a precedent for companies to take proper security measures in light of cyber threats.

The Full Impact of Cyber Attacks

The Kronos attack really brings many concerns to top of mind.  Think of what Kronos provides – a Workforce Management Service.  In most organizations, this is something that is easily outsourced, since it does not provide a business advantage.  Consuming services like these allows organizations to free up staff and resources to work on their bottom line.

But what if your provider suffers a massive ransomware attack?  This isn’t something that organizations have usually considered, until now.

The full impact of a cyber attack can be far reaching, and it is important for organizations to take steps to protect themselves. This includes having proper security measures in place, such as firewalls, antivirus software, and regular patching. It also means having a plan in place for how to respond if an attack does occur.

But what happens if a third party provider is attacked, and despite your organization’s preparation for ransomware, it is still impacted?

In this case, there isn’t much that can be done. It is important for organizations to consider the attack vectors they have no control over, and decide how to deal with the risk. They may want to question third party providers on how they are preparing for cyber events.

In the case of providers such as Kronos, it is especially important to have mitigation for cyber risk since so many organizations depend on them for critical services. The Kronos attack was widely reported in the news cycles, so it is safe to say that many were aware of it. This also led customers to seek alternatives to Kronos, and allowed competitors to more easily gain a foothold in this space.

The Kronos ransomware attack is just one high profile example of the risks associated with cyber attacks. Organizations should take steps to protect themselves, and also consider the risk of third party providers. It is important to have a plan in place for how to respond if an attack does occur, as well as measures for mitigating the risk of such events.
