Christmas pay for police, nurses at risk after Kronos hit by ransomware

Company has 40 million users. "Secure" Private Cloud breached.

This article was updaated December 29, 2021. For further updates from January 2022 we have an article here. Don't forget to follow The Stack on LinkedIn too to stay up-to-speed with our reporting.

One of the world’s biggest workforce management software companies, Kronos, has been hit by ransomware in an attack that has left multiple public and private sector customers reliant on its software reeling.

The hack looks likely to leave thousands, including nurses, without critical paychecks ahead of Christmas.

Multiple Kronos software platforms used by millions have been unavailable since December 11.

Users reliant on Kronos apps to check pay, rotas, or request paid leave are unable to do so.  Confusion, stress and panic appear rife among users unaware of why Kronos applications like its "UKG Workforce Central" (which has over a million downloads on Google Play Store) are simply returning a note saying "unable to contact server".

Enterprise customers include major multinational banks, hotels and more.

Data centres in the US, Frankfurt, and Amsterdam were hit in the attack, the company said.

Kronos hack: Customers urged to activate continuity plans

“It may take up to several weeks to fully restore system availability, customers will likely need to activate their own business continuity plans and use… manual or semi-automated actions and workarounds to ensure employee time is accurately captured, schedules are created, and payrolls can be processed” Kronos said Dec. 19.

It is rolling out a "macro-driven Excel file that presents the punch data and hours" on December 21.

Kronos (now known as “UKG” after a $22 billion merger with Ultimate Software in 2020) has 12,000 employees and revenues of $3 billion annually. Four of its core applications are now unavailable to customers after the "private cloud" IT environment in which they run was breached and then locked with ransomware December 11.

UPDATED December 26 as Kronos said:

  • "We have made significant progress and were able to restore our foundational "core services" layer. We now have access to all back-up data and all production environments.
  • "We have begun to validate the integrity of our customers' production and back-up databases.
  • "We have begun a pilot to test bringing back customer systems. This pilot program will provide visibility to our end-to-end processes and help us identify the potential exceptions that will occur.
  • "As we bring these initial systems back, we will have a better idea as to the pace of the recovery for all other systems. The Kronos Private Cloud houses thousands of customers and each customer's environment needs to be addressed individually. We will not have visibility to the pace of how soon we can bring customers back online until we do the required work during this upcoming week."

Follow The Stack on LinkedIn for more

The company claimed at the time of its merger that “tens of thousands of organizations – including half of the Fortune 1000 – and more than 40 million people in over 100 countries use Kronos every day."

In an updated statement about the Kronos hack on December 19, UKG said: “On December 11, 2021, we became aware of unauthorized activity impacting UKG solutions using Kronos Private Cloud... and have determined that this is a ransomware incident affecting the Kronos Private Cloud -- the environment where some of our UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling Solutions are deployed.”

The company added: “We deeply regret the impact this is having on customers.”

The company has notified the UK's ICO and Commission de la protection des données (APD) in Belgium of a possible data breach. It has yet to explicitly confirm what data if any has been compromised.

A technical whitepaper for the affected Kronos Private Cloud promises "the highest availability of critical IT assets" along with "daily incremental backups of customer applications and data. All database backups are replicated via secure transmissions to a secondary UKG Private Cloud environment in an alternate data center." It's possible that backups were also hit: attackers frequently target them.

Amid discontent at perceived poor comms by the company, one customer noted: "We are blocking/disabling all ADFS and LDAP connections to UKG/Kronos Cloud until they have a better handle on what they have. At this point they are an untrusted entity and will be treated as such. There is no good they can do us at this time."

Kronos ransomware attack: what we know

https://twitter.com/CandidCIO/status/1472674318525947905

Based on our ongoing investigation, this incident appears limited only [sic] to the following hosted solutions in the Kronos Private Cloud” said UKG. The software platforms now unavailable to customers are:

  • UKG Workforce Central -- A workforce hub that the company describes as for employees to "punch in/out for work, check their schedules, time off, benefits, and pay. Managers can take care of exceptions as they come up, ensure staffing and schedules are good to go, take action on time off requests, and other and other key needs."
  • UKG TeleStaff -- An automated staff scheduling solution "designed to manage complex public safety workforce rules" that is widely used by law enforcement, fire services, prison officers and more.
  • Healthcare Extensions -- A similar platform but for medical staff
  • UKG Scheduling/Workforce Management for Banks (formerly called FMSI/Kronos for Banking Solutions) -- Which the company describes as "data-driven branch staff scheduling for banks."

The company added: “At this time, we believe that instances of these solutions deployed in on-premise/self-hosted environments are not affected. We recognize customers often deploy a combination of UKG solutions, such as UKG Dimensions with TeleStaff, etc. It is important to note that, in these deployments, the portion of the solution deployed in Kronos Private Cloud will not be available.”

Among the many people affected were public sector workers for the local authority in Prince George's County -- a county in the US's Maryland  that like many others, now can't access data on who worked where and when.

As reported by NBC Washington: "It's like the Grinch that stole Christmas,” said Jason Carter, a union representative for health department workers. He said union members may not get thousands of dollars in hazard backpay before Christmas, adding: "“What's really sad is it's Christmas and we have... single parents... unfortunately a lot of members that are living paycheck-to-paycheck, and they were counting on this money."

(The Maryland Department of Health (MDH) meanwhile has been unable to fully report Covid-19 data for over two full weeks after a “cyber attack” that bears the hallmarks of another ransomware incident.

“MDH is experiencing a server outage. Hospitalizations data are current. Other surveillance data will be updated as soon as possible. Vaccine data is updated as of 12/19/2021” the MDH said December 19.

The incident appears to have also left third-parties unable to access state benefits data.

A December 16 report from the White House COVID-19 Team, Data Strategy and Execution Workgroup meanwhile notes that “Due to a cyber attack still under investigation, Maryland has not updated cases or deaths data since 12/05/2021” – the incident comes as the state has suffered over 11,000 Covid deaths and is reported to be “experiencing its biggest spike in hospitalizations since April” with over 1,200 hospitalised.)

The Stack understand's UKG's security function to be comparatively mature and well developed, with Ultimate Software even pre-merger having had a ~130-strong team of security professionals and SOCs in US, France and Singapore. The company had noted that it was working on patching Log4j exposure ahead of the attack. It is unclear if the breach was related to the widespread, critical vulnerability in the ubiquitous Java framework.

The company said in its Q&A: "Log4j is a Java-based logging tool that is directly embedded in popular software applications across many industries. As soon as the Log4j vulnerability was recently publicly reported, we initiated rapid patching processes across UKG and our subsidiaries, as well as active monitoring of our software supply chain for any advisories of third-party software that may be impacted by this vulnerability."

It added in an increasingly comprehensive Q&A: "We are currently investigating whether or not there is any relationship between the recent Kronos Private Cloud security incident and the Log4j vulnerability."

See also: 7 free cybersecurity tools IT staff should know