A ransomware attack is disrupting the operations of many large companies, and some employees fear it could affect their last paycheck before the holiday – because their payroll, Kronos, is the one responsible for the ransom. The incident has led to entire cities and states trying to come up with a plan to give their employees paychecks, and could impact HR operations at organizations like the Metro Transit Authority of New York City, Honda, GameStop and more.
A Whole Foods employee said: NBC News that there is “a real fear of our paychecks this Friday”, saying employees had been “using a paper punch sheet to track our hours”.
Kronos Private Cloud is a suite of human resources software managed by a company called Ultimate Kronos Group, or UKG. Initially, Kronos did not disclose how serious the problem could be: The company reported that the hosted versions of Workforce Central, TeleStaff and other services were unavailable, and said it had no estimate when they would be back online. UKG advised its clients to “evaluate alternative plans to process time and attendance data for payroll processing”.
But early the next morning, UKG revealed that the problem went deeper than a service outage: the company said it had fallen victim to a ransomware attack and said “it could take up to several weeks to fully restore system availability.” It also said the backups were “currently unavailable”.
UKG’s client list includes some big names, including Tesla, GameStop, Honda, Sainsbury’s, Puma, the YMCA, MGM Resorts, the City of Denver, and the New York City Metro Transit Authority. Medical facilities are also reportedly affected – Honolulu’s EMS and Board of Water Supply used Kronos, along with San Angelo, Texas Shannon Medical Center and more.
Some companies have promised to get paychecks despite the disruption. According to NBC News, Whole Foods has said it can pay its employees on Friday, and the state of West Virginia has said it has already processed paychecks for December 17 and is coming up with a plan to pay employees by December 31. The city of Cleveland has reportedly said employees will continue to receive their paychecks, although it did say some of them have had their names, addresses and partial Social Security numbers compromised.
However, anonymous sources told ZDNet that some companies will miss the payroll for the week. A post on the Sysadmin subreddit offers some insight into why, as one person describes the massive effort they put into counting employee hours and producing and sending checks without UKG’s services.
UKG has not given any details about the ransom, or talked about who is behind it, according to NBC News. However, not all of its products are necessarily affected – the company claims that the self-hosted versions of the affected applications should continue to work properly, and that it has no evidence that any product outside of Kronos Private Cloud has been affected in any way.
There is speculation that the ransomware attack could be linked to the massive log4j vulnerability recently discovered. But in an update to the site UKG has set up to respond to the incident, the company said there is currently “no indication” that the two events are linked, although it is still investigating.