A ransomware attack on Ultimate Kronos Group has knocked offline the payroll and scheduling systems of thousands of businesses, government agencies, and nonprofits that use the company’s software, including some major Boston-area employers.
From retail chains like Staples and Whole Foods to commuter rail contractor Keolis to the City of Springfield, HR departments were scrambling to find ways to record employees’ hours worked and ensure they got paid. In some cases that meant returning to pen and paper.
Kronos first discovered on Saturday that its computers had been hit by a ransomware attack.
“We are working with leading cyber security experts to assess and resolve the situation, and have notified the authorities,” executive vice president Bob Hughes said in a statement on Monday. “The investigation remains ongoing, as we work to determine the nature and scope of the incident.”
The company said the outage could last several weeks. Backup systems were unavailable due to the “malicious nature” of the attack, though the company had not discovered that the hackers stole any data.
Ransomware attacks sometimes affect only the targeted victim. But in the Kronos attack, thousands of customers that relied on the company’s cloud services have also been hurt, noted Candan Bolukbas, cofounder and chief technology officer of Boston cybersecurity firm Black Kite. “It’s a scary attack — a very difficult situation,” he said.
The City of Springfield had to turn to backup measures for recording employee schedules and hours. Employees will still be paid, the city said in a statement. City officials “will continue to closely monitor this incident and will work diligently to lessen the potential negative impact this situation might have on our city employees.”
Maine-based supermarket chain Hannaford said it’s finding ways to cope with the Kronos outage. “We will be tracking hours worked manually and have implemented other process changes to ensure associates are paid promptly and appropriately,” the company said in an e-mailed statement.
Stop & Shop has also been affected. “We are tracking hours worked manually and executing other procedural changes to ensure Stop & Shop associates are paid promptly and accurately,” said an e-mailed statement by Stop & Shop spokeswoman Jennifer Brogan.
Keolis, which runs the MBTA’s commuter rail service, was working to make sure it could record hours and pay all employees accurately, a spokesman said. “The good news is that there has been no impact on service to customers,” he said.
Ultimate Kronos was formed last year when Lowell-based Kronos, a pioneer in online payroll and scheduling services, merged with its Florida rival, Ultimate Software, in a $22 billion deal.
The attack came just as the company launched a major sales meeting in Las Vegas.
“They are talking about it, pretty much trying to reassure customers that everything is OK,” said one attendee, Albert Pang, president of market research firm Apps Run The World.
Ultimate Kronos’ estimate that fixing the problem could take several weeks illustrates how tough it can be to recover from a ransomware attack.
Even if the company decides to pay the ransom, Allan Liska, an intelligence analyst at Somerville-based cybersecurity firm Recorded Future, said that it can take days to negotiate a settlement with the ransomware thieves and put together the cash. The criminals usually demand payment in a cryptocurrency, such as bitcoin or Ether.
And paying the ransom wouldn’t end Kronos’ travails. Since its network was infiltrated, the company has to assume that the criminals left behind other malware that could cause additional harm. In some ransomware cases, victims paid up and restarted their systems, but found that they were reinfected by further digital booby traps, Liska said.
The only safe course is a complete rebuild of the server network. “Given how bad this attack was, that would be my advice,” Liska said. “You need to wipe and you need to get a clean slate.”
Kronos said it had “no indication” that the ransomware attack was related to a recently discovered vulnerability in the popular Java software included in many web applications. The vulnerability, known as Log4j, has caused widespread concern that hackers could run rampant accessing private information.
Correction: An earlier version of this article stated that Target had been affected by the attack, which is false. The Globe regrets the error.