



Recruiting News Network





Crime + Justice

Kronos Under Ransomware Attack: Millions of Paychecks at Risk at Christmastime

RNN News Update

December 15, 2021


Major payroll provider Kronos is reporting that it is being subjected to a ransomware attack. Information from multiple clients may have also been accessed.

Kronos's parent company, UKG, has disclosed that it became aware on December 11 of “unusual activity” affecting its Kronos Private Cloud service and determined it was a ransomware incident. Kronos Private Cloud includes such products as UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling Solutions. The company wrote in a blog post on Sunday that resolving the issue may take several weeks. Kronos so far has not released a restoration time.

Clients include Tesla, MGM Resorts International, U.K. supermarket chain Sainsbury's, the City of Denver, the YMCA, and Puma. In addition, more than 330 K-12 schools and districts and more than 250 higher education institutions use Kronos.

According to ZDNet, cybersecurity experts are reporting multiple messages from companies that could no longer process payroll as of Monday morning due to the outage. Sources said the outage would cause them to miss payroll for this week -- a harrowing idea considering how close Christmas is -- while many are scrambling to find alternative solutions. Many organizations use Kronos to organize timesheets, meaning schedules for the next few weeks will be thrown into disarray by the outage.

The Boston Globe reported that “HR departments were scrambling to find ways to record employees’ hours worked and ensure they got paid. In some cases that meant returning to pen and paper.”

Over the course of Monday and Tuesday, many employers announced to their staffs that they had been affected — such as employees of New York's Metropolitan Transportation Authority, hospital workers in San Angelo, Tex., and public water workers in Honolulu.

The city of Cleveland, which employs thousands of workers, said in a statement Monday that it was among the employers who rely on the hacked software, along with the Oregon Department of Transportation.

And a number of universities, such as the University of Utah, George Washington University and Yeshiva University in New York, also reported being affected.

“This attack drives home the need to not only have, but also to practice, disaster-recovery and continuity-of-operations plans that can be enacted quickly and efficiently,” Erich Kron, a security awareness advocate at KnowBe4, told Threatpost.

This Kronos/Telestaff ransomware attack is having a wide-ranging impact. I’ve received several complaints from several companies that can’t process payroll this morning. https://t.co/ypLWe2737e

— Allan “Ransomware Sommelier🍷” Liska (@uuallan) December 13, 2021

Clients Taking Action

The extent to which the attack affects individual employees depends on how their employers used the software. Employers who use Kronos to clock employees in and out of shifts may have to ask workers to manually track start and end times, while companies that rely on Kronos to issue paychecks may be forced to send out paper checks while the service is down. Employers also may choose to issue generic paychecks that compensate employees for a baseline number of scheduled hours rather than the actual hours worked and later issue corrections as needed.

Employees who use direct deposit may need to inform their banks that they will not be receiving their deposits, as this can affect fees. This may also affect auto-payments that employees have scheduled to be taken out of their bank accounts, as the accounts may not have the funds to make the payments. The ripple effect will need to be managed and addressed by HR departments.

Kronos clients are taking steps to protect their own organizations. “We are blocking/disabling all ADFS and LDAP connections to UKG/Kronos Cloud until they have a better handle on what they have,” said one in response to Hughes’ online post. “At this point, they are an untrusted entity and will be treated as such. There is no good they can do us at this time.”

Another wrote that its company is “reapplying firewall rules to disallow traffic to/from the devices within our own network” and asked other users to weigh in with “other precautionary measures you are taking at your company.”

But some Kronos customers are not pleased with the company’s response. “It is extremely disappointing how this has been handled,” one wrote. “The fact that Kronos’ response to all of us is to implement our organization’s current business continuity plan—yet they don’t have one. Additionally, they are not providing us with any type of solution to install locally so that we can gather our data. I know that we will be unable to wait ‘several weeks’ for a solution for our timekeeping. Why did I renew my support when I am not receiving any?”


Major payroll provider may be offline for weeks

