Skip to main content

This ransomware may have stolen Christmas in cities, states, and companies across the US

This ransomware may have stolen Christmas in cities, states, and companies across the US

/

UKG’s hosted payroll software could take “weeks” to be restored to functionality

Share this story

Illustration by Alex Castro / The Verge

A ransomware attack is disrupting operations at many major companies, and some workers are concerned that it could affect their last paychecks before the holidays — because their payroll provider, Kronos, is the one that’s dealing with the ransom. The incident has left entire cities and states trying to come up with a plan to get paychecks out to their workers, and could affect HR operations at organizations like New York City’s Metro Transit Authority, Honda, GameStop, and more.

One Whole Foods worker told NBC News that there’s “a real fear about our paychecks this upcoming Friday,” saying that employees had been to to use “a paper punch sheet to keep track of our hours.”

Ransomware has disrupted HR operations around the world

Kronos Private Cloud is a suite of human resources software operated by a company called Ultimate Kronos Group, or UKG. Initially, Kronos didn’t reveal how severe the issue might actually be: the company reported that its hosted versions of Workforce Central, TeleStaff, and other services were unavailable, and said that it didn’t have an estimate when they’d be back online. UKG recommended that its customers “evaluate alternative plans to process time and attendance data for payroll processing”.

But early the next morning, UKG revealed that the issue was deeper than a service disruption: the company said it had been the victim of a ransomware attack, saying “it may take up to several weeks to fully restore system availability.” It also said its backups were “currently unavailable.”

UKG’s list of clients includes some huge names including Tesla, GameStop, Honda, Sainsbury’s, Puma, the YMCA, MGM Resorts, the city of Denver, and New York City’s Metro Transit Authority. Medical facilities have also reportedly been affected — Honolulu’s EMS and Board of Water Supply used Kronos, along with San Angelo, Texas’ Shannon Medical Center and more.

Some companies have promised to get paychecks out, despite the disruption. According to NBC News, Whole Foods has said that it’ll be able to pay its employees on Friday, and the state of West Virginia has said that it’d already processed paychecks for December 17th, and is coming up with a plan for paying workers on the 31st. The City of Cleveland has reportedly said that employees will keep getting their paychecks, though it did say that some of them may have had their names, addresses, and partial social security numbers compromised.

Some companies have been able to promise payments, others have not

However, anonymous sources told ZDNet that some companies will be missing payroll for the week. A post on the Sysadmin subreddit offers some insight as to why, as one person describes the Herculean efforts they’re taking to tally up employee hours and produce and mail checks without UKG’s services.

UKG hasn’t given details on the ransom, or talked about who’s behind it, according to NBC News. Not all of its products have necessarily been affected, though — the company claims the self-hosted versions of the affected applications should keep working fine, and that it doesn’t have evidence any product outside Kronos Private Cloud was affected in any way.

There’s been speculation that the ransomware attack could be linked to the massive log4j vulnerability that was recently discovered. But in an update to the site UKG set up to respond to this incident, the company said there’s currently “no indication” that the two events are linked, though it is still investigating.