[BreachExchange] Payroll giant PrismHR outage likely caused by ransomware attack

Destry Winant destry at riskbasedsecurity.com
Fri Mar 5 11:26:03 EST 2021


https://www.bleepingcomputer.com/news/security/payroll-giant-prismhr-outage-likely-caused-by-ransomware-attack/

Leading payroll company PrismHR is experiencing a massive outage after
a cyberattack this weekend that, based on conversations with
customers, looks like a ransomware attack.

PrismHR is an online payroll, benefits, and human resources platform
used by professional employer organizations (PEOs). PEOs use this
platform to provide payroll, HR, and benefits services to their
clients, commonly small and medium-sized businesses.

PrismHR is a massive business services company servicing over 80,000
organizations with 2 million employees and total annual payrolls of
over $80 billion.

Weekend cyberattack

In numerous conversations with PEOs and their clients today,
BleepingComputer has learned that PrismHR suffered a cyberattack on
Sunday.

PEOs using PrismHR's platform are given a dedicated subdomain on
prismhr.com that hosts their client portal. This attack has caused
PEOs, and their clients, to lose access to PrismHR's customer
portals, which are now displaying the following message:

We're Working on Getting the System Back Online

The system you are attempting to access is currently unavailable.
We're sorry for the inconvenience and appreciate your continued
patience as we work to restore the system to operation as quickly as
possible.

Those PEOs who host the PrismHR software in their own cloud
infrastructure are unaffected.

In email templates provided by PrismHR, PEOs are telling clients that
PrismHR "is currently experiencing an interruption of service
impacting over 200 PEOs across the United States."

The emails say that payroll will not be affected this week and that
they are waiving administrative fees for the current payroll period
due to the outage.

While these emails do not indicate that an attack occurred, clients'
phone conversations with PEOs paint a different picture than a simple
outage.

According to PEO employees and their clients, PrismHR has told them
that they suffered "suspicious activity" over the weekend and
immediately shut down their servers and network to protect the
"integrity of their systems."

BleepingComputer was told that PrismHR is now restoring their systems
from backups located on disaster recovery systems.

PrismHR has told customers that their data was not stolen during the attack.

When BleepingComputer contacted PrismHR with questions regarding this
attack, they confirmed the attack occurred on February 28th, 2021.
However, PrismHR would not share further details other than the
statement below.

"We recently experienced a cyber incident that affected our payroll
and benefits software used by Professional Employer Organizations
(PEOs) throughout the US. We immediately disabled access to the system
to protect customer information and engaged top-tier security experts
to help on this. We are working quickly to restore customer access to
our platform. While we are still looking into this, there is currently
no evidence of unauthorized access or theft of data contained on our
servers." - PrismHR

Likely a ransomware attack

While PrismHR has not specified what kind of cyber incident was
detected, from the details shared with BleepingComputer, this is
likely a ransomware attack.

Most enterprise-targeting ransomware attacks occur over the weekend
while employees are not present, computers are not being used, and
there is less attention paid to the network.

This decrease in monitoring allows threat actors who have been lurking
quietly on the network to begin the process of noisily deploying the
ransomware to encrypt systems.

Unfortunately, before encrypting devices, most ransomware gangs steal
unencrypted data to be used in double-extortion attacks.

If this turns out to be a ransomware attack, the nature of PrismHR's
business could make this disastrous.

Considering that PrismHR handles the payroll, benefits, and human
resources for thousands of organizations, they would also have very
sensitive information stored in their systems.

This data may include social security numbers, payroll, ID cards,
employee benefit information, information for beneficiaries, and a
wide assortment of other sensitive information.

While PrismHR has told clients that there has not been a breach of
data and that payroll is secure, we will not know for sure unless the
ransomware gangs leak the data.

