Kronos crippled by ransomware, service may be out for weeks

Human resources platform provider UKG has put out a statement saying it’s fallen prey to ransomware that has disrupted the Kronos Private Cloud. It expects the service to be out for several weeks.

The statement came after the company posted a message on the Kronos community message board, explaining that staff noticed unusual activity impacting UKG solutions using Kronos Private Cloud.

It’s unfortunate timing, given that the outage will likely cause Kronos customers to miss payroll for this week. Of course that’s never welcome, but it’s extra painful now, considering how close Christmas is. Kronos’ work management software is used by dozens of major corporations, local governments, and enterprises.

Kronos Private Cloud

UKG describes Kronos Private Cloud as a secure storage and server facility hosted at third-party data centers. It is used across UKG companies.

Other services impacted by the incident include Healthcare Extensions, UKG TeleStaff, and Banking Scheduling Solutions. The company is not aware of an impact to UKG Pro, UKG Ready, UKG Dimensions, or any other UKG products or solutions, which are housed in separate environments and not in the Kronos Private Cloud.

Under investigation

The company engaged cybersecurity experts to assess and resolve the situation, and has notified the authorities. The investigation remains ongoing as the company works to determine how bad and widespread the incident is. The company would not answer questions about which ransomware group was behind the attack.

UKG has urged customers to evaluate and implement alternative business continuity protocols related to the affected UKG solutions.

Employee data

Given the nature of the company and the fact that there is talk of ransomware, there is fear that private data may have been stolen. Many ransomware families steal confidential information before encrypting the files on the compromised network. They then use these data as extra leverage, threatening to publish the data if the victim refuses to pay the ransom.

UKG states that currently, there is no indication of compromise to employee data, but it is part of the ongoing investigation. Other sources have said that UKG contacted them and other clients to tell them that the ransomware attack may have compromised employee information like names, addresses, social security numbers, and employee IDs.

While it is important to know if your personal details or credentials have been leaked, it is significantly more important to act on it. What do you do now, knowing that your account has been compromised?

This all depends on what has been stolen, but let’s assume the worst and say it is your Social Security Number. A malevolent person who has your Social Security Number can use it to get other personal information about you. A couple of important things to remember:

  • Keep a close eye on your banking and eMoney accounts. Use the activity alerts that some banks offer.
  • Keep tabs on your posts in social media. It may look silly to check what you have supposedly posted yourself, but imagine someone else doing it for you.


UKG has promised to post regular updates on its website. If you are a customer, you can reach out to UKG or have a look at its community message boards. If we find out more about this attack, we will keep you posted here.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher
