Kaseya gets master decryptor to help customers still suffering from REvil attack

Business

Ars Technica 22 July, 2021 - 03:12pm 10 views

Sign up or login to join the discussions!

Kaseya—the remote management software seller at the center of a ransomware operation that struck as many as 1,500 downstream networks—said it has obtained a decryptor that should successfully restore data encrypted during the Fourth of July weekend attack.

“We obtained the decryptor yesterday from a trusted third party and have been using it successfully on affected customers,” Dana Liedholm, senior VP of corporate marketing, wrote in an email on Thursday morning. “We are providing tech support to use the decryptor. We have a team reaching out to our customers, and I don’t have more detail right now.”

In a private message, threat analyst Brett Callow of security firm Emsisoft said, “We are working with Kaseya to support their customer engagement efforts. We have confirmed the key is effective at unlocking victims and will continue to provide support to Kaseya and its customers.”

REvil had demanded as much as $70 million for a universal decryptor that would restore the data of all organizations compromised in the mass attack. Liedholm declined to say if Kaseya paid any sum in exchange for the decryption tool. Kaseya has since patched the zero-day used in the attack.

For the time being, it’s not publicly known if Kaseya paid the ransom or received it for free from REvil, a law enforcement agency, or a private security company.

In the days following the attack, REvil’s site on the dark web, along with other infrastructure the group uses to provide technical support and process payments, suddenly went offline. The unexplained exit left victims and researchers worried that the data would remain locked up forever, since the only people with the ability to decrypt it had vanished.

REvil is one of several ransomware groups believed to operate out of Russia or another Eastern European country that was formerly part of the Soviet Union. The group’s disappearance came a few days after President Joe Biden warned his Russian counterpart Vladimir Putin that if Russia didn’t rein in those ransomware groups, the US might take unilateral action against them.

Observers have speculated since then that either Putin pressured the group to go quiet or the group, rattled by all the attention it received from the attack, decided to do so on its own.

Some of the companies victimized by the attack include Swedish grocery store chain COOP, Virginia Tech, two Maryland towns, New Zealand schools, and international textile company Miroglio Group.

REvil is also behind a crippling attack on JBS, the world’s biggest producer of meat. The breach caused JBS to temporarily close some plants.

You must login or create an account to comment.

Join the Ars Orbital Transmission mailing list to get weekly updates delivered to your inbox.

Read full article at Ars Technica

Kaseya Gets REvil Ransomware Decryptor Key To Help Victims

CRN 22 July, 2021 - 06:00pm

‘We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor,’ the company posted in an update on its website.

Kaseya is helping nearly 1,500 compromised customers unlock ransomed files after obtaining a universal decryptor key Wednesday, 19 days after the devastating REvil ransomware attack.

“We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor,” the company wrote in an update on its website. “Kaseya is working with Emsisoft to support our customer engagement efforts, and Emsisoft has confirmed the key is effective at unlocking victims.”

The company declined to answer media questions about the identity of the third party, whether a ransom was paid to obtain the key, and whether the decryptor works in all instances. REvil made the largest ransom demand of all-time two days after the attack, offering on July 4 to decrypt all Kaseya ransomware attack victims in exchange for $70 million. REvil’s online presence has since disappeared.

The latest development was first reported on Twitter by NBC News’ Kevin Collier at 11:29 a.m. ET Thursday. Kaseya said it’ll provide updates on its remediation efforts with the decryptor as more details become available.

Organizations have become increasingly willing to fork over ransoms in recent months, with Colonial Pipeline paying Darkside $4.3 million in May with the hope of restoring operations on its 5,500-mile pipeline sooner. And meatpacking giant JBS paid REvil $11 million to shield the company’s meat plants from further disruption and limit the potential impact for restaurants, grocery stores and farmers.

The REvil gang pulled off one of the biggest ransomware heists in years July 2, exploiting a vulnerability in Kaseya’s on-premise VSA remote monitoring and management tool to compromise nearly 60 MSPs and encrypt the data and demand ransom payments from up to 1,500 of their end user customers.

Kaseya said the cybercriminals were able to exploit vulnerabilities in its VSA tool to pass authentication and run arbitrary command execution. This allowed REvil to leverage the VSA product‘s standard functionality and deploy ransomware to customer endpoints.

The cyberattack left more than 36,000 MSPs without access to Kaseya‘s flagship VSA product for nearly 10 days as the company worked on a patch for the on-premises version of VSA and kept the more widely used SaaS version of VSA offline. Third-party engineers and consultants as well as internal IT employees suggested putting additional layers of protection into VSA to defend against unforeseen issues.

“The fact that we had to take down VSA is very disappointing to me personally,” Voccola said in an emotional video posted to Kaseya’s website at 2:45 a.m. ET July 8. “I feel like I let this community down, I let my company down, [and] our company let you down. And that is not going away.”

Former Kaseya software engineering and developers said they warned Kaseya leaders for years of dangerous security flaws in its products, but those concerns were never fully addressed, Bloomberg said July 10. Some employees who flagged Kaseya’s security issues quit over frustration that newer features and products were prioritized over fixing the problems or were fired over inaction, Bloomberg reported.

Some of the largest security problems within Kaseya included outdated code, weak encryption, and passwords in products, as well as the general failure to meet basic cybersecurity requirements including continuous patching of its software and servers, according to Bloomberg, who declined to identify the former employees due to non-disclosure agreements.

A Dutch Institute for Vulnerability Disclosure (DIVD) researcher discovered seven vulnerabilities in Kaseya’s VSA product in early April and notified the company about the flaws less than a week later. Eighty-seven days later, REvil took advantage of a flaw flagged by DIVD that still hadn’t been resolved.

“We were in a coordinated vulnerability disclosure process with the vendor while this happened,” DIVD’s Victor Gevers wrote on Twitter. “The CVEs [descriptions of the vulnerabilities] were ready to be published; the patches were made and prepared for distribution; and we mapped all online instances to help speed up the process.”

Biden To Putin: ‘Take Action To Disrupt Ransomware Groups’

Kaseya VSA Down Until Sunday; CEO Fred Voccola Apologizes To MSPs

Kaseya Was Warned In April Of Vulnerability Exploited By REvil Gang

Kaseya MSPs: ‘We Want To Get Out Of This Mess’

Kaseya VSA SaaS Coming Back Tuesday, On-Prem Wednesday

Kaseya Gets Tool to Unlock Data After Ransomware Attack

The Wall Street Journal 22 July, 2021 - 04:50pm

Miami-based Kaseya Ltd. on Thursday said it received a universal decryptor that would help restore all the computer systems affected by the July 2 hack of one of its products, which acted as a springboard for hackers to reach New Zealand schools, a Dutch information-technology company and other organizations. The ransomware group behind the attack initially demanded $70 million for such a tool.

Kaseya spokeswoman Dana Liedholm described the source of the decryptor as a trusted third party, declining to elaborate or comment on whether a ransom was paid.

“We are actively and successfully using the tool to help those customers affected by the ransomware,” Ms. Liedholm added.

Cybersecurity news, analysis and insights from WSJ's global team of reporters and editors.

The attack targeted Kaseya’s virtual system administrator product, which helps clients manage their computer networks. The firm has released a series of updates to the tool over the past 10 days in the hope of mitigating the damage from the hack.

The Biden administration says it is taking an increasingly aggressive approach to ransomware, bolstering cyber standards for federal contractors and disrupting transactions used to launder ransom payments, as well as putting more public pressure on Russia, which it says provides safe harbor to hacking groups. The Kremlin has denied such claims.

Federal Bureau of Investigation Director Christopher Wray told The Wall Street Journal in June that authorities could also help some victims restore their systems without engaging hackers.

“I don’t want to suggest that this is the norm, but there have been instances where we’ve even been able to work with our partners to identify the encryption keys, which then would enable a company to actually unlock their data—even without paying the ransom,” he said.

It is unclear if authorities provided Kaseya with the decryptor Wednesday. Representatives for the FBI and National Security Council didn’t immediately respond to requests for comment.

Coming amid a series of hacks that disrupted U.S. infrastructure, the Kaseya incident represented an escalation in ransomware tactics, cyber experts say. Hackers targeted a technology service provider and distributed ransomware among its customers and their respective clients, indiscriminately hacking the digital supply chain.

The initial breach of Kaseya’s product allowed hackers to reach dozens of customers that used it, including other service providers, company officials said. The attackers subsequently used those access points to enter computer networks of as many as 1,500 total victims, straining cybersecurity specialists who have responded to a surge in ransomware this year.

“For almost three weeks now, managed service providers and small-to-medium [sized] businesses have been working overtime to recover and restore systems,” said John Hammond, senior security researcher at cyber firm Huntress Labs Inc., which has been investigating the attack.

Kaseya got hold of the decryptor more than a week after a prolific criminal group suspected of the hack, known as REvil, went dark. The disappearance puzzled cybersecurity experts and left victims who had been negotiating with the group—not limited to Kaseya-related victims—in a lurch.

Ransom negotiators from the cyber firm GroupSense had been in talks with REvil on behalf of a hacked law firm on July 13 when they noticed its infrastructure to be unresponsive, Chief Executive Kurtis Minder said. REvil’s sites to chat with victims and “Happy Blog,” where it publicized stolen data, were down, he said.

The law firm, which wasn’t a Kaseya-related victim and which Mr. Minder declined to name, had hoped to pay REvil for a decryption key in lieu of proper backups of its data, he said. Mr. Minder and other cyber specialists working with such victims are now left wondering if the decryption key obtained by Kaseya will also work for them.

Decryptors don’t necessarily restore companies’ data as fast or comprehensively as victims would like, cyber experts say. But the Kaseya tool could help other companies that have been affected by REvil attacks, said Mike Hamilton, chief information security officer at Critical Insight Inc., a firm that is working with the gang’s victims.

“If the key is indeed universal,” he said Thursday, “we’d sure like a copy.”

—James Rundle and Dustin Volz contributed to this article.

Write to David Uberti at david.uberti@wsj.com

Copyright ©2021 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8

Copyright © 2021 Dow Jones & Company, Inc. All Rights Reserved

The Kaseya Ransomware Nightmare Is Almost Over

WIRED 22 July, 2021 - 03:28pm

Nearly three weeks ago, a ransomware attack against a little-known IT software company called Kaseya spiraled into a full-on epidemic, with hackers seizing the computers of as many as 1,500 businesses, including a major Swedish grocery chain. Last week, the notorious group behind the hack disappeared from the internet, leaving victims with no way to pay up and free their systems. But now the situation seems close to finally being resolved, thanks to the surprise appearance on Thursday of a universal decryption tool.

The July 2 hack was about as bad as it gets. Kaseya provides IT management software that’s popular among so-called managed service providers (MSPs), which are companies that offer IT infrastructure to companies that would rather not deal with it themselves. By exploiting a bug in MSP-focused software called Virtual System Administrator, the ransomware group REvil was able to infect not just those targets but their customers as well, resulting in a wave of devastation.

In the intervening weeks, victims had effectively two choices: pay the ransom to recover their systems or rebuild what was lost through backups. For many individual businesses, REvil set the ransom at roughly $45,000. It attempted to shake down MSPs for as much as $5 million. It also originally set the price of a universal decryptor at $70 million. The group would later come down to $50 million before vanishing, likely in a bid to lay low during a high-tension moment. When they disappeared, they took their payment portal with them. Victims were left stranded, unable to pay even if they wanted to.

Kaseya spokesperson Dana Liedholm confirmed to WIRED that the company obtained a universal decryptor from a “trusted third party,” but she did not elaborate on who provided it. “We have a team actively working with our customers who were affected, and will share more about how we will further make the tool available as those details become available,” Liedholm said in an emailed statement, adding that outreach to victims had already begun, with the help of antivirus firm Emsisoft.

“We are working with Kaseya to support their customer engagement efforts,” said Emsisoft threat analyst Brett Callow in a statement. “We have confirmed the key is effective at unlocking victims and will continue to provide support to Kaseya and its customers."

The security firm Mandiant has been working with Kaseya on remediation more broadly, but a Mandiant spokeserson referred WIRED back to Liedholm when asked for additional clarity on who provided the decryption key and how many victims still required it.

The ability to free up every device that remains encrypted is undeniably good news. But the number of victims left to help at this point may be a relatively small chunk of the initial wave. “The decryption key is probably helpful to some clients, but it's likely too little too late,” says Jake Williams, CTO of security firm BreachQuest, which has multiple clients who were hit in the REvil campaign. That’s because anyone who could reconstitute their data, through backups, payment, or otherwise, likely would have done so by now. “The cases where it's likely to help the most are those where there's some unique data on an encrypted system that simply can't be meaningfully reconstituted in any way,” Williams says. “In those cases, we recommended those orgs immediately pay for decryption keys if the data was critical.”

Many of the REvil victims were small and midsize businesses; as MSP customers, they’re definitionally the types who prefer to outsource their IT needs—which in turn means they may be less likely to have reliable backups readily available. Still, there are other ways to rebuild data, even if it means asking clients and vendors to send whatever they’ve got and start over from scratch. “It's unlikely anyone was holding out hope for a key,” Williams says.

For whatever stragglers do remain, today’s news may herald the end of a weeks-long ordeal. However, it doesn’t ease broader concerns about ransomware threats or what the Kaseya campaign represented. Groups like Darkside and REvil and their affiliates—who give the main operators a cut of the proceeds in exchange for access to the malware—have become increasingly emboldened in recent months in both the breadth and depth of their attacks. Before Kaseya, REvil shut down the food supply giant JBS. And before JBS, Darkside disrupted Colonial Pipeline, cutting off a large portion of the East Coast’s fuel supply.

Like REvil, Darkside vanished in the face of mounting legal and political pressure. But the people responsible for those attacks haven’t been identified or indicted, much less arrested. Security researchers broadly agree that it’s only a matter of time before they reemerge, likely under a different name but with the same cutthroat tactics. The latest ransomware scare appears to be resolved. The next one may already be underway.

Ransomware victim Kaseya gets master key to unlock networks

Associated Press 22 July, 2021 - 02:01pm

BOSTON (AP) — The Florida company whose software was exploited in the devastating Fourth of July weekend ransomware attack, Kaseya, has received a universal key that will decrypt all of the more than 1,000 businesses and public organizations crippled in the global incident.

Ransomware analysts offered multiple possible explanations for why the master key, which can unlock the scrambled data of all the attack’s victims, has now appeared. They include: Kaseya paid; a government paid; a number of victims pooled funds; the Kremlin seized the key from the criminals and handed it over through intermediaries — or perhaps the attack’s principle protagonist didn’t get paid by the gang whose ransomware was used.

The Russia-linked criminal syndicate that supplied the malware, REvil, disappeared from the internet on July 13. That likely deprived whoever carried out the attack with income because such affiliates split ransoms with the syndicates that lease them the ransomware. In the Kaseya attack, the syndicate was believed overwhelmed by more ransom negotiations than it could manage, and decided to ask $50 million to $70 million for a master key that would unlock all infections.

By now, many victims will have rebuilt their networks or restored them from backups.

It’s a mixed bag, Liedholm said, because some “have been in complete lockdown.” She had no estimate of the cost of the damage and would not comment on whether any lawsuits may have been filed against Kaseya. It is not clear how many victims may have paid ransoms before REvil went dark.

The so-called supply-chain attack of Kaseya was the worst ransomware attack to date because it spread through software that companies known as managed service providers use to administer multiple customer networks, delivering software updates and security patches.

President Joe Biden called his Russian counterpart, Vladimir Putin, afterward to press him to stop providing safe haven for cybercriminals whose costly attacks the U.S. government deems a national security threat. He has threatened to make Russia pay a price for failing to crack down. but has not specified what measure the U.S. may take.

If the universal decryptor for the Kaseya attack was turned over without payment, it would not be the first time ransomware criminals have done that. It happened after the Conti gang hobbled Ireland’s national healthcare service in May and the Russian Embassy in Dublin offered “to help with the investigation.”

Kaseya obtains decryption key for victims of massive ransomware attack - CyberScoop

CyberScoop 22 July, 2021 - 12:37pm

Roughly three weeks after Russia-based ransomware group REvil attacked Kaseya, the Florida-based IT firm has obtained a working decryption key to unlock encrypted files belonging to hundreds of victims, a spokesperson confirmed to CyberScoop on Thursday.

Dana Liedholm, the company’s senior vice president of marketing, declined to comment on the source of the key, other than to say it came from a “trusted third party.” She also declined to comment when asked if the company had paid to obtain the key, or and on long it would take to remediate all the clients that had been impacted by the attack.

Security firm Emisoft confirmed in a blog post that the decryptor works and it has been working with customers to restore their files.

The news of the decryption tool was first reported by NBC’s Kevin Collier.

Kaseya has estimated the number of affected companies at somewhere between 800 and 1,500. Private cybersecurity firms have suggested a higher figure, as Huntress Labs estimated the number of victims at closer to 2,000. Sophos Labs identified 145 victims in the United States, including local and state agencies, governments, and small and medium-sized businesses.

Hackers exploited a Kaseya platform that’s used by managed service providers, or companies that provide third-party IT service to other organizations. Because these companies have administration privileges with their clients, the number of victims quickly spiraled beyond Kaseya and its direct customers.

Among the victims are New Zealand schools, international textile company Miroglio Group, Swedish grocery store chain COOP, and two Maryland towns.

The tool may come too late to help some victims, however.

“For almost three weeks now, managed service providers and small to medium businesses have been working overtime to recover and restore systems. After recovery efforts, a universal decryption key would have helped retrieve data that wasn’t restored correctly,” John Hammond, a senior security researcher at Huntress wrote to CyberScoop in an email. “With the weeks that have gone past since the beginning of this incident, perhaps this universal decryptor is just too little too late.”

Huntress was one of the first firms to identify the attack.

The attack, which occurred just before the Fourth of July weekend, roiled tensions between Washington and Russia, which is suspected of harboring cybercriminals. Russia has denied any involvement in the incident.

The White House has not formally pinned the attack on REvil, the same group behind a May breach at international meat supplier JBS.

Shortly after demanding a $70 million dollar ransom from Kaseya, the group’s online presence went dark. Both the United States and Russia deny any knowledge of why the group went offline.

Kaseya on Monday released a series of patches to fix the vulnerability that hackers had used to exploit its software.

Updated 7/22: This post was updated to include additional information.

Company hit by massive ransomware attack obtains key to unlock customer files

The Washington Post 22 July, 2021 - 11:59am

Kaseya, an information technology company, said it got the universal decryptor key from a “trusted third party” and has validated that it works. Spokeswoman Dana Liedholm said Kaseya received the key Wednesday and has been working with customers to roll it out.

The hacking group behind the attack, called REvil, originally demanded $70 million to provide a universal decryptor key. But then the group disappeared online, leaving companies that may have wanted to pay a ransom high and dry.

Kaseya provides a software that allows companies to manage their computer systems, and it supplies that to managed service providers that in turn service tens of thousands of companies. The affected software spread to between 800 and 1,500 companies, Kaseya estimated. Those companies were then unable to access their files. Instead, they were prompted to pay a ransom to get a decryptor key that would return control to them. The ransom demands ranged from $45,000 for smaller companies up to $5 million for larger ones.

The attack hit a small town in Maryland, where staffers were unable to use their computers or send out utility bills, and a large grocery store chain in Sweden, which had to temporarily close its hundreds of locations.

The ransomware attack was the latest in a string of high-profile attacks stemming mainly from organized groups of hackers based in Eastern Europe. The frequency and severity of such attacks have increased in the past two years, especially as hackers band together to make the attacks more lucrative.

Hackers made their way into Kaseya’s software by discovering a vulnerability in the company’s software and using that to get into their system. But most ransomware attacks use relatively unsophisticated methods to break into computers, such as sending phishing emails that trick employees into opening an attachment or clicking on a link that downloads malicious software, which goes on to encrypt files and bar access to the whole network.

Some experts conservatively estimate that hackers received $412 million in ransom payments just last year.

A high-profile attack against Colonial Pipeline in May caused panicked fuel-buying and long lines at gas stations. Another attack, against meat supplier JBS, temporarily shut down meat plants across the United States. The company eventually paid hackers $11 million to restore its systems.

Kaseya, the tech firm hit by ransomware, gets the key to unlock its customers’ data.

The New York Times 22 July, 2021 - 06:59am

As of

Data delayed at least 15 minutes

The mystery is how the company obtained the key. Kaseya said only that it had obtained the key from a “third party” on Wednesday and that it was “effective at unlocking victims.”

The development is among the latest mysteries surrounding the Kaseya attack, in which a Russia-based ransomware group called REvil, short for Ransomware Evil, breached Kaseya and used it as a conduit to extort hundreds of Kaseya customers, including grocery and pharmacy chains in Sweden and two towns in Maryland, Leonardtown and North Beach.

The attack set off emergency meetings at the White House and prompted President Biden to call President Vladimir Putin of Russia and demand that he address the ransomware attacks stemming from inside his borders.

Within days of the call, REvil went dark. Gone was REvil’s “Happy Blog,” where it published emails and files stolen from REvil’s ransomware victims. Gone was its payment platform. Its most notorious members suddenly disappeared from cybercrime forums.

It is unclear whether REvil took itself offline on its own volition or at the command of the Kremlin, or whether the Pentagon’s hackers at Cyber Command had played any role. But it was a loss for Kaseya’s victims, who were still in the process of negotiating to get data back when their extortionists suddenly vanished.

Kaseya’s announcement that it had recovered the key was a welcome twist. Often when ransomware groups do turn over decryption tools to victims who have met their extortion demands, the tools are slow or ineffective. But in this case, Brett Callow, a threat researcher at EmsiSoft, a security firm that is working with Kaseya, confirmed the decryptor was “effective.”

Ms. Sonmez, who has covered breaking political news at The Post since 2018, said in the lawsuit that she had been subjected to a hostile work environment after her editors put in place two bans over nearly two years that prevented her from excelling at her job.

The lawsuit was filed in the Superior Court of the District of Columbia on Wednesday. Among the defendants is The Post’s former executive editor, Martin Baron, who retired in February. The suit also names as defendants five current high-level editors, Cameron Barr, Tracy Grant, Steve Ginsberg, Lori Montgomery and Peter Wallsten.

Ms. Sonmez said in the lawsuit that after she publicly stated in 2018 that she had been assaulted by a fellow journalist while living in Beijing, The Post had barred her from covering Christine Blasey Ford’s sexual misconduct allegations against Brett Kavanaugh. (The accused journalist, who worked for The Los Angeles Times at the time, has denied the allegations.)

After an article in Reason magazine on allegations against the journalist came out a year later, Ms. Sonmez said she was again subjected to a coverage ban by The Post. She added that she was “disciplined” by her editors at The Post for publicly requesting a correction to the article.

In January 2020, Ms. Sonmez was suspended by The Post after she tweeted a link to a news article detailing sexual assault allegations against the basketball star Kobe Bryant shortly after his death. She alleges in the lawsuit that The Post did not provide security for her after she was inundated afterward with rape and death threats. That suspension was later overturned.

The second coverage ban against Ms. Sonmez was lifted after she publicly pleaded with her editors to do so, according to the lawsuit.

The lawsuit said that, because of the coverage bans, Ms. Sonmez “was denied the opportunity to cover many stories that were newsworthy and received widespread attention that would have led to further exposure and career advancement.” She also suffered “economic loss, humiliation, embarrassment, mental and emotional distress, and the deprivation of her rights to equal employment opportunities,” according to the suit.

A spokeswoman for The Post declined to comment. Mr. Baron did not immediately respond to a request for comment.

Ms. Sonmez has demanded a jury trial. She is asking for $2 million in damages, or an amount “to be determined by the jury.”

G.M. has been weathering the shortage better than its rival Ford Motor, which this month is idling several North American plants that make trucks and sport utility vehicles.

In a statement, G.M. said its truck plants in Fort Wayne, Ind., and Silao, Mexico, will shut down next week because of the shortage of semiconductors, which serve as the computer brains in a wide variety of electronic components.

A plant in Flint, Mich., will go from three shifts of production per day to one shift, G.M. said.

“The global semiconductor shortage remains complex and very fluid,” the company said in a statement, “but G.M.’s global purchasing and supply chain, engineering and manufacturing teams continue to find creative solutions and make strides working with the supply base to minimize the impact to our highest-demand and capacity-constrained vehicles.”

The production cutbacks were reported earlier by CNBC.

Both G.M. and Ford have been making trucks and S.U.V.s without some critical components and storing them at plants until the missing parts become available. The technique is known in the auto industry as “building shy.”

G.M. idled some plants in the second quarter but was able to complete and ship some 20,000 vehicles that had been assembled without some components.

Earlier in the year, the automaker predicted that its profit would fall to about $500 million in the second quarter, from more than $3 billion in the first quarter, because of production halts from the chip shortage. But in June it said its financial results in the first half would be “significantly better” than it had forecast.

Carmakers have been expecting the chip shortage to ease in the second half of 2021. Ford reports its second-quarter earnings on Wednesday. G.M. follows with its report on Aug. 4.

Ford has had more serious issues because it has relied on a chip maker that had a fire at a plant in Japan. Both G.M. and Ford have tried to manage the shortage by allocating chips to plants that make their most popular and profitable vehicles and slowing production where slower-selling models are produced.

The shortage is crimping production when demand for new and used vehicles is strong as the economy gains strength and interest rates remain low.

Disruptions to vehicle production have left dealers with tight inventories and forced many consumers to pay close to list prices for new models.

The situation has been a boon for auto retailers. This week, AutoNation, a large dealership chain, reported its fifth record quarter in a row.

HBO and HBO Max, home to genre-bending franchises such as “Game of Thrones” and “The Sopranos” and Hollywood blockbusters like “Wonder Woman 1984,” have added 10.7 million customers in a little over a year, with 2.8 million coming in the three months ending in June, AT&T reported on Thursday. Those figures include both HBO Max and the HBO TV channel.

The company has 67.5 million subscribers to HBO and HBO Max, with 47 million in the United States. AT&T, which has struck a deal to sell its media businesses, expects HBO and HBO Max will have between 70 million and 73 million customers by the end of the year, exceeding earlier predictions.

Netflix, the most popular streaming service, has 209 million subscribers, with about 66 million in the United States. It gained customers in the second quarter, but growth has considerably slowed and it lost 430,000 subscribers across the U.S. and Canada, a sign that cracks are beginning to show in the streamer’s long-held dominance.

Speaking on the broader streaming industry, Jason Kilar, the chief executive of AT&T’s media arm, WarnerMedia, said in an interview: “The only thing I can promise you is change. There is no doubt that change is coming, and that’s appropriate because we live in a dynamic time.”

WarnerMedia, which includes CNN, the Warner Bros. film and television studios and the Turner cable networks, is about to become the property of Discovery Inc., as media companies continue to gobble each other up in an effort to take on Amazon, Apple, Facebook and Google. The deal, which is expected to close around the middle of next year, will create the second-largest media business in the United States, behind The Walt Disney Company and ahead of Netflix and NBCUniversal.

Mr. Kilar, who learned of the acquisition only weeks before it would be announced, could be out of a job after the deal closes.

Both companies are prohibited from working together until the merger is approved by government regulators, including striking any employment agreements. Still, such deals often involve tacit arrangements about leadership. Mr. Kilar said that he had met socially with David Zaslav, the head of Discovery, but that he hadn’t broached the topic of his employment.

“David and I have known each other for a long time,” he said, “and I think it’s fair to say there’s a lot of shared respect between the both of us.”

Mr. Kilar, who took charge of the company only 15 months ago, said he did not have plans to step away.

“There will be a point where I pick my head up next year where I think about this topic,” he continued. “But I certainly don’t intend to do it until 2022.”

Mr. Kilar, who was the founding chief executive of Hulu, is considered within Hollywood to be a bit of an iconoclast. In 2011, he broadsided the industry with a now-famous manifesto on the future of entertainment that, to many, came across as a blistering critique of Hulu’s corporate ownership.

The post panned traditional TV for running far too many commercials. Mr. Kilar also blasted cable, predicting that viewers would eventually drop expensive packages.

After Mr. Kilar joined WarnerMedia, he quickly shuffled the executive ranks and cut costs in an effort to streamline the business.

Then he angered Hollywood (again) by breaking with tradition and releasing the entire 2021 lineup of Warner Bros. films on HBO Max on the same day they were scheduled to appear in theaters. The move would have cost some of Hollywood’s biggest players back-end profits — the commission that top-flight producers and stars earn based on box office receipts — but the company quickly worked out deals to make sure they would be paid.

Unlike Netflix, Disney+ and HBO Max and other new entrants into streaming have legacy agreements with cable distributors and Hollywood studios that prevent a more full-throated approach to making films and TV shows immediately available online.

For Mr. Kilar, the move wasn’t about upsetting Hollywood, but rather was part of a larger strategy to goose HBO Max.

It seems to have worked. The release of made-for-the-big-screen spectacles like “Godzilla vs. Kong” on HBO Max helped to increase the service’s customer rolls.

Mr. Kilar intends to keep up that strategy through 2022. Warner Bros. will release 10 films exclusively for the streaming platform. And big-budget films like “The Batman,” a reimagining of the comic book character starring Robert Pattinson, will have relatively short windows in theaters of 45 days before they show up on HBO Max, according to Mr. Kilar.

“That’s very, very different than the way the world operated in 2019,” he said. “Ultimately, I do think that as long as you’re thoughtful about it, change could be very very good for not only the customers, but also the people we get to work with.”

The social media company is emerging from a period of low ad spending during the pandemic. Twitter has rushed to add new products in recent months to attract more users, focusing on giving people ways to earn money from the platform through paid newsletters, tipping and ticketed live audio events.

“As we enter the second half of 2021, we are shipping more, learning faster, and hiring remarkable talent,” Jack Dorsey, Twitter’s chief executive, said in a statement.

Twitter has recently been under pressure to remove misinformation about coronavirus vaccines. The White House has pushed social media companies to proactively take down vaccine falsehoods and expressed frustration that companies like Twitter and Facebook are not moving faster. On Monday, Twitter temporarily suspended Representative Marjorie Taylor Greene for violating its policies against vaccine misinformation.

The company has also had mixed success with some of its new products. It recently announced it would shut down Fleets, its ephemeral story-like feature that allowed people to share photos for 24 hours, because of low usage.

Even so, Twitter said its daily active users who saw ads on the platform rose to 206 million in the second quarter, up 11 percent from a year earlier.

Twitter is spending more as it works on new products. The company said its expenses increased 21 percent from a year ago to $1.16 billion.

It added that it would spend more than it had previously expected in the second half of the year. Twitter said expenses and its total work force would rise 30 percent this year, a 5 percentage point increase from its previous prediction. In the current quarter, Twitter said it expected a loss of $50 million or that it would break even.

Notes: Child care category excludes time spent watching children while performing other tasks. Because of the coronavirus pandemic, data was not collected for March and April of 2020. Time spent on each activity has been rounded but the percent change from 2019 to 2020 was calculated from raw values.

The pandemic upended every aspect of daily life last year — work, leisure, even sleep. New government data paints the most detailed picture yet of just how fundamental those disruptions were.

Americans spent nearly 10 waking hours a day at home in 2020, compared with less than eight hours a day in 2019. They commuted less (11 minutes a day in 2020 on average, down from 16 minutes a day in 2019), shopped less (17 minutes in 2020, down from 21) and worked out more (22 minutes, up from 19).

And, perhaps unsurprisingly in a year of canceled vacations and government-mandated lockdowns, they spent a lot more time alone — nearly an hour a day more than in 2019. Seniors, in particular, spent more than eight hours a day alone in 2020.

Those numbers are from the American Time Use Survey, which every year asks thousands of people to track, minute by minute, how they spend their day. Normally, the changes are small from one year to the next. Not this time.

Some of the most telling changes are the ones that reflect the unique nature of the pandemic. People spent more time talking on the phone last year, and less time socializing outside their homes. They spent more time taking care of their lawns, and less time taking care of their personal appearance. And, of course, they spent far more time working from home: About 42 percent of employed adults were working at home on a given day in 2020, nearly double the share in 2019.

For some people, the disruptions were far more fundamental. Mass layoffs meant that millions fewer people had jobs in 2020, pushing down the average time spent working by 17 minutes on average. (Among those who kept their jobs, there was little change in the amount of time they worked.)

Parents with school-aged children spent an average of 1.6 hours more a day providing “secondary child care” — time spent taking care of children while also doing other things, such as working. (“Primary” child care, the time spent taking care of children while not engaging in other activities, was little changed.) Women shouldered more of that burden than men: Women with school-age children spent more than seven hours a day with children in their care, compared to less than five hours for men.

The pandemic even affected the data itself: The government put the survey on hold from mid-March until mid-May, so the numbers don’t reflect the most intense period of lockdowns and business closings last year. (The report released Thursday compares the period from mid-May to the end of the year in 2020 to the same period in 2019.)

In May, existing home sales in the United States fell 0.9 percent from April as a sharp rise in prices and a shortage of houses for sale led to a slowdown in the market.

“Supply has modestly improved in recent months due to more housing starts and existing homeowners listing their homes, all of which has resulted in an uptick in sales,” Lawrence Yun, NAR’s chief economist, said in a statement.

Existing home sales rose 1.4 percent in June from May, the National Association of Realtors said Thursday. Sales increased nearly 23 percent in June from the year before.

The median home sales price rose 23.4 percent from a year ago, to a record $363,300.

The inventory of unsold homes stood at 1.25 million, down 18.8 percent from a year ago. It typically took just 17 days to sell a home, versus 24 days last June.

Mercedes thus joined a growing list of companies including General Motors, Stellantis and Renault that have declared their intention to hasten the demise of internal combustion engines in favor of battery-powered vehicles with no tailpipe emissions.

Increasingly, they have little choice. The European Union will effectively ban new cars with internal combustion engines in 2035, while Britain, Norway and other countries have also set expiration dates for vehicles that run on fossil fuels.

Mercedes, the luxury carmaking division of Daimler, also faces pressure from Tesla, which has been stealing well-heeled buyers and is building a factory in Berlin. Tesla leads rivals in batteries and autonomous driving technology. But Ola Källenius, the chief executive of Daimler, said that Mercedes wants to seize the initiative with, for example, a model to be unveiled next year that will go 600 miles on a charge. That would be about 50 percent farther than Tesla’s longest-range car.

“We want to be people to make it happen,” Mr. Källenius told reporters Thursday, “not just go with the flow.”

Mercedes said it would invest 40 billion euros, or $47 billion, on electric cars, vans and light commercial vehicles by 2030. In 2025, the company will introduce three new electric vehicle platforms — collections of components and technology that can be shared among different models — and will no longer develop platforms for internal combustion engines.

The platform shift is significant because it will allow Mercedes to exploit some of the design potential of battery powered vehicles, such as more interior space. Electric motors are smaller than internal combustion engines and do not require large transmissions.

Despite the huge investments required, Mr. Källenius said he was confident Mercedes could continue to enjoy profit margins of more than 10 percent. Electric vehicles have generally been less profitable for carmakers because of the cost of batteries, but Mr. Källenius pointed out that battery prices have been dropping fast.

Mercedes is planning to take tighter control of battery production. Working with partners, it will establish a global network of battery plants and will also build its own electric motors.

One of the new battery factories will be in the United States, three will be in Europe and four will be in Asia. Daimler executives said they had not yet decided on a location for the U.S. plant, but it will probably be close to Mercedes’ existing manufacturing complex in Tuscaloosa, Ala.

Daimler stopped short of promising not to sell any more cars with internal combustion engines. Some regions of the world by 2030 may not have the charging networks that make owning an electric vehicle practical.

“Mercedes-Benz will be ready to go all-electric at the end of the decade,” the company said in a statement, adding, “where market conditions allow.”

A range of companies had outages, including financial firms like American Express and Chase, retailers like Amazon and Home Depot and travel companies like Delta Air Lines and Expedia, according to the online platform Downdetector.

On its website, Delta said that it was working to resolve “a technology issue” that was affecting “many global websites.”

“You can continue to check in for flights at this time at the airport,” Delta’s statement said.

The outages were reported as Akamai, one of the largest cloud-computing providers, said it had experienced problems with its DNS service, though it wasn’t immediately clear whether the Akamai outage was the source of all of the issues elsewhere. DNS, one of the most fundamental technologies of the web, helps route requests for a specific URL to the server where that website actually lives.

Akamai also helps many companies make their sites faster and more reliable by serving cached versions of pages from around the globe, but an outage in its network could render those sites unusable.

Akamai confirmed the connectivity issues were not the result of a cyberattack.

“There are reports of issues related to a Content Delivery Network (Akamai) outside of Amazon’s Network,” Amazon Web Services said in a statement posted on its website. “We have investigated AWS services such as Amazon Route 53 and Amazon CloudFront and these services are all operating normally at this time.”

Zomato, an Indian food delivery company, also blamed Akamai for its outage. “Our app is down, owing to a widespread internet outage (Akamai),” the company posted on Twitter.

Just before 1 p.m. Eastern time, Akamai said it had resolved its issue.

“We have implemented a fix for this issue, and based on current observations, the service is resuming normal operations,” Akamai said on Twitter.

In an apparently unrelated incident, several counties in Virginia, including Campbell and Grayson, reported that their 911 systems were down. On its Facebook page, the Grayson County Sheriff’s Office said the outage was because of a cut to fiber internet lines and that 911 could still be reached from landline telephones.

The weekly figure, before seasonal adjustments, was about 406,000, an increase of 14,000 from the previous week. New claims for Pandemic Unemployment Assistance, a federally funded program for jobless freelancers, gig workers and others who do not ordinarily qualify for state benefits, totaled 110,000, up about 14,000 from the week before. The figures are not seasonally adjusted. (On a seasonally adjusted basis, state claims totaled 419,000, an increase of 51,000.)

New state claims remain high by historical standards but are one-third the level recorded in early January. The benefit filings, something of a proxy for layoffs, have receded as businesses return to fuller operations, particularly in hard-hit industries like leisure and hospitality.

More than 20 states have recently discontinued some or all federal pandemic unemployment benefits — including a $300 supplement to other benefits — even though they are funded through September. Officials in those states said the payments were keeping people from seeking work. But judges in Maryland and Indiana have blocked the early cutoff, and legal challenges are pending in three other states.

A survey of 5,000 adults conducted June 22-25 by Morning Consult found that those whose unemployment benefits were about to expire felt more pressure to find work. But of all those on unemployment insurance, relatively few — 20 percent of those who had worked full time, and 28 percent of those who had worked part time — said the benefits were better than their previous work income in meeting basic expenses.

The Labor Department’s employment report for June showed that the economy had 6.8 million fewer jobs than before the pandemic. A separate report found 9.2 million job openings at the end of May as businesses that had closed or cut back during the pandemic raced to hire employees to meet the reviving demand.

But there is a substantial amount of turnover, with far more workers quitting their jobs than are being laid off — a sign that many are jumping to positions that pay even slightly more. And the rush by businesses to staff up in lower-paying jobs means that many workers can afford to wait for a better deal.

The company did not disclose the number of patients that have received the drug, which is priced at $56,000 annually on average. Biogen’s chief executive, Michel Vounatsos, said on an earnings call that a “big chunk” of the revenue had come from stockpiled inventory and that the drug’s release has been somewhat slower than the company had anticipated.

Several industry analysts estimated based on the revenue figure that fewer than 100 patients had been treated so far. The drug had been expected to get off to a modest start. Many insurers have not yet decided how to cover it. Administration sites — typically memory clinics that see patients with cognitive problems — have been slowed by the complexities of administering the drug, which must be given as a monthly intravenous infusion.

The federal agency that administers Medicare announced earlier this month that it would initiate a monthslong review to determine whether to standardize coverage of the drug across the country, a step that could restrict which patients receive it. In the meantime, some Medicare Advantage plans, an alternative to traditional Medicare that is offered by private insurance companies, have already approved patients to receive the drug, the company said.

Biogen executives spent much of the earnings call on Thursday defending Aduhelm and the process that led to its approval.

The drug’s approval last month generated intense scrutiny, in large part because there is scant evidence that it can help patients. Some major medical centers have decided not to offer it, and two congressional committees are investigating the drug’s approval and its price. Critics have also questioned the close collaboration between Biogen and the Food and Drug Administration in the lead-up to the approval.

It was the first policy announcement since the central bank offered the results of its strategy review this month, which showed that policymakers would allow emergency measures to persist even if inflation temporarily rises above 2 percent. In the review, the bank also said it would use its influence in the bond market to tackle climate change.

The central bank’s latest forward guidance, published Thursday, was changed to reflect this new strategy. Interest rates will “remain at their present or lower levels” until inflation is seen reaching 2 percent “well ahead” of the end of the central bank’s projection horizon, which is approximately three years, “and durably” for the rest of that period. Policymakers will also keep interest rates low until there is evidence that inflation will stabilize at 2 percent “over the medium term.”

“This may also imply a transitory period in which inflation is moderately above target,” the statement said.

This leads to the potential for a longer period of low interest rates and bond purchases because the central bank will not be forced to react to temporary bouts of higher inflation. In general, the region has suffered from persistently low inflation.

The new guidance has raised the bar for higher interest rates in Europe, Claus Vistesen, an economist at Pantheon Macroeconomics, wrote in a note.

Last week, data showed that the annual inflation rate in the eurozone was 1.9 percent in June, down from 2 percent in May. The central bank forecasts inflation to rise again this year before falling next year. In 2023, at the end of its projection horizon, inflation is forecast to be just 1.4 percent.

“The outlook for inflation over the medium term remains subdued,” Christine Lagarde, the central bank’s president, said on Thursday.

Previously, the central bank had been aiming for inflation below, but close to, 2 percent. Now it has a “symmetric” 2 percent target “over the medium term.”

The change in policy guidance comes as the rising number of coronavirus cases has led governments in the region to reimpose some restrictions, hoping not to derail the fragile economic recovery. On Thursday, interest rates and the pace of the central bank’s bond-buying program stayed the same.

As the vaccination rollout continues and strict lockdowns have been eased, “the recovery in the euro area economy is on track,” Ms Lagarde said. “But the pandemic continues to cast a shadow, especially as the Delta variant constitutes a growing source of uncertainty.”

In recent months, the reopening of many businesses, combined with supply chain disruptions because of shortages of critical items such as semiconductors, has led to price increases across Europe and the United States. Central banks are being pushed to explain when these increases might lead to a pullback in monetary stimulus. So far, policymakers have indicated they will withstand higher inflation as long as it is temporary.

The statement from the European Central Bank on Thursday reiterates its desire to not withdraw stimulus prematurely.

The change in the central bank’s forward guidance is intended “to underline its commitment to maintain a persistently accommodative monetary policy stance to meet its inflation target,” the statement said.

As investors expect interest rates to stay low and negative for several years in Europe, the monetary policy path is diverging even more strongly from the United States, where policymakers expect to raise interest rates in 2023.

“Almost all large corporate customers, including many of the traditional oil and gas companies, have goals to go 100 percent renewable by 2030 or 2040,” said Yuri Horwitz, Sol’s chief executive. Those commitments come as regulatory and investor scrutiny is expected to intensify in the coming years.

Private equity firms are racing to invest in renewable energy during the Biden administration, driven in part by expectations of increased public investment as the White House aims to cut the country’s fossil-fuel emissions by 80 percent by 2030. The amount of solar capacity installed in the first quarter in the United States was nearly 50 percent larger than the year before, setting a first-quarter record, according to a report by the Solar Energy Industry Association and research firm Wood Mackenzie Power & Renewables.

Sol invests in underserved communities alongside its solar power projects. Its partnership with Microsoft, announced last year, included $50 million in investments in the areas surrounding the sites of its installations.

This week, the Carlyle Group announced it was forming a renewable energy infrastructure unit. And KKR brought on Tim Short and Benoit Allehaut this spring to help steer renewable investments in its $18 billion infrastructure division. Among its recent deals was a $1.4 billion investment last year in the wind and solar company NextEra.

But KKR is still betting on fossil fuels. “Natural gas is still a very important aspect of the energy transition until we have technology solutions that allow otherwise,” Mr. Short said. And last month, the firm announced a $5.7 billion deal to create a vehicle that consolidates shale oil companies.

The moves are highly unusual and upend the traditional I.P.O. process, Erin Griffith and Lauren Hirsch report for The New York Times. No company has ever offered so many shares to everyday investors at the outset; firms typically reserve just 1 or 2 percent of their shares for customers. And investor presentations usually take place behind closed doors with Wall Street firms.

“We recognize that for many of you this will be the first I.P.O. you have had a chance to participate in,” Vlad Tenev and Baiju Bhatt, Robinhood’s founders, wrote in its offering prospectus. They added that they wanted to put customers on an “equal footing” with large institutional investors.

Robinhood is also letting its employees sell up to 15 percent of their shares immediately upon its listing, rather than having them wait the traditional six months. That could add to volatile trading.

But the risks of opening up an I.P.O. are significant. Big professional funds tend to hold stock that they buy in an I.P.O., but there is little to stop everyday investors from immediately dumping Robinhood’s shares. And any technical problems could invite regulatory scrutiny and investor lawsuits, bankers said.

In 2006, the phone service provider Vonage tried to sell shares to its customers in its I.P.O. But a technical glitch left buyers unclear whether their trades had gone through until days later, when the stock had plummeted. Customers sued Vonage, and regulators fined the banks that ran the offering.

Calls to cancel the events have intensified as more athletes test positive for the coronavirus. The event is also deeply unpopular with Japanese citizens and many public health experts, who fear a superspreader event. And there will be no spectators in the stands.

For NBCUniversal, which has paid billions of dollars for the exclusive rights to broadcast the Olympics in the United States through 2032, the event is a crucial source of revenue. There are more than 140 sponsors for NBC’s coverage on television, on its year-old streaming platform Peacock and online, an increase over the 100 that signed on for the 2016 Summer Games in Rio de Janeiro, Tiffany Hsu reports for The New York Times.

Chris Brandt, the chief marketing officer of Chipotle, said that the situation was “not ideal,” but that the company still planned to run a campaign featuring profiles of Olympic athletes.

“We do think people will continue to tune in, even without fans, as they did for all kinds of other sports,” Mr. Brandt said. “It’s going to be a diminishing factor in terms of the excitement, but we also hope that the Olympics are a bit of a unifier at a time when the country can seem to be so divided every day.”

Ad agency executives said companies were regularly checking in for updates on the coronavirus outbreak in Japan and might fine-tune their marketing messages accordingly.

“Everyone is a little bit cautious,” said David Droga, the founder of the Droga5 ad agency, which worked on an Olympics campaign for Facebook showcasing skateboarders. “People are quite fragile at the moment. Advertisers don’t want to be too saccharine or too clever but are trying to find that right tone.”

The S&P 500 rose 0.2 percent. The Nasdaq composite gained 0.4 percent.

The yield on U.S. 10-year Treasury notes fell to 1.27 percent from 1.30 percent.

Markets in Europe were higher, with the Stoxx 600 Europe gaining 0.6 percent. The European Central Bank said interest rates will “remain at their present or lower levels” until inflation is seen reaching 2 percent “well ahead” of the end of the central bank’s projection horizon.

Oil prices rose on Thursday, with West Texas Intermediate, the U.S. crude benchmark, climbing 2 percent to $71.72 a barrel.

Akamai’s stock fell 0.6 percent after the company experienced problems with its DNS service, causing internet outages for a range of companies.

Shares of the drug maker Biogen gained 1 percent after reporting that its controversial Alzheimer’s drug Aduhelm brought in $2 million in its first few weeks of availability.

Business Stories