Kronos (UKG)


Kronos, a leading provider of workforce management and HR solutions (under UKG), suffered a severe ransomware attack that crippled its Kronos Private Cloud, disrupting critical services like payroll processing, timesheet management, and workforce scheduling for major clients, including Tesla, Community Bank, and the San Francisco Municipal Transit Authority. The attack forced a complete shutdown of key platforms (UKG Workforce Central, UKG TeleStaff, and Banking Scheduling), halting operations for countless organizations reliant on these systems. The incident suggests potential exploitation of the Log4Shell vulnerability (or alternative breach methods), leading to system-wide outages that threatened financial stability, operational continuity, and employee/customer trust. Given Kronos’ role in payroll and HR data management, the attack likely compromised sensitive employee and organizational data, while the prolonged service disruption risked financial losses, reputational damage, and regulatory penalties for affected businesses. The scale of the attack, targeting a $1B+ revenue company, highlights its destabilizing potential for dependent industries, including public transit, banking, and manufacturing.

Source: https://www.acronis.com/en/tru/posts/hr-management-provider-kronos-hit-by-ransomware/

TPRM report: https://www.rankiteo.com/company/kronos

"id": "kro2362023091325",
"linkid": "kronos",
"type": "Ransomware",
"date": "9/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': ['Tesla',
                                               'Community Bank',
                                               'San Francisco Municipal '
                                               'Transit Authority',
                                               'Other Kronos Private Cloud '
                                               'customers'],
                        'industry': 'Human Capital Management (HCM) / '
                                    'Workforce Management',
                        'location': 'Global (HQ in Lowell, Massachusetts, USA)',
                        'name': 'Kronos (UKG)',
                        'size': 'Large (Annual revenue > $1 billion)',
                        'type': 'Corporation'},
                       {'industry': 'Automotive / Energy',
                        'location': 'Global',
                        'name': 'Tesla',
                        'size': 'Large',
                        'type': 'Corporation'},
                       {'industry': 'Banking',
                        'location': 'USA',
                        'name': 'Community Bank',
                        'type': 'Financial Institution'},
                       {'industry': 'Public Transportation',
                        'location': 'San Francisco, California, USA',
                        'name': 'San Francisco Municipal Transit Authority',
                        'type': 'Government Agency'}],
 'attack_vector': ['Potential Log4Shell vulnerability exploitation',
                   'Unknown alternative access methods'],
 'data_breach': {'data_encryption': 'Likely (ransomware attack)'},
 'description': 'Kronos, a major provider of workforce management and human '
                'capital management solutions, suffered a significant '
                'ransomware attack that disrupted payroll and timesheet '
                'processing services for its customer organizations. Services '
                'using the Kronos Private Cloud, including UKG Workforce '
                'Central, UKG TeleStaff, and Banking Scheduling solutions, '
                'were taken down completely. The attack may have exploited the '
                'Log4Shell vulnerability or other means of access.',
 'impact': {'brand_reputation_impact': 'High (given prominence of affected '
                                       'customers like Tesla, Community Bank, '
                                       'and San Francisco Municipal Transit '
                                       'Authority)',
            'downtime': 'Complete shutdown of affected services (duration '
                        'unspecified)',
            'operational_impact': 'Disruption of payroll and timesheet '
                                  'processing for customer organizations',
            'systems_affected': ['Kronos Private Cloud',
                                 'UKG Workforce Central',
                                 'UKG TeleStaff',
                                 'Banking Scheduling solutions']},
 'initial_access_broker': {'entry_point': ['Potential Log4Shell vulnerability',
                                           'Unknown alternative vectors'],
                           'high_value_targets': ['Kronos Private Cloud',
                                                  'UKG Workforce Central',
                                                  'UKG TeleStaff',
                                                  'Banking Scheduling '
                                                  'solutions']},
 'investigation_status': 'Ongoing (as of description)',
 'ransomware': {'data_encryption': 'Yes (services taken down)'},
 'recommendations': ['Automatically patch systems against latest '
                     'vulnerabilities (e.g., using tools like Acronis Cyber '
                     'Protect).',
                     'Deploy Active Protection to stop known and unknown '
                     'ransomware variants.'],
 'references': [{'source': 'Acronis Cyber Protect'}],
 'title': 'Kronos Ransomware Attack Disrupts Payroll and Workforce Management '
          'Services',
 'type': 'Ransomware Attack',
 'vulnerability_exploited': ['Log4Shell (CVE-2021-44228)']}