A security firm said the REvil gang, allegedly a Russian-speaking ransomware syndicate appears to be responsible for the attack.
A “colossal and devastating” ransomware attack is thought to have paralysed the networks of at least 200 US companies.
The federal Cybersecurity and Infrastructure Security Agency have said it is closely monitoring the situation and is working with the FBI to collect more information about the impact of the attack.
John Hammond of the security firm Huntress Labs said the REvil gang, a major Russian-speaking ransomware syndicate, appears to be responsible for the attack.
REvil steals data from its targets before activating the ransomware to strengthen its extortion efforts.
Mr. Hammond said the criminals targeted a software supplier called Kaseya, using its network management as a way to spread the ransomware through cloud-service providers.
“Kaseya handles large enterprise all the way to small businesses globally, so ultimately, (this) has the potential to spread to any size or scale business,” he said on Twitter.
“This is a colossal and devastating supply chain attack.”
He added he was aware of four companies that host IT infrastructure for multiple customers being hit by the ransomware, which encrypts networks until the victims pay off attackers.
“We currently have three Huntress partners who are impacted with roughly 200 businesses that have been encrypted,” he said.
Experts believe the attack was deliberately timed to coincide with the 4 July holiday weekend, when fewer IT staff are traditionally on duty.
Such cyber attacks typically infiltrate widely-used software and spread malware as it updates automatically.
It is not yet clear how many Kaseya customers might be affected or who they might be.
Kaseya said the attack was limited to a “small number” of its customers and had urged them to immediately shut down servers running the affected software.
Privately-run Kaseya says it is based in Dublin and has its US headquarters in Miami.