Sopra Steria confirms it was hit by new strain of Ryuk ransomware, will take weeks to return to normal operations

Graham Cluley
@gcluley

European IT services group Sopra Steria has shared more details of the cyber attack which hit its offices last week, confirming speculation that it fell victim to a ransomware attack.

According to a press release issued by the firm, Sopra Steria first discovered it was under attack on the evening of 20 October, and has since identified that the culprit was a “new version” of the notorious Ryuk ransomware.

According to Sopra Steria, it has since shared samples of the ransomware with anti-virus vendors and computer crime-fighting agencies.

“Sopra Steria’s investigation teams immediately provided the competent authorities with all information required. The Group was able to quickly make this new version’s virus signature available to all antivirus software providers, in order for them to update their antivirus software.”

“Moreover, it has also been established that the cyberattack was only launched a few days before it was detected.”

Sopra Steria says that it has investigated the attack and “has not identified any leaked data or damage caused to its customers’ information systems.”

Let’s hope that they’re right, as ransomware which exfiltrates sensitive information from corporate networks is clearly a much bigger headache both for the company infected and its customers and partners.

No information has been shared regarding precisely how the Ryuk ransomware might have infected and then spread across Sopra Steria’s network, but often the initial attack will take place through a carefully crafted malicious email.


Interestingly, the attack against Sopra Steria occurred in tandem with reports that Ryuk was exploiting the CVE-2020-1472 privilege escalation vulnerability, also known as Zerologon, to gain domain-level administrator access within corporate networks.

Microsoft produced a patch for the Zerologon vulnerability in August, advising companies to address the issue as a critical priority because of the risk of exploitation.

Subsequently, proof-of-concept code exploiting the security hole was published, prompting the US Government’s Cybersecurity and Infrastructure Agency (CISA) to issue an emergency directive telling organisations to take “immediate and emergency action” to ensure patches were in place.

Sopra Steria says the Ryuk ransomware was contained to “only a limited part of the Group’s infrastructure.” It has started bringing systems back online, but believes it will “take a few weeks for a return to normal across the Group.”

There is no word on what ransom has been demanded by Sopra Steria’s attackers, although in the past the malicious hackers behind the Ryuk ransomware have demanded millions of dollars’ worth of cryptocurrency.



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
