European IT services group Sopra Steria has shared more details of the cyber attack which hit its offices last week, confirming speculation that it fell victim to a ransomware attack.
According to a press release issued by the firm, Sopra Steria first discovered it was under attack on the evening of 20 October, and has since identified that the culprit was a “new version” of the notorious Ryuk ransomware.
According to Sopra Steria, it has since shared samples of the ransomware with anti-virus vendors and computer crime-fighting agencies.
“Sopra Steria’s investigation teams immediately provided the competent authorities with all information required. The Group was able to quickly make this new version’s virus signature available to all antivirus software providers, in order for them to update their antivirus software.”
“Moreover, it has also been established that the cyberattack was only launched a few days before it was detected.”
Sopra Steria says that it has investigated the attack and “has not identified any leaked data or damage caused to its customers’ information systems.”
Let’s hope that they’re right, as ransomware which also exfiltrates sensitive information from corporate networks is clearly a much bigger headache, both for the infected company and for its customers and partners.
No information has been shared regarding precisely how the Ryuk ransomware might have infected and then spread across Sopra Steria’s network, but the initial compromise often takes place through a carefully crafted malicious email.
Interestingly, the attack against Sopra Steria occurred in tandem with reports that Ryuk was exploiting the CVE-2020-1472 privilege escalation vulnerability, also known as Zerologon, to gain domain-level administrator access within corporate networks.
Microsoft produced a patch for the Zerologon vulnerability in August, advising companies to address the issue as a critical priority because of the risk of exploitation.
Subsequently, proof-of-concept code exploiting the security hole was published, prompting the US Government’s Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive telling organisations to take “immediate and emergency action” to ensure patches were in place.
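For administrators who want to confirm that the Zerologon fix is actually doing its job on their domain controllers, here is an added example of the kind of check worth running. It is not code from this article, from Sopra Steria or from Microsoft; it assumes you run it as an administrator on a domain controller that has the August 2020 Netlogon update installed, and it relies on the event IDs (5827, 5828, 5829) and the FullSecureChannelProtection registry value that Microsoft documented alongside that update. The event source name ‘NETLOGON’ and the seven-day lookback are assumptions you can adjust.

```powershell
# Added example (not from the article): Zerologon (CVE-2020-1472) posture check for a domain controller.
# Assumes: run elevated on a DC with the August 2020 Netlogon update; event IDs and registry value
# as documented by Microsoft for that update. Adjust $Days to widen or narrow the lookback.
param(
    [int]$Days = 7
)

$since = (Get-Date).AddDays(-$Days)

# 1. Has enforcement been switched on explicitly? A value of 1 makes the DC refuse vulnerable
#    Netlogon secure channel connections regardless of the rollout phase. No value means the
#    DC is relying on the update's default behaviour for its phase.
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$enforce = (Get-ItemProperty -Path $paramsKey -Name FullSecureChannelProtection `
            -ErrorAction SilentlyContinue).FullSecureChannelProtection
if ($enforce -eq 1) {
    Write-Output 'FullSecureChannelProtection = 1: vulnerable Netlogon connections are refused.'
} else {
    Write-Output 'FullSecureChannelProtection is not 1: the DC may still accept vulnerable connections.'
}

# 2. What has the patched Netlogon service been logging?
#    5829 = vulnerable secure channel connection ALLOWED (a device still needing attention, or an attacker)
#    5827 = vulnerable connection DENIED for a machine account
#    5828 = vulnerable connection DENIED for a trust account
$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'      # assumed event source name for these Netlogon events
    Id           = 5827, 5828, 5829
    StartTime    = $since
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No Netlogon 5827/5828/5829 events in the last $Days day(s)."
    Write-Output 'If the update is installed, that means no vulnerable connection attempts were seen.'
    return
}

# Summary count per event ID.
$events | Group-Object Id | ForEach-Object {
    Write-Output ("Event {0}: {1} occurrence(s)" -f $_.Name, $_.Count)
}

# 3. Allowed vulnerable connections (5829) are the ones to chase: each message names the
#    account and source that still negotiated an insecure channel. Patch that device, or
#    investigate it if it is not a device you expected to see.
$events |
    Where-Object { $_.Id -eq 5829 } |
    Select-Object TimeCreated, Message |
    Format-List
```

Running this on every domain controller (the events are logged only on the DC that handled the connection) gives a quick answer to the question CISA’s directive is really asking: not merely “is the patch installed?”, but “are vulnerable Netlogon connections still being accepted, and from where?”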
Sopra Steria says the Ryuk ransomware was contained to “only a limited part of the Group’s infrastructure.” It has started bringing systems back online, but believes it will “take a few weeks for a return to normal across the Group.”
There is no word on what ransom has been demanded by Sopra Steria’s attackers, although in the past the malicious hackers behind the Ryuk ransomware have demanded millions of dollars’ worth of cryptocurrency.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.