French IT Services Firm Confirms Ryuk Ransomware Attack
Sopra Steria: Recovery Effort Will Take Weeks, But No Data Has Leaked
French IT services firm Sopra Steria is confirming that its internal infrastructure sustained a ransomware attack earlier this month that disrupted its operations, with a full recovery expected to take weeks.
Sopra Steria says it was hit with a variant of the Ryuk ransomware strain on Oct. 20. The company, which says it’s continuing to investigate the incident, is offering few details.
The company noted, however, that there is no evidence any customer or company data has leaked or that there has been any damage to any customers’ systems that the company manages.
"Having analyzed the attack and established a remediation plan, the group is starting to reboot its information system and operations progressively and securely, as of today," the company said Monday. "It will take a few weeks for a return to normal across the group."
Sopra Steria is one of the largest IT services and consulting groups in Europe. The company has 46,000 employees and operates in 25 countries. In 2019, the firm posted revenue of 4.4 billion euros ($5.2 billion), according to its website.
It appears the attackers gained a foothold in the company’s network during the weekend of Oct. 17 before deploying the ransomware and interfering with the company's internal IT infrastructure on Oct. 20, according to a company statement. "Moreover, it has also been established that the cyberattack was only launched a few days before it was detected," Sopra Steria says.
The cybercriminal gang behind the crypto-locking malware Ryuk refines and updates the malicious code for specific attacks, security researchers report (see: Ransomware Payday: Average Payments Jump to $178,000).
Ryuk has been tied to several high-profile security incidents over the last several months. These include an attack against Philadelphia-based eResearchTechnology, which provides clinical trial oversight software to drugmakers and testing firms. Some of the companies that use eResearchTechnology's software are conducting COVID-19 vaccine research (see: Ransomware Attack Hits Clinical Trial Software Vendor).
At the end of the third quarter, the gang behind the Ryuk ransomware had increased its activities after a dormant period that started in March, says Bill Siegel, the CEO of incident response firm Coveware. The malicious code appears to have been tweaked during the lull.
"The encryption malware is substantially the same as in prior attacks, though every executable has a unique signature, making one attack's signature slightly different than the next," Siegel tells Information Security Media Group.
Ties to Trickbot
Ryuk has also long been tied to Trickbot, with criminal gangs using the botnet as a primary mechanism for delivering the ransomware into a victim's network (see: Emotet, Ryuk, TrickBot: 'Loader-Ransomware-Banker Trifecta').
Earlier this month, Microsoft, along with other security firms and U.S. government agencies, announced that it had partially dismantled Trickbot's infrastructure (see: Microsoft Continues Trickbot Crackdown). But some security firms, such as CrowdStrike, believe that the criminal gang behind Trickbot has enough resources to bring the botnet back to full strength soon.
Coveware's Siegel says it's difficult to judge how much of an effect the campaign against Trickbot will have on Ryuk attacks.
"It is probably too early to tell if the Trickbot disruption has had an impact on the Ryuk group's activities, as a Trickbot infection is typically a precursor to a ransomware attack that will lag by several days to several weeks," Siegel says.
Brett Callow, a threat analyst with security firm Emsisoft, believes the attack against Sopra Steria means that Ryuk is still a threat even if Trickbot is not fully functional.
"Ryuk incidents are still being observed so, unfortunately, Microsoft’s efforts against Trickbot did not represent the final nail in the ransomware's coffin," Callow tells ISMG.