Digital services and IT consultancy giant Sopra Steria has confirmed that it suffered a Ryuk ransomware attack earlier this month and that it will take a few weeks for normal operations and information systems to resume.
Sopra Steria said the cyber attack took place only a few days before it was detected, and that it was not blocked because the hackers used a new version of the Ryuk ransomware that was previously unknown to antivirus software providers and security agencies.
The company said that after the ransomware attack was detected, its security teams made the new version's virus signature available to all antivirus software providers so they could update their software as quickly as possible. Security experts were also able to contain the virus to a limited part of the Group's infrastructure and to protect its customers and partners.
"At this stage, and following in-depth investigation, Sopra Steria has not identified any leaked data or damage caused to its customers’ information systems. Having analysed the attack and established a remediation plan, the Group is starting to reboot its information system and operations progressively and securely, as of today. It will take a few weeks for a return to normal across the Group," the company said.
Hackers have extensively used the Ryuk ransomware since 2018 to target a number of companies in the United States and the rest of the world. One of the earliest instances of the ransomware's deployment involved hackers targeting the Los Angeles Times' Olympic printing plant in downtown Los Angeles, affecting the distribution of newspapers from leading U.S. media organisations such as The Los Angeles Times, The New York Times, the Wall Street Journal, the Chicago Tribune, and the Baltimore Sun.
Last year, a Ryuk ransomware attack launched by Russian hackers against a cloud data hosting company left as many as 110 hospitals unable to access patient medical records and medication administration data that were stored on the company's servers.
In September, US hospital chain Universal Health Services, Inc. (UHS), a Fortune 500 company in 2019 with annual revenue of $11.4 billion that also ranked #330 on Forbes' list of the largest public companies in the U.S., reportedly suffered a Ryuk ransomware attack that took all IT services across all of its facilities offline.
Commenting on hackers using a new variant of the Ryuk ransomware to target Sopra Steria, Tom Davison, technical director – international at Lookout, said cyber criminals are constantly iterating to evade detection and take advantage of new vulnerabilities. As a result, new variants of known malware are not uncommon; they may even be specifically crafted for the intended victim.
"The best defence is to keep systems patched and use security tools that can take advantage of huge datasets. This allows for proactive and ongoing identification of rogue behaviours rather than a reliance on specific signatures. The more data you can analyse, the more chance there is to spot new and emerging threat variants.
"Equally important is the ability to respond, which requires a 'detection and response' strategy and toolkit to be in place. In this case, Sopra Steria appears to have been able to contain the situation relatively quickly and they are doing the right thing in communicating openly as the situation evolves," he added.
According to Brian Higgins, security specialist at Comparitech.com, it has always been a favourite methodology of cybercriminals to take the existing source code of successful attack platforms and tweak it to produce a 'new' version. This can often simply involve amendments to bypass contemporary anti-virus (AV) measures whilst leaving the payload untouched, and that would appear to be the case here.
"If this proves anything at all it is that, whilst AV is often looked upon as an outdated and unsophisticated tool in the cybercrime prevention box, it remains vital to ensure it is implemented and running the latest version wherever possible," he added.