IT services provider Sopra Steria has confirmed that it was hit by a “new version” of the Ryuk ransomware that was “previously unknown to antivirus software providers and security agencies”.
The French-headquartered company detected the cyberattack on 20 October and made it public the following day.
Initial reports in French media pointed to hackers using Ryuk ransomware to target Sopra Steria’s Active Directory infrastructure, encrypting some IT systems and demanding payment to unlock them.
In a statement published today, Sopra Steria said it has made the virus signature of the new Ryuk ransomware strain available to “all antivirus software providers” so that they can update their defences.
Sopra Steria said that the ransomware attack was launched “a few days before it was detected”, which meant the virus was contained to a “limited part of the Group’s infrastructure”.
The company, which provides IT outsourcing services to the NHS and Home Office, said it has not identified any leaked data or damage to client networks.
On Friday Verdict revealed that the cyberattack hit “all geographies” and will “inevitably take several weeks” to return to normal operations. Sopra Steria today confirmed that it expected to be up and running in “a few weeks”.
“Having analysed the attack and established a remediation plan, the Group is starting to reboot its information system and operations progressively and securely, as of today,” Sopra Steria said in a statement.
Sopra Steria, which has 46,000 employees across 25 countries, said that it “immediately” provided all required information to relevant authorities.
Ryuk strikes again
Ryuk ransomware has been distributed by the Russian-speaking cybercrime gang known as ‘Wizard Spider’ since 2018. The virus is specifically designed to target enterprise environments and, as of January 2019, had netted the syndicate more than $5m in Bitcoin payments.
Richard Hughes, head of technical cybersecurity at A&O IT Group, said it’s “not the first time” that Ryuk has evolved, pointing to its origins as a modified version of the Hermes ransomware originally attributed to North Korea.
“Ryuk is often deployed after other vulnerabilities have been exploited, which is why it is so essential for organisations to carry out regular vulnerability assessments and to remediate any discovered vulnerabilities,” he said, adding that phishing is “high up” on the list of attack methods for installing the ransomware.
Javvad Malik, security awareness advocate at cybersecurity firm KnowBe4, said: “Ryuk is among the most profitable ransomware variants in history, and it continues to evolve and bring new features. The parallels can be drawn to legitimate software which is continually enhanced to perform better – and Ryuk is no exception. So, it’s not altogether surprising to see new variants emerging.”
He added that Sopra Steria appears to have done a “good job” in both detecting Ryuk quickly and demonstrating that it has an established recovery plan.
“The sharing of new IoCs and signatures is also a positive step by Sopra Steria which will help other organisations who become victims.”