France’s Sopra Steria Was Hit By Previously Unseen Version of Ryuk Ransomware
French IT services firm Sopra Steria, which suffered a Ryuk ransomware attack in October, now estimates that recovering from the attack could cost up to 50 million euros ($59 million).
Sopra Steria is one of the largest IT services and consulting groups in Europe, posting 2019 revenue of 4.4 billion euros ($5.2 billion).
On Oct. 21, Sopra Steria stated that it had suffered an attack using a version of the Ryuk ransomware that had not been publicly seen before. At the time, the company said it did not believe that any customer or company data had leaked or that there had been any significant damage to the many customer systems that the company manages (see: French IT Services Firm Confirms Ryuk Ransomware Attack).
Now, however, the company says it expects that the attack will have a gross negative impact on its operating margins of between $47 million and $59 million due to remediation costs and the widespread unavailability of various systems since Oct. 21.
In a statement issued on Wednesday, the firm also says it expects to receive an insurance payout of $35 million. The company notes, however, that it does not expect the ransomware outbreak to impact its fourth quarter sales results, and says its cleanup efforts have nearly concluded.
The firm added: “The secure remediation plan launched on October 26 is nearly complete. Access has progressively been restored to workstations, R&D and production servers, and in-house tools and applications. Customer connections have also been gradually restored.”
Sopra Steria did not immediately respond to a request for comment about whether it paid any ransom to its attackers.
Ryuk Ransomware Attack
How was it that the French IT services firm got hit by a version of Ryuk that had not been previously seen by security researchers? Experts say the cybercrime gang behind Ryuk continually refines and updates the crypto-locking malware, sometimes customizing it for individual targets, to better evade security defenses (see: Ransomware Payday: Average Payments Jump to $178,000).
Ryuk had previously gone quiet in March. But around September, Ryuk’s operators appear to have restarted their attacks, and were regularly repacking their code, Bill Siegel, the CEO of ransomware incident response firm Coveware, has told Information Security Media Group.
“The encryption malware is substantially the same as in prior attacks, though every executable has a unique signature, making one attack’s signature slightly different than the next,” Siegel said.
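The repacking Siegel describes is why defenders cannot rely on exact file hashes alone: each repacked executable gets a fresh digest even though the core code is unchanged. The following Python example, added here and not part of the article or any vendor tooling, contrasts an exact SHA-256 signature with a simple content-defined (piecewise) similarity hash over constructed byte blobs that stand in for a shared core wrapped in two different packer stubs; none of the bytes are from Ryuk.

```python
import hashlib
import random

def exact_hash(data: bytes) -> str:
    """Per-sample signature (SHA-256): any changed byte gives an unrelated digest."""
    return hashlib.sha256(data).hexdigest()

def content_defined_chunks(data: bytes, min_len: int = 8, mask: int = 0x3F) -> list:
    """Split data where a hash of the most recent bytes matches `mask`.
    Cut points depend on content rather than offsets, so bytes prepended,
    inserted or appended by a packer only disturb the chunks near the edit."""
    chunks, start, h = [], 0, 0
    for i, b in enumerate(data):
        h = ((h << 1) ^ b) & 0xFFFFFFFF   # low bits depend only on the last few bytes
        if i - start >= min_len and (h & mask) == 0:
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])
    return chunks

def fuzzy_signature(data: bytes) -> set:
    """Set of short chunk digests; survives local edits, unlike exact_hash."""
    return {hashlib.sha256(c).hexdigest()[:12] for c in content_defined_chunks(data)}

def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the chunk-digest sets: 0.0 (unrelated) to 1.0 (identical)."""
    sa, sb = fuzzy_signature(a), fuzzy_signature(b)
    return len(sa & sb) / len(sa | sb) if sa | sb else 1.0

def _pseudo_random_bytes(seed: int, n: int) -> bytes:
    """Deterministic filler so the example is reproducible offline."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

# Constructed stand-ins (hypothetical, not real malware): one shared "core" wrapped
# by two different packer stubs, plus an unrelated blob for comparison.
CORE = _pseudo_random_bytes(seed=1, n=4096)
SAMPLE_A = b"STUB-A:" + _pseudo_random_bytes(2, 128) + CORE
SAMPLE_B = b"STUB-B:" + _pseudo_random_bytes(3, 160) + CORE + b"\x00" * 64  # repacked build
UNRELATED = _pseudo_random_bytes(seed=9, n=4096)

if __name__ == "__main__":
    print("exact hashes equal:", exact_hash(SAMPLE_A) == exact_hash(SAMPLE_B))
    print("A vs B similarity:  %.2f" % similarity(SAMPLE_A, SAMPLE_B))
    print("A vs unrelated:     %.2f" % similarity(SAMPLE_A, UNRELATED))
```

The exact hashes differ, while the chunk-based similarity stays high between the two repacked builds and near zero against the unrelated blob, which is the property behaviour- and similarity-based detections exploit when per-sample hash IoCs go stale.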
Ryuk was the focus of a recent alert from the FBI and the U.S. Cybersecurity and Infrastructure Security Agency, which warned hospitals that a wave of Ryuk ransomware attacks was targeting healthcare facilities across the country.
The ransomware has been tied to numerous high-profile security incidents in recent months. These include an attack against Philadelphia-based eResearchTechnology, which provides clinical trial oversight software to drugmakers and testing firms. Some of the companies that use eResearchTechnology’s software are conducting COVID-19 vaccine research (see: Ransomware Attack Hits Clinical Trial Software Vendor).
The ongoing spate of ransomware attacks against hospitals has also prompted American lawmakers to raise concerns about cybersecurity practices at such facilities, especially as they are in the midst of attempting to handle a surging number of COVID-19 cases (see: Senator Demands Answers on Universal Health Services Outage).
Ryuk’s Ties to Trickbot and Emotet
In terms of Ryuk finding its way onto victims’ systems, the ransomware has long been tied to the botnets behind Trickbot and Emotet. Ryuk operators have regularly used those botnets to download their ransomware onto endpoints (see: Emotet, Ryuk, TrickBot: ‘Loader-Ransomware-Banker Trifecta’).
For years the operators behind Ryuk have used the Emotet and Trickbot botnets to deliver their crypto-locking malware to compromise devices. Following Microsoft’s temporary disruption of the Trickbot botnet in October, however, some security experts say it appears that Ryuk’s operators may have begun sourcing alternative delivery mechanisms (see: Microsoft Continues Trickbot Crackdown).
In October, security firm Sophos reported that in recent months, Ryuk’s operators had been increasingly relying on a malware-as-a-service tool – the Buer loader – to deliver the malware, rather than botnets such as Trickbot and Emotet. Based on advertisements on cybercrime forums, researchers say the Buer loader appears to have first debuted in August 2019 (see: Ryuk Ransomware Delivered Using Malware-as-a-Service Tool).