[BreachExchange] Ransomware Takes Down Network of French IT Giant

Destry Winant destry at riskbasedsecurity.com
Mon Oct 26 10:18:42 EDT 2020


https://threatpost.com/ransomware-french-it-giant/160484/

Sopra Steria hit with cyber attack that reportedly encrypted parts of
their network on Oct. 20 but has remained mostly mum on details.

French IT giant Sopra Steria was hit with a cyber attack this week
that disrupted the business of the firm and is widely believed to be
the work of the threat actors behind Ryuk ransomware.

The company revealed the attack in a brief press statement released
Oct. 22, two days after officials said the attack—which reportedly
encrypted parts of the firm’s network—occurred.

“A cyberattack has been detected on Sopra Steria’s IT network on the
evening of 20th October,” officials said. “Security measures have been
implemented in order to contain risks.”

Sopra Steria employs 46,000 people in 25 countries and even has a
cybersecurity arm that specializes in helping customers implement
“reliable security and resiliency,” according to its website.

However, the company, which did $4.4 billion in business last year,
divulged nothing about exactly what type of attack it was or what
services, systems and data were affected. Sources in the French media
claim it was Ryuk ransomware that took down the company.

If that’s true, then the attackers behind Ryuk have been quite active
lately. Earlier this week the group—also responsible for the TrickBot
and BazarLoader infections used together with the ransomware—struck
in an unusually swift attack that went from sending a phishing
email to complete encryption across the victim’s network in just five
hours.

Ryuk also is behind a ransomware attack less than a month ago that
shut down Universal Health Services, a Fortune-500 owner of a
nationwide network of hospitals.

Sopra Steria is currently working to recover its systems “for a return
to normal as quickly as possible” after the attack, as well as making
“every effort … to ensure business continuity,” officials said in a
statement. The company is working with authorities on the matter as
well as staying in touch with customers and partners.

Still, it’s unfortunate that a company that specializes in IT services
and cybersecurity would keep the public in the dark about key details
of what went down during the attack and how it might affect their
affiliates, observed Chloe Messdaghi, vice president of strategy for
Point3 Security.

“One thing that is disappointing however is that Sopra Steria didn’t
inform its customers in their public notification of exactly what
types of data were exposed,” she said in an e-mail to Threatpost.
“They also didn’t offer any advice on the kinds of attack attempts
that end users whose data was exposed might expect and should be
prepared to spot. Those potential attack strategies are dependent on
the data exposed.”

This type of transparency with customers who could have been affected
and exposed to risk is especially important for companies that
specialize in IT services to uphold in these circumstances, Messdaghi
said.

“As a digital transformation company, Sopra Steria is no doubt aware
of these risks,” she said. “It’s crucially important that they share
them, and quickly, with those whose data was exposed.”

