Researcher Graham Cluley published that European IT services and digital transformation giant Sopra Steria has been hit by a ransomware attack. Sopra Steria employs 46,000 in 25 countries and generated revenue of €4.4 billion in 2019.
Researcher Graham Cluley published that European IT services and digital transformation giant Sopra Steria has been hit by a ransomware attack. Sopra Steria employs 46,000 in 25 countries and generated revenue of €4.4 billion in 2019.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
This is an example of a well-handled cyber attack. Employees were vigilant enough to catch the attack early, it was reported to authorities to protect other businesses using the software, and security protocols already in place at the company ensured the damage was localised and managed. Many companies struggle with creating resiliency plans for attacks like this and it\’s good to see an organisation taking its data infrastructure, and the data of its customers and partners, seriously.
Cybercriminals are constantly iterating to evade detection and take advantage of new vulnerabilities. As a result, new variants of known malware are not uncommon, they may even be specifically crafted for the intended victim. The best defense is to keep systems patched and use security tools that can take advantage of huge datasets. This allows for proactive and ongoing identification of rogue behaviors rather than a reliance on specific signatures. The more data you can analyze the more chance there is to spot new and emerging threat variants. Equally important is the ability to respond, which requires a \’detection and response\’ strategy and toolkit to be in place. In this case, Sopra Steria appears to have been able to contain the situation relatively quickly and they are doing the right thing in communicating openly as the situation evolves.
The major takeaway from the cyberattack on Sopra Steria is that anyone can fall victim to a cyberattack, even the most tech-savvy companies. It boils down to the fact that organizations are made up of people—we try our best, but at the end of the day we are only human and humans make mistakes sometimes. This incident underpins the importance of having technology in place to monitor for and block threats, and a team of experts that can work quickly to mitigate an attack before it causes widespread damage. It’s not a matter of if you will be hit by a cyberattack, but when and how prepared you will be to mitigate it.
The use of Ryuk Ransomware in this attack is another major pivot for the ransomware operators. Up until the beginning of this year, Ryuk was used solely to target financial services, but over the last several months Ryuk has been seen targeting manufacturing, oil and gas, and healthcare. Ryuk is known to target large organizations across industries because it demands a very high ransom. Sopra Steria stakeholders will likely have a lot of questions about what happened, but another question to consider is whether or not the company is in the position to fully recover its data without paying the ransom.
Ryuk Ransomware is run by a group called Wizard Spider, which is known as the Russia-based operator of the TrickBot banking malware. Ryuk is one of the most evasive ransomware out there. Nuspire Intelligence has repeatedly seen the triple threat combo of Ryuk, TrickBot, and Emotet to wreak the most damage to a network and harvest the most amount of data.
This attack demonstrates that however prepared any organization is for an attack, the attacker will get in if they are determined. It highlights that as much as every enterprise must be prepared for malware, phishing, and ransomware on their network – and have an actionable remediation and communication plan in place – this is not enough. Targeted attacks only occur once a significant amount of background work has taken place, so it’s likely that the attacker had been on the inside for many months to prepare this. Only once they understood how the business operated were they able to identify the best day for launch and where the weak spot might be.
Sometimes there’s too much focus on advanced, unheard of targeted attacks. What this proves is that we still have to be ready for the basics, such as ransomware or phishing. When well-executed, they can do as much – or even more – damage than a customized campaign.
It’s tough to install faith in customers as an IT and cybersecurity provider if you yourself get hacked. However, this is another important example that no organization is safe as attackers continue to become more sophisticated and advanced. While details of the exact attack, and the attacker’s demands, remain scarce, sources indicate the Ryuk ransomware is the culprit. Typically, Ryuk is dropped into an already compromised network after another ransomware performs the initial infection and gains access to domain controllers and elevated privileges.
This shows that while preventing initial breaches is important, having a rapid response framework in place is equally critical. In this case, a better response after initial infection could have potentially stopped the malware from gaining domain admin rights and deploying Ryuk.
With that said, it’s important to have real-time threat detection and response software in any corporate network, to mitigate abnormal user behaviors and malware network traversal. Beyond that, implementing privileged access management software can reduce the overall attack surface by removing admin rights and only providing them exactly when they’re needed (known as ephemeral admins and zero standing privilege). Considering how often corporate breaches occur, it’s a good idea to assume you could be the next victim and prepare your response accordingly, instead of only trying to prevent initial breaches.