One of the largest French information technology consultancies, Sopra Steria, has been hit by a serious ransomware attack that forced its systems offline. Sopra Steria has a global customer base and provides outsourcing services to the UK National Health Service (NHS). According to a statement released by the French-headquartered IT firm, the attack impacted “all geographies”.
The attack was detected on the evening of October 20, 2020. Sopra Steria responded immediately and took steps to limit the harm caused. A press release issued on October 22 stated that parts of its computer system had been affected by a cyberattack. In a later update, Sopra Steria confirmed that ransomware was involved, and sources told the French media that a previously unknown variant of Ryuk ransomware was used, which its anti-virus software therefore did not detect.
The attack was detected after a few days, and the ransomware was contained before it encrypted files across all of the company's systems. Sopra Steria reports that the attack affected only “a limited part” of its IT infrastructure. Media reports suggest that the threat actors targeted its Active Directory infrastructure. It is unclear whether the recently announced CVE-2020-1472 “Zerologon” critical privilege escalation vulnerability was exploited in the attack, but the Ryuk gang is known to have used an exploit for the Zerologon flaw in other recent attacks.
The company has reported the attack to all appropriate authorities and has made the ransomware sample available to anti-virus vendors so that they can update their virus definitions. Systems are now being restored, but disruption to the business is likely to continue for several weeks while they are securely brought back online.
The investigation into the ransomware attack is ongoing, but so far no evidence has been found that any customer data was affected or that any damage was caused to customers’ IT systems. No information has been released to date about what types of data were stored on the compromised systems and were therefore potentially accessible to the attackers prior to file encryption.