A new variant of Ryuk ransomware previously unknown to antivirus software providers and security agencies was behind a cyberattack on Sopra Steria's operations, the digital services company has confirmed.
Sopra Steria’s investigation teams immediately provided the authorities with all the information they required and made the signature of this new Ryuk strain available to all leading antivirus software providers so they could update their products.
The attack was launched only a few days before it was detected, and it will take a few weeks for a return to normal, according to a company press release.
Ryuk came to prominence in late 2018 when it hit multiple U.S. newspapers. Since then, researchers have linked Ryuk to the Emotet and TrickBot trojans.
Sopra Steria said the security measures it implemented immediately made it possible to contain the malware to a limited part of Sopra Steria’s infrastructure, thus protecting its customers and partners.
As of early today, Sopra Steria had not identified any leaked data or damage caused to its customers’ information systems. Once it analyzed the attack and established a remediation plan, the company said it had started to reboot its information systems and operations.
Christiaan Beek, lead scientist and senior principal engineer at McAfee, said Ryuk ransomware was originally based on the Hermes ransomware. Hermes was sold on the black market, allowing cybercriminals to purchase the framework and adapt it into what has become known today as Ryuk.
“Typically the attacks are known to use a combination of Emotet, Trickbot and Ryuk,” Beek said. “The actors involved are not shy of using the latest technology vulnerabilities like Zerologon in the first stages of the attack chain to gain privileges on a victim's network. The code has evolved and updated over the last few months and especially the speed of encryption and evasion techniques have been priority enhancements. In many cases the actor has been creating a ‘custom’ variant of Ryuk for their victim.”
Kacey Clark, a threat researcher at Digital Shadows, added that Ryuk has become a prolific threat to organizations running Windows. She said Ryuk operators have reportedly been exploiting the Zerologon vulnerability. In mid-October, security researchers published details of Ryuk attacks showing how fast the attackers operate: Ryuk operators achieved complete encryption across targeted networks within five hours of gaining initial access, which came via phishing emails delivering the “BazarLoader” backdoor.
“Given the severity and the ease of exploiting Zerologon, attacks exploiting the vulnerability are likely to persist,” said Clark, who urged security teams to install the update for CVE-2020-1472 if they have yet to do so. McAfee also released additional Ryuk information on its threat priority dashboard.
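Installing the update is the first step; the second is confirming that no device is still negotiating vulnerable Netlogon connections, because Microsoft's CVE-2020-1472 fix runs in a non-enforcing mode at first and only logs offenders. The script below is an added example, not code from the article, McAfee or Digital Shadows. It triages the NETLOGON events the update adds to a domain controller's System log: 5827 and 5828 for denied vulnerable connections, 5829 for vulnerable connections still allowed, and 5830 and 5831 for connections allowed by an explicit group-policy exception. The JSON-lines export format, the host names and the log records are all constructed for the example.

```python
"""Triage NETLOGON events 5827-5831 (added by the CVE-2020-1472 update) from an exported log.

Added example: the export shape (one JSON object per line with EventID, Computer
and Message) and every record below are assumptions constructed for illustration.
"""
import json
import re
from collections import defaultdict

VULNERABLE_DENIED = {5827, 5828}      # vulnerable connection refused (enforcement, or a DC-account spoof attempt)
VULNERABLE_ALLOWED = {5829}           # vulnerable connection allowed: enforcement not yet active on this DC
ALLOWED_BY_POLICY = {5830, 5831}      # vulnerable connection allowed by group-policy exception
ZEROLOGON_EVENTS = VULNERABLE_DENIED | VULNERABLE_ALLOWED | ALLOWED_BY_POLICY

# Constructed sample export (not real telemetry); message text paraphrases the event wording.
SAMPLE_LOG = """\
{"EventID": 4624, "Computer": "DC01.corp.example", "Message": "An account was successfully logged on."}
{"EventID": 5829, "Computer": "DC01.corp.example", "Message": "The Netlogon service allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: FILESRV01$ Domain: CORP"}
{"EventID": 5827, "Computer": "DC01.corp.example", "Message": "The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account. Machine SamAccountName: DC01$ Domain: CORP"}
{"EventID": 5829, "Computer": "DC02.corp.example", "Message": "The Netlogon service allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: FILESRV01$ Domain: CORP"}
{"EventID": 5831, "Computer": "DC02.corp.example", "Message": "The Netlogon service allowed a vulnerable Netlogon secure channel connection because the trust account is allowed in the group policy. Trust Name: OLDDOMAIN"}
"""

ACCOUNT_RE = re.compile(r"Machine SamAccountName:\s*(\S+)")
TRUST_RE = re.compile(r"Trust Name:\s*(\S+)")


def parse_events(text):
    """Yield (event_id, reporting_dc, message) per JSON line; malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            yield int(rec["EventID"]), rec["Computer"], rec.get("Message", "")
        except (ValueError, KeyError):
            continue


def triage(text):
    """Group the Zerologon-related events by category and by the account or trust they name.

    Returns {"denied" | "allowed_unenforced" | "allowed_by_policy": {subject: set(reporting DCs)}}.
    """
    out = {"denied": defaultdict(set),
           "allowed_unenforced": defaultdict(set),
           "allowed_by_policy": defaultdict(set)}
    for eid, dc, msg in parse_events(text):
        if eid not in ZEROLOGON_EVENTS:
            continue
        m = ACCOUNT_RE.search(msg) or TRUST_RE.search(msg)
        subject = m.group(1) if m else "<unknown>"
        if eid in VULNERABLE_DENIED:
            out["denied"][subject].add(dc)
        elif eid in VULNERABLE_ALLOWED:
            out["allowed_unenforced"][subject].add(dc)
        else:
            out["allowed_by_policy"][subject].add(dc)
    return out


def dc_self_denials(text):
    """Return the DCs that denied a vulnerable connection claiming to be their own machine account.

    A non-DC host should never present a DC's account; this pattern deserves an incident ticket
    rather than a patch reminder.
    """
    hits = set()
    for eid, dc, msg in parse_events(text):
        if eid not in VULNERABLE_DENIED:
            continue
        m = ACCOUNT_RE.search(msg)
        if m and m.group(1).upper() == dc.split(".")[0].upper() + "$":
            hits.add(dc)
    return hits


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for category, subjects in summary.items():
        for subject, dcs in sorted(subjects.items()):
            print(f"{category:20s} {subject:12s} reported by {', '.join(sorted(dcs))}")
    for dc in sorted(dc_self_denials(SAMPLE_LOG)):
        print(f"INVESTIGATE: {dc} denied a connection presenting its own machine account")
```

Run against a real export, every account under `allowed_unenforced` is a device that still needs patching or replacing before enforcement is switched on (the update turns it on through the `FullSecureChannelProtection` DWORD under `HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters`), and every entry under `allowed_by_policy` is an exception someone should be able to justify.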