French IT outsourcer Sopra Steria hit by 'cyberattack', Ryuk ransomware suspected

You know, the firm that runs half of NHS Shared Business Services


French-headquartered IT outsourcer Sopra Steria has been struck by a “cyberattack,” reportedly linked to the Ryuk ransomware gang.

The business declined to say what had happened, though French media reports indicated (en francais) that Sopra Steria’s Active Directory infrastructure had been compromised, seemingly by hackers linked to the Ryuk malware crowd.

Sopra Steria declined to comment when The Register contacted it, beyond referring us to a regulatory statement published last night at 19:15 CEST (18:15 UK time).

This said:

A cyberattack has been detected on Sopra Steria’s (Paris:SOP) IT network on the evening of 20th October. Security measures have been implemented in order to contain risks. The Group’s teams are working hard for a return to normal as quickly as possible and every effort has been made to ensure business continuity.

The outsourcer also runs a joint venture with the UK Department of Health and the NHS, NHS Shared Business Services, which just this week awarded a £500m framework to a number of smaller firms. That same joint venture was found back in 2017 to be responsible for the biggest ever loss of patient documents - more than 708,000 items of correspondence, including test results.

Authorities in France are said to be investigating.

Infosec blogger Graham Cluley opined: “Naturally Sopra Steria’s corporate clients, some of whom rely upon the firm to operate their core business processes and IT systems, will be concerned and will have plenty of questions regarding the nature of the attack.”

Sopra Steria is a member of France’s Cyber Campus, an industry-led initiative to spread cyber security awareness, training and product sales. Some local news outlets interpreted the attack as an embarrassment, though the blunt truth is that phishing attacks which lead to ransomware infections tend to be very difficult for non-specialists to spot.

There is hope at hand for Sopra Steria, however, if the malware is indeed Ryuk. In late 2019 an infosec firm declared it had obtained a decryptor for the ransomware, meaning victims do not necessarily need to pay criminals to get their files back.

Over on this side of the channel, the IT outsourcer was this month in court amid allegations of unpaid invoices and substandard work. ®


Two ransomware strains target VMware’s ESXi hypervisor through stolen vCenter creds

CARBON SPIDER and SPRITE SPIDER give you extra reasons to patch last week’s critical vCenter bug

Two strains of ransomware have recently been updated to target VMware’s ESXi hypervisor and encrypt virtual machine files, says security vendor CrowdStrike.

Neither attack has found a way into ESXi itself, which is welcome news as a successful attack on the type-one hypervisor would mean hosts could be compromised. Instead, both rely on finding credentials to the vCenter Servers used to manage ESXi and the virtual machines it tends. Don’t relax just yet, vAdmins, unless you’ve patched the critical-rated flaw revealed last week that allows remote code execution on a vCenter server.

CrowdStrike says the two ransomware strains it’s observed attacking ESXi are named CARBON SPIDER and SPRITE SPIDER.

Scottish enviro bods shrug off ransomware gang's extortion attempt as 4,000 files dumped online, saying it's nothing big

Awa' an bile yer heid, SEPA tells ransomware scum

About 4,000 stolen files from the Scottish Environmental Protection Agency (SEPA) have been dumped online by frustrated ransomware criminals after the public sector body refused to pay out.

The move was predicted by the agency itself following the Conti criminal gang’s malware attack against SEPA earlier this month.

SEPA had, quite correctly, refused to pay the extortionists to prevent disclosure. It had even predicted how many files the crims would dump online, saying on 14 January: “Nevertheless, it still means that at least four thousand files may have been stolen by criminals.”

Insurance firm Ardonagh Group disabled 200 admin accounts as ransomware infection took hold

Firm says 'cyber incident' is being fought with third-party help

Jersey-headquartered insurance company Ardonagh Group has suffered a potential ransomware infection.

Informed sources whispered to The Register that the insurance firm had been forced to suspend 200 internal accounts with admin privileges as the "cyber incident" progressed through its IT estate.

The UK's second largest privately owned insurance broker, according to the Financial Times, Ardonagh Group has spent the year to date acquiring other companies.

Ransomware attack shutters Brazilian courts. But did attackers breach the virtual machine divide?

Six-day outage predicted as rebuild commences from untouched backups

Brazil’s Superior Tribunal de Justiça has temporarily shut down after a suspected ransomware attack.

The Tribunal (STJ) is second-highest of Brazil’s courts and is the highest court that decides on federal matters other than constitutional law. At the time of writing, the court’s website consists of nothing but a series of updates on the attack. Those notifications state that a virus attack was detected on November 3, when court networks were shut down as a precaution.

The most recent update says data scrambled by the ransomware related to legal proceedings, email, and administrative contracts. The statement says the data has been backed up and that work to restore systems is under way, with court business to resume on Monday November 9. Which will be more than welcome because hundreds of cases have been suspended due to the incident.

Ransomware attack takes out UK Research and Innovation's Brussels networking office

'Sensitive' personal data not accessed – so what about names and contact deets?

UK Research and Innovation, the British government's science and research organisation, has temporarily turned off a couple of its web-facing services after an apparent ransomware attack.

In a statement issued last week while everyone was gazing goggle-eyed at the European Union's vaccine export struggles, UKRI said data from its Brussels-based UK Research Office (UKRO) and an extranet service had been "encrypted by a third party".

"We have reported the incident to the National Crime Agency, the National Cyber Security Centre and Information Commissioner's Office," said UKRI, which apologised to all affected and added that analysis of the attack was ongoing.

Edinburgh Woollen Mill ransomware claim: Crims demand cash from target in administration

Egregor gang publishes stolen data snippet but did anyone receive their extortion note?

Ransomware criminals who targeted Edinburgh Woollen Mill are congratulating themselves on infiltrating the business and publishing their usual extortion demands – unaware the company has crashed into administration.

The Egregor ransomware crew followed the criminal playbook to perfection. They found a way into a reasonably-sized business, locked up its files and then sent ransom demands.

When those demands weren’t answered, the gang – who had, as is fashionable for ransomware criminals, set up an extortion website – published a snippet of stolen data on their site to attract media attention.

Forget Snow Day: Baltimore's 115,000+ public school kids get Ransomware Day, must check Win PCs for infection

We don't need no education... IT department may need some

Students in Baltimore, Maryland, were on Sunday warned against connecting their Windows PCs to the county’s public school IT system after it was hit by ransomware.

Baltimore County Public Schools (BCPS) has revealed few details about the malware infection, and only confirmed it was a “victim of a [ransomware] attack that caused systemic interruption to network information systems.”

The file-scrambling nasty – understood to be Ryuk – struck on Wednesday, taking systems offline just before the Thanksgiving break. As a result, more than 115,000 kids were cut off from their classes, being held over the internet due to the coronavirus pandemic, and are not expected to resume their virtual lessons until Wednesday this week.

Clop ransomware gang clips sensitive files from Atlantic Records' London ad agency The7stars, dumps them online

Medium-sized firm, big revenues, big target

Updated A London ad agency that counts Atlantic Records, Suzuki, and Penguin Random House among its clients has had its files dumped online by a ransomware gang, The Register can reveal.

The7stars, based in London's West End, filed [PDF] revenues of £379.36m up from £326m, gross billing of £426m and net profit of £2.1m for the year ended 31 March 2020.

In the same accounts filed with UK register Companies House, it boasted of its position as the "largest independently owned media agency in the UK by a significant factor", making it a juicy target for the Clop ransomware extortionists.

Ransomware masterminds claim to have nabbed 53GB of data from Intel's Habana Labs

Miscreants threaten to make files, source code public within 72 hours

The Pay2Key ransomware group on Sunday posted what appear to be details of internal files obtained from Habana Labs, an Israel-based chip startup acquired a year ago by Intel.

The hacking group, which has been linked to Iranians by security firm Check Point, published a screenshot of source code credited to Habana Labs via Twitter, alongside a link to a Tor Browser-accessible .onion address. The website contains file names associated with Habana Labs' Gerrit code collaboration software, DomainController data, and documents that appear to have come from the AI chipmaker.

As this story was being written, the @pay2key account was suspended for violating Twitter's rules.
