IT services provider Sopra Steria has confirmed that it was hit by a “new version” of the Ryuk ransomware that was “previously unknown to antivirus software providers and security agencies”.
The French-headquartered company detected the cyberattack on 20 October and made it public the following day.
Reports pointed to hackers using Ryuk ransomware to target Sopra Steria’s Active Directory infrastructure. This saw some IT systems encrypted and payment demanded to unlock them.
Sopra Steria said it has made the virus signature of the new Ryuk ransomware strain available to “all antivirus software providers” so that they can update their defences.
Sopra Steria said that the ransomware attack was launched “a few days before it was detected”, which meant the virus was contained to a “limited part of the Group’s infrastructure”.
It has been revealed that Ryuk operators exploited the Netlogon vulnerability CVE-2020-1472, which hits domain controllers, and exfiltrated data. Microsoft released the patch for this vulnerability in August.
The company, which provides IT outsourcing services to the NHS and Home Office, said it has not identified any leaked data or damage to client networks.
It may take a few weeks for services to be back up across geographies.
Microsoft has disrupted a massive hacking operation that it said could have indirectly affected election infrastructure.
The company said Monday it took down the servers behind Trickbot, an enormous malware network that criminals were using to launch other cyberattacks, including a strain of highly potent ransomware.
Microsoft said it obtained a federal court order to disable the IP addresses associated with Trickbot’s servers, and worked with telecom providers around the world to stamp out the network. The action coincides with an offensive by US Cyber Command to disrupt the cybercriminals, at least temporarily, according to The Washington Post.
Microsoft (MSFT) acknowledged that the attackers are likely to adapt and seek to revive their operations eventually. But, Microsoft said, the company’s efforts reflect a “new legal approach” that may help authorities fight the network going forward. Trickbot allowed hackers to sell what Microsoft said was a service to other hackers — offering them the capability to inject vulnerable computers, routers and other devices with other malware. That includes ransomware, which Microsoft and US officials have warned could pose a risk to websites that display election information or to third-party software vendors that provide services to election officials.
“Adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust,” Microsoft VP of security Tom Burt wrote in a blog post.
Ransomware seizes control of target computers and freezes them until victims pay up — though experts urge those affected by ransomware not to encourage hackers by complying with their demands. The Treasury Department has warned that paying ransoms could violate US sanctions policy.
He added: “We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.” A separate technical report by Microsoft on Monday said Trickbot has been used to spread the Ryuk ransomware. Security experts say Ryuk has been attacking 20 organizations per week, and was reportedly the ransomware that hit Universal Health Services, one of the nation’s largest hospital companies.
Trickbot has also been used to spread false and malicious emails containing malware that tried to lure victims in with messaging surrounding Black Lives Matter and Covid-19.
Microsoft said Trickbot has infected more than 1 million computing devices globally since 2016 and that its operators have acted on behalf of both governments and criminal organizations, but their exact identity remains ambiguous.
Taking down Trickbot follows a series of attacks that became highly publicized in recent weeks: One targeting Tyler Technologies, a software vendor used by numerous local governments, and Universal Health Services, one of the nation’s largest hospital companies. A statement on Tyler Technologies’ website has said the company does not directly make election software and the software it does produce that is used by election officials to display voting information is separate from its internal systems that were affected by the attack. Ransomware could pose a risk to the election process if systems designed to support voting are brought down, according to Check Point threat analyst Lotem Finkelsteen, but so far experts regard it as “mainly a hypothetical threat right now.”
Two more ransomware gangs, Conti and SunCrypt, have apparently joined the Maze collective, which currently consists of Maze, LockBit and Ragnar Locker.
Maze operators announced the creation of a ransomware cartel that included other cybercrime gangs, which teamed up to share resources, leak victims’ data on Maze’s “news” site and extort their victims.
The Conti ransomware gang, which recently launched its own data leak site, is collaborating with Maze. “They’ve published data from a number of Maze attacks.”
Conti may be a replacement for Ryuk, which has seen a significant dip in activity in recent weeks. It shares some of its code with Ryuk, uses the same note and also the same infrastructure, which could indicate it was created by the Ryuk team or a splinter group.
Recently, researchers came across a leak disclosure post in which Conti ransomware operators claim to have breached the Volkswagen Group.
The further expansion highlights the increasing momentum of Maze, which has claimed responsibility for several high-profile ransomware attacks in recent months. Earlier this month, a major cyberattack on technology giant Canon was believed to be the latest work of the cybercriminal gang.