On October 21, 2020, French IT services firm Sopra Steria disclosed that a cyberattack had been disrupting its IT network since the evening of October 20. The firm notified the relevant authorities and activated its emergency procedures to contain the damage. The source, type, and intent of the attack were not known at the time; an updated statement from its subsidiary, Sopra Banking Software (SBS), later confirmed that a new variant of the Ryuk ransomware was responsible.
According to Sopra Steria's internal investigation, the operators had gained access to its network and systems only a few days before the malicious activity was detected. Because the intrusion was caught early in its lifecycle, the company was able to confine the impact to a limited part of its IT infrastructure.
New Ryuk Ransomware Variant?
According to the group's IT team, current versions of anti-virus software and firewalls were deployed on its systems and networks respectively, so the fact that the ransomware ran undetected was unexpected. This prompted a deeper investigation, which established that the sample did not match any existing Ryuk signatures and was a previously unknown Ryuk variant, explaining why it was not detected during the initial phase of the attack. The outcome is an unsurprising one for signature-based controls: a variant that has not yet been catalogued by vendors will not be blocked until detection rules are updated, which is why behaviour-based detection and prompt containment matter. The investigators and the IT team shared their findings on the new variant with all known anti-virus providers so that their indicators of compromise (IOCs) could be updated for it.
The company said, “Having analyzed the attack and established a remediation plan, the Group is starting to reboot its information system and operations progressively and securely. However, having said that, it will take a few weeks for a return to normal across the Group.”