Sopra Steria describes itself as a European leader in consulting, digital services and software development, helping its clients drive their digital transformation to obtain tangible and sustainable benefits. Its mission statement says there is no telling what technology can do and that its opportunities are infinite.

Sopra Steria is right. Technology is powerful, and there is no telling what it can do or what an individual can do with it. In this case, technology was turned against Sopra Steria. On October 20, the company was hit with a ransomware attack: threat actors compromised its environment and deployed ransomware. The group behind Ryuk ransomware is responsible.

Ryuk is known for demanding high-dollar ransoms from its victims. Since its first reported attacks in August 2018, Ryuk has targeted hospitals, government institutions, organizations and businesses. The group uses hands-on-keyboard techniques and open-source tools to move laterally across a network and obtain administrative access to as many endpoints as possible before encrypting data and demanding payment. Ryuk’s targets usually hold critical assets, and as a result they are more likely to pay the ransom demanded.

Ryuk is suspected to be the creation of a Russian-speaking criminal group. Its operators usually demand roughly $100K – $500K in bitcoin but have received payments in the millions; according to the FBI, at least $61 million was hauled in during 2019 in the US alone. Ryuk operators infiltrate a victim’s network first and then decide whether to deploy ransomware based on the assets they can reach. They have also been known to keep poking at an organization with repeated phishing attempts when a ransomware deployment fails.

Ryuk is usually distributed via TrickBot, but not always. When a TrickBot infection leads to Ryuk, the time between the initial infiltration and the ransomware deployment can be anywhere from a few hours to a few weeks; the timing seems to depend on the value of the potential payout. Regardless, swift lateral movement across the environment serves the operators’ goal of taking over domain controllers and other critical systems, so the entire network is compromised rather than a few endpoints here and there.

The victim says that, as of right now, no data has been leaked. How Ryuk got into and spread across Sopra Steria’s network has yet to be determined, but most ransomware attacks SpearTip experts have handled begin with a phishing email in which a malicious link or attachment is clicked. That foothold then lets the ransomware operators gain complete access to the network. Sopra Steria has slowly brought systems back online, but it will take several weeks to fully recover from this cyberattack.

SpearTip’s ShadowSpear® Memory Injection Prevention module would step in to prevent Ryuk ransomware attacks. Network defenders should apply these strategies and tools to avoid falling victim to Ryuk, though an intrusion usually begins with non-technical end users. Implementing user awareness training and phishing exercises has been shown to improve an organization’s security posture tremendously; the weakest link is almost always the human element. Using a trusted EDR tool raises the level of protection for your organization’s network.
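One concrete detection that complements the controls above is watching for the file-system burst a ransomware deployment produces: a single process renaming many files to one new extension in a short window. The following script is an added example written for this article; it is not SpearTip’s or ShadowSpear’s code, and the event line format, the process names, the `.locked` extension and the thresholds are all constructed assumptions for the demonstration.

```python
"""Heuristic detector for ransomware-style mass file renames.

Added example, not SpearTip's or ShadowSpear's code. It scans file-activity
events (one 'key=value' line each; a constructed format for this example)
and flags any process that renames more than a threshold of files to one
new extension within a short time window, the pattern an encryption run
such as a Ryuk deployment produces on a file share.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example, not vendor settings.
RENAME_THRESHOLD = 20            # renames to one new extension ...
WINDOW = timedelta(seconds=60)   # ... within this window triggers an alert


def _extension(path):
    """Return the lower-cased final extension of a Windows or POSIX path."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def parse_event(line):
    """Parse one 'ts=... host=... op=...' line into a dict (paths have no spaces)."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def detect_rename_bursts(lines, threshold=RENAME_THRESHOLD, window=WINDOW):
    """Return one alert per (host, pid, image, new extension) that exceeds
    `threshold` extension-changing renames inside any `window`-long span."""
    renames = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev.get("op") != "rename":
            continue
        old_ext, new_ext = _extension(ev["src"]), _extension(ev["dst"])
        if not new_ext or new_ext == old_ext:
            continue  # same extension: an ordinary save/replace, not an encryption rename
        renames[(ev["host"], ev["pid"], ev["image"], new_ext)].append(ev["ts"])

    alerts = []
    for (host, pid, image, ext), stamps in renames.items():
        stamps.sort()
        j = 0
        for i in range(len(stamps)):          # sliding window over sorted timestamps
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            if j - i >= threshold:
                alerts.append({"host": host, "pid": pid, "image": image,
                               "extension": ext, "count": j - i,
                               "first": stamps[i], "last": stamps[j - 1]})
                break                         # one alert per process/extension is enough
    return alerts


# Constructed sample events: three benign saves by a word processor spread over
# minutes, then one unknown process renaming 25 spreadsheets in 30 seconds.
_BASE = datetime(2020, 10, 20, 3, 14, 5)
SAMPLE_EVENTS = []
for n in range(3):
    ts = (_BASE + timedelta(minutes=2 * n)).isoformat()
    SAMPLE_EVENTS.append(f"ts={ts} host=FS01 pid=880 image=WINWORD.EXE op=rename "
                         f"src=D:\\Share\\report{n}.tmp dst=D:\\Share\\report{n}.docx")
for n in range(25):
    ts = (_BASE + timedelta(seconds=n)).isoformat()
    SAMPLE_EVENTS.append(f"ts={ts} host=FS01 pid=4120 image=unknown_encryptor.exe op=rename "
                         f"src=D:\\Share\\file{n}.xlsx dst=D:\\Share\\file{n}.xlsx.locked")
SAMPLE_EVENTS.append(f"ts={(_BASE + timedelta(seconds=40)).isoformat()} host=FS01 pid=4120 "
                     f"image=unknown_encryptor.exe op=create dst=D:\\Share\\README.txt")

if __name__ == "__main__":
    for alert in detect_rename_bursts(SAMPLE_EVENTS):
        print(f"ALERT {alert['host']} pid={alert['pid']} {alert['image']} renamed "
              f"{alert['count']} files to {alert['extension']} between "
              f"{alert['first'].time()} and {alert['last'].time()}")
```

The rename-rate heuristic is deliberately simple so it can run on any source that records file renames per process (EDR telemetry, file-server auditing, Sysmon); tune the threshold and window against a baseline of normal activity on the share before alerting on it, and treat a hit as a trigger to isolate the host rather than as proof on its own.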

Our cybersecurity professionals stay on alert for malware and manipulative programs by building cases on the threat groups and actors they encounter daily. Our 24/7 Security Operations Center (SOC) is staffed with certified security engineers who monitor and protect your environment. Not only do they continuously prevent cyberattacks, they can also deploy our proprietary tool, ShadowSpear®, in your environment before or after an attack.