Sopra Steria says Ryuk ransomware attack cost €50m to remediate

Digital services and IT consultancy giant Sopra Steria said on Wednesday that the Ryuk ransomware attack, which struck its network on 21st October this year, is expected to impact its operating margin by up to €50 million due to the unavailability of services and the cost of remediation.

Sopra Steria first announced the ransomware incident in late October, stating that the attack succeeded because hackers used a new version of the Ryuk ransomware that was previously unknown to antivirus software providers and security agencies.

The company said that after the ransomware attack was detected, its security teams made the new version’s virus signature available to all antivirus software providers to help them update their software as early as possible. Security experts were also able to contain the virus to only a limited part of the Group’s infrastructure and to protect its customers and partners.

"At this stage, and following an in-depth investigation, Sopra Steria has not identified any leaked data or damage caused to its customers’ information systems. Having analysed the attack and established a remediation plan, the Group is starting to reboot its information system and operations progressively and securely, as of today. It will take a few weeks for a return to normal across the Group," the company said.

On Wednesday, the IT services giant issued a fresh update on the cyber attack, stating that the restoration of all networks and services, which was initiated on 26th October, was nearly complete and that it had not identified any leaked data or damage caused to its customers’ information systems.

The company said it has been able to restore access to workstations, R&D and production servers, as well as to in-house tools and applications, while working closely with customers and focussing on security. However, the remediation programme and the unavailability of some services for a prolonged period dealt a significant blow to the company's operating margin.

"The remediation and differing levels of unavailability of the various systems since 21 October is expected to have a gross negative impact on the operating margin of between €40 million and €50 million. The Group’s insurance coverage for cyber risks totals €30 million," Sopra Steria said.

"After including the items mentioned above, for the financial year 2020 Sopra Steria expects to see negative organic revenue growth of between 4.5% and 5.0% (previously “between -2% and -4%”), an operating margin on business activity of around 6.5% (previously “between 6% and 7%”), and free cash flow of between €50 million and €100 million (previously “between €80m and €120m”)," it added.

The huge financial impact that Sopra Steria had to bear indicates the extent to which a successful ransomware attack can impact large organisations. A similar ransomware attack targeting a smaller organisation could have crippled operations for a prolonged period or could have led to a more serious outcome.

Tom Davison, technical director – international at Lookout, told TEISS that since cyber criminals are constantly iterating to evade detection and take advantage of new vulnerabilities, the best defence is to keep systems patched and use security tools that can take advantage of huge datasets. This allows for proactive and ongoing identification of rogue behaviours rather than a reliance on specific signatures.

According to Brian Higgins, Security specialist at Comparitech.com, it has always been a favourite methodology of cybercriminals to take the existing source code of successful attack platforms and tweak it to produce a ‘new’ version. This can often simply involve amendments to bypass contemporary anti-virus (AV) measures whilst leaving the payload untouched, and that would appear to be the case here.

"If this proves anything at all it is that, whilst AV is often looked upon as an outdated and unsophisticated tool in the Cybercrime prevention box, it remains vital to ensure it is implemented and running the latest version wherever possible," he added.