SoftServe, one of the largest IT services companies in Ukraine, suffered a ransomware attack last week. Although the company only confirmed it recently, news of the hack and of reportedly stolen data was already being shared in online groups. The attackers are said to have abused a legitimate Windows tool to gain access.
SoftServe Hit by a Ransomware Attack, Clients Data Stolen
SoftServe is a well-known software and IT services company in Ukraine, with about 50 offices and 8,000 employees worldwide. News of the ransomware attack on SoftServe was first spotted in a Telegram group named “Telegram DС8044 Kyiv Info”, where an internal notification to its employees was shared.
In it, the company revealed that it suffered a cyberattack at around 1 AM on September 1st, in which the attackers accessed the company’s infrastructure and deployed ransomware. After identifying it as encrypting malware, the company took some of its services offline to contain it. It also said it had blocked connections to client networks as a precaution.
While this was a leak from the Telegram group, SoftServe eventually disclosed the incident publicly by confirming the news to the local tech news site AIN. Adrian Pavlikevich, Senior Vice President of IT at SoftServe, told AIN that they had disconnected part of their systems to restrict communication with client networks, and that they are still investigating the incident to learn more.
Meanwhile, links to code repositories holding the project source code of various companies, mostly SoftServe clients, surfaced online. While not yet confirmed, the encrypted files were reported to carry the extension “s0fts3rve555-”, hinting at the work of the Defray ransomware.
Exploiting a Legitimate Windows tool
The ransomware group is said to have abused a legitimate Windows customisation tool, Rainmeter, by way of a DLL named Rainmeter.dll. The report states, “Distributed ransomware DLL (Rainmeter.dll) compiled from legitimate Rainmeter – a desktop customization tool for Windows. Malicious DLL loading from legitimate EXE (used popular cyberattack method DLL side-loading) using additional instruments like CobaltStrike Beacon, PowerShell, etc. Such a technique is hard to detect by any antivirus as of now.”
The above statement comes from SoftServe’s incident report, which the company is preparing in order to explain the incident to its clients; it was leaked in the Telegram group along with links to the source code repositories of various clients, including Toyota, Panasonic, IBM, Cisco, ADT, WorldPay, and more.