Finnish IT Giant Hit with Ransomware Cyberattack

TietoEVRY was forced to shut down services and infrastructure as the company continues to investigate the incident with relevant authorities.

A major Finnish IT provider has been hit with a ransomware attack that has forced the company to turn off some services and infrastructure in a disruption to customers, while it takes recovery measures.

Norwegian business journal E24 reported the attack on Espoo, Finland-based TietoEVRY on Tuesday, claiming to have spoken with Geir Remman, a communications director at the company. Remman acknowledged technical problems with several services that TietoEVRY provides to 25 customers, which are “due to a ransom attack,” according to the report.

Remman told E24 that the company considers the attack “a serious criminal act.” TietoEVRY turned off the unspecified services and infrastructure affected “as a preventative measure” until it can recover relevant data, and restart systems “in a controlled manner,” he said.

Threatpost Webinar February Promo

Click to Register

However, at this time, it does not seem that any critical or personal data has been accessed or stolen by the attackers, Remman added.

TietoEVRY is a software and service company providing IT and product engineering services in 20 countries. The publicly traded company is listed on the NASDAQ OMX Helsinki and Stockholm exchanges.

The company has informed customers of the incident and is in ongoing communication with them as the situation unfolds, according to the report.

“TietoEVRY takes this incident very seriously, and apologizes for the inconvenience this causes to our customers,” Christian Pedersen, managing partner in Tietoevry Norway, said in a media statement. “We have activated an extended team with the necessary capacity and competence, and are working with relevant partners to handle the situation.”

Those partners include the National Security Authority (NSM) and NorCert, the agencies in Finland who handle cyber attacks, which TietoEVRY immediately contacted after the attack, Remman said, according to the report.

“We are in dialogue with the police about the case,” he told E24. “At the same time, we recommend that customers also report the case to the police.”

Finland’s NSM confirmed that TietoEVRY contacted it and that the agency is supporting the company in mitigating and investigating the incident, to “see if similar malware has been used elsewhere,” spokeswoman Mona Strøm Arnøy told the media. The NSM also will help the company restore its infrastructure, she said.

Saryu Nayyar, CEO at Gurucul, noted that most ransomware gangs are out of the reach of law enforcement.

“While Finnish IT firm TietoEVRY may be able to recover effectively, it is unlikely they will get justice even after involving the appropriate law-enforcement organizations,” she told Threatpost. “Many of these cybercrime gangs are international in scope and operate from locales that turn a blind eye to crimes against foreign targets, if not tacitly support their activities. That makes law enforcement’s job harder, and puts a greater burden on organizations to keep their own defenses fully up to date and effective.”

At this time it’s not known which ransomware group is responsible for the attack. Several have been active lately, including the Clop ransomware gang, which has been linked to recent global zero-day attacks on users of the Accellion legacy File Transfer Appliance product; DoppelPaymer, which hit Kia Motors with an attack demanding $20 billion in ransom last week; and HelloKitty, which is suspected to be behind the attack of CD Projekt Red, the videogame-development company behind Cyberpunk 2077, earlier this month.

“The attacks on TietoEVRY should be a message to every enterprise with a public facing internet exposure: You are being scanned for available hosts, network port openings, vulnerabilities and misconfigurations,” Garret Grajek, CEO at YouAttest, told Threatpost. “The hackers are opportunity-based. The malware that is implanted is almost immaterial to the first phase of the cyber kill chain (reconnaissance).”

He added, “Once an open server is deemed open, vulnerability scans are run on the server/service to see what malware can be implanted. It can be a bot for further spamming or exploration – or it could be trojans that continue the cyber kill chain and enumerate your environment, escalate their privileges and move across your enterprise. The final result may be a ransomware attack or an exfiltration of data to be sold on the dark web.”

TietroEVRY did not immediately reply to an email by Threatpost Tuesday requesting confirmation and details of the attack. The company is not publicly speculating or revealing specifics until it investigates further, Pedersen told E24.

This is a developing story.

Is your small- to medium-sized business an easy mark for attackers? 

Threatpost WEBINAR:  Save your spot for 15 Cybersecurity Gaffes SMBs Make,” a  FREE Threatpost webinar on Feb. 24 at 2 p.m. ET. Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. Register NOW for this LIVE webinar on Wed., Feb. 24.

Suggested articles