Finnish IT services and enterprise cloud hosting provider Tietoevry has suffered a ransomware attack impacting cloud hosting customers in one of its data centers in Sweden, with the attack reportedly conducted by the Akira ransomware gang.
Tietoevry is a Finnish IT services company offering managed services and cloud hosting for the enterprise. The company employs approximately 24,000 people worldwide and had a 2023 revenue of $3.1 billion.
Tietoevry confirmed today that the ransomware attack occurred Friday night into Saturday morning and has impacted only one of their data centers in Sweden.
“The attack was limited to one part of one of our Swedish datacenters, impacting Tietoevry’s services to some of our customers in Sweden,” explains a press statement from Tietoevry.
“Tietoevry immediately isolated the affected platform, and the ransomware attack has not affected other parts of the company’s infrastructure.”
BleepingComputer has learned that this data center is used for the company’s enterprise-managed cloud hosting service, leading to outages for a number of customers in Sweden.
The company says that it is in the process of restoring infrastructure and services but that customers still remain impacted as it brings servers back online.
“Tietoevry is following a well-tested methodology in order to restore infrastructure and services. The work is conducted in a planned sequence to ensure correct handling of customer data,” continues the press statement.
“Time schedule may also vary significantly depending on the customer, the solutions in question and the related data restoring needs.”
BleepingComputer has contacted Tietoevry for further information about the attack but was only told that the attack “impacted a specific part of one of Tietoevry’s data centers located in Sweden.”
Tietoevry previously suffered a ransomware attack in 2021 that forced them to disconnect clients’ services.
Attack causes widespread outages
BleepingComputer has learned that the ransomware attack encrypted the company’s virtualization and management servers used to host the websites or applications for a wide range of businesses in Sweden.
Sweden’s largest cinema chain, Filmstaden, has confirmed that they are among those impacted by the attack, preventing online purchases of movie tickets through the website or mobile app.
Other companies impacted by the attack include discount retail chain Rusta, raw building materials provider Moelven, and farming supplier Granngården, which was forced to close its stores while IT services are restored.
The outage is also impacting Tietoevry’s managed Payroll and HR system, Primula, which is used by the government, universities, and colleges in Sweden.
Impacted universities and colleges in the country include the Karolinska Institutet, SLU, University West, Stockholm University, Lunds Universitet, and Malmö University.
The Primula outage has also impacted numerous government agencies and municipalities in Sweden, including the Statens servicecenter, the Vellinge municipality, Bjuv’s municipality, and Uppsala County.
For Uppsala the outage is more significant as it also impacts the region’s health care record system.
Akira ransomware allegedly behind attack
BleepingComputer has been told that the Akira ransomware operation is behind the attack on Tietoevry, coming soon after the Finnish government warned about the group’s ongoing attacks against companies in the country.
The Akira ransomware operation launched in March 2023 and quickly began breaching corporate networks worldwide in double-extortion attacks.
The Finnish National Cyber Security Center (NCSC) disclosed this month that there were 12 reported cases of Akira ransomware attacks in 2023, with the majority happening late in the year.
“The incidents were particularly related to weakly secured Cisco VPN implementations or their unpatched vulnerabilities. Recovery is usually difficult,” warned the Finnish NCSC.
In August, BleepingComputer reported on the Akira ransomware gang breaching Cisco VPN accounts that were not protected by multi-factor authentication to gain access to internal corporate networks.
Once the threat actors breach a network, they spread laterally to other devices while stealing corporate data. Once all data has been stolen and they gain administrative privileges, the threat actors encrypt files on the network.
Cisco told BleepingComputer at the time that customers should configure MFA on all VPN accounts and send logging data to a remote syslog server.
With a remote syslog server, even if the threat actors clear logs on the Cisco router, the logs will still be available for analysis after a breach.
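A post-incident review of the remote syslog archive described above, as an added example that is not from the original article or from Cisco: the script flags VPN accounts whose successful login followed a burst of rejected attempts. The sample lines are constructed and modelled on Cisco ASA AAA messages 113004 and 113005; the collector timestamp prefix, host name, thresholds and function name are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of what a remote syslog collector might hold. Lines are
# modelled on Cisco ASA AAA messages 113004 (authentication successful) and
# 113005 (authentication rejected); the exact field layout is an assumption.
SAMPLE_LOG = """\
2024-01-05T08:00:00Z fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 192.0.2.10 : user = alice : user IP = 198.51.100.20
2024-01-05T08:00:20Z fw1 %ASA-6-113004: AAA user authentication Successful : server = 192.0.2.10 : user = alice
2024-01-05T22:01:10Z fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 192.0.2.10 : user = svc-backup : user IP = 203.0.113.7
2024-01-05T22:01:40Z fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 192.0.2.10 : user = svc-backup : user IP = 203.0.113.7
2024-01-05T22:02:05Z fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 192.0.2.10 : user = svc-backup : user IP = 203.0.113.7
2024-01-05T22:02:30Z fw1 %ASA-6-113004: AAA user authentication Successful : server = 192.0.2.10 : user = svc-backup
2024-01-05T22:03:00Z fw1 %ASA-6-302013: Built inbound TCP connection (constructed, ignored by the parser)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ %ASA-\d-(?P<id>113004|113005): .*?: user = (?P<user>\S+)"
)

def success_after_failures(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return {user: [(success_time, rejected_count), ...]} for logins that
    succeeded after at least `threshold` rejections inside `window`.
    Assumes the archive is in chronological order."""
    failures = defaultdict(list)   # user -> timestamps of rejected attempts
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # not an AAA authentication message
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        user = m["user"]
        if m["id"] == "113005":
            failures[user].append(ts)
        else:
            recent = [t for t in failures[user] if ts - window <= t <= ts]
            if len(recent) >= threshold:
                findings[user].append((ts, len(recent)))
            failures[user].clear() # start counting afresh after a success
    return dict(findings)

if __name__ == "__main__":
    for user, hits in success_after_failures(SAMPLE_LOG).items():
        for when, count in hits:
            print(f"{user}: login at {when} after {count} rejected attempts")
```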