Finnish IT providers and enterprise cloud internet hosting supplier Tietoevry has suffered a ransomware assault impacting cloud internet hosting clients in considered one of its information facilities in Sweden, with the assault reportedly performed by the Akira ransomware gang.
Tietoevry is a Finnish IT providers firm providing managed providers and cloud internet hosting for the enterprise. The firm employs roughly 24,000 folks worldwide and had a 2023 income of $3.1 billion.
Tietoevry confirmed right this moment that the ransomware assault occurred Friday night time into Saturday morning and has impacted solely considered one of their information facilities in Sweden.
“The assault was restricted to at least one a part of considered one of our Swedish datacenters, impacting Tietoevry’s providers to a few of our clients in Sweden,” explains a press assertion from Tietoevry.
“Tietoevry instantly remoted the affected platform, and the ransomware assault has not affected different elements of the corporate’s infrastructure.”
BleepingComputer has realized that this information middle is used for the corporate’s enterprise-managed cloud internet hosting service, resulting in outages for a number of clients in Sweden.
The firm says that they’re within the technique of restoring infrastructure and providers however that clients nonetheless stay impacted as they carry servers again on-line.
“Tietoevry is following a well-tested methodology with a view to restore infrastructure and providers. The work is performed in a deliberate sequence to make sure right dealing with of buyer information,” continues the press assertion.
“Time schedule will even range considerably relying on the client, the options in query and the associated information restoring wants.”
Tietoevry beforehand suffered a ransomware assault in 2021 that pressured them to disconnect shoppers’ providers.
If you may have any data on this assault or different cyberattacks, you possibly can contact us securely on Signal at +1 (646) 961-3731, through electronic mail at ideas@bleepingcomputer.com, or by utilizing our ideas kind.
Attack causes widespread outages
BleepingComputer has realized that the ransomware assault encrypted the corporate’s virtualization and administration servers used to host the web sites or functions for a variety of companies in Sweden.
Sweden’s largest cinema chain, Filmstaden, has confirmed that they’re amongst these affected by the assault, stopping on-line purchases of film tickets by the web site or cell app.
Source: BleepingComputer
Other firms impacted by the assault embrace low cost retail chain Rusta, uncooked constructing supplies supplier Moelven, and farming provider Grangnården, which was pressured to shut its shops whereas IT providers are restored.
The outage can be impacting Tietoevry’s managed Payroll and HR system, Primula, which is utilized by the federal government, universities, and schools in Sweden.
Impacted universities and schools within the nation embrace the Karolinska Institutet, SLU, University West, Stockholm University, Lunds University, and Malmö University.
The Primula outage has additionally impacted quite a few authorities businesses and municipalities in Sweden, together with the Statens service middle, the Vellinge municipality, Bjuv’s municipality, and Uppsala County.
For Uppsala the outage is extra vital because it additionally impacts the area’s well being care report system.
Akira ransomware allegedly behind the assault
BleepingComputer has been advised that the Akira ransomware operation is behind the assault on Tietoevry, coming quickly after the Finnish authorities warned about their ongoing assaults in opposition to firms within the nation.
The Akira ransomware operation launched in March 2023 and shortly started breaching company networks worldwide in double-extortion assaults.
The Finnish National Cyber Security Center (NCSC) disclosed this month that there have been 12 reported instances of Akira ransomware assaults in 2023, with the bulk occurring late within the yr.
“The incidents had been significantly associated to weakly secured Cisco VPN implementations or their unpatched vulnerabilities. Recovery is often laborious,” warned the Finnish NCSC.
In August, BleepingComputer reported on the Akira ransomware gang breaching Cisco VPN accounts that weren’t protected by multi-factor authentication to achieve entry to inner company networks.
Once the menace actors breach a community, they unfold laterally to different gadgets whereas stealing company information. Once all information has been stolen they usually achieve administrative privileges, the menace actors encrypt recordsdata on the community.
Cisco advised BleepingComputer on the time that clients ought to configure MFA on all VPN accounts and ship logging information to a distant syslog server.
Using a distant syslog server, even when the menace actors clear logs on the Cisco router, they may nonetheless be accessible for evaluation after a breach.