Tietoevry Ransomware Attack Causes Disruptions Across Firms

Finnish IT services and enterprise cloud hosting provider Tietoevry is grappling with the aftermath of a ransomware attack that has caused widespread outages for multiple customers and cities in Sweden. The attack, reportedly orchestrated by the Akira ransomware gang, targeted one of Tietoevry’s data centers in Sweden and impacted the company’s managed cloud hosting services.

Tietoevry, a major player in the IT services sector with approximately 24,000 employees worldwide and a 2023 revenue of $3.1 billion, confirmed that the ransomware incident occurred from Friday night into Saturday morning. The affected data center is crucial for the company’s enterprise-managed cloud hosting service, leading to disruptions for various customers in Sweden.

In response to the attack, Tietoevry promptly isolated the affected platform and said that the ransomware incident has not affected other parts of the company’s infrastructure. However, work to restore infrastructure and services is ongoing, and customers remain affected while servers are brought back online.

Among the affected entities is Filmstaden, Sweden’s largest cinema chain, which confirmed the impact on its online ticket purchasing system. The outage extends to various universities and colleges, including Karolinska Institutet, SLU, University West, Stockholm University, Lunds Universitet, and Malmö University.

The Akira ransomware operation has been identified as the perpetrator behind the attack. The group has gained notoriety since its launch in March 2023 and focuses on double-extortion attacks worldwide. The Finnish National Cyber Security Center (NCSC) warned about ongoing Akira attacks in the country, with 12 reported cases in 2023, primarily exploiting weakly secured Cisco VPN implementations or unpatched vulnerabilities.

The modus operandi of the Akira ransomware gang involves breaching Cisco VPN accounts that lack multi-factor authentication (MFA), which gives them access to internal corporate networks. Once inside, the threat actors move laterally, steal corporate data, and, after gaining administrative privileges, encrypt files on the network. The Finnish NCSC emphasized the difficulty of recovery in such incidents and advised companies to configure MFA on all VPN accounts and to send logging data to a remote syslog server for enhanced security monitoring.
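The following is an added example, not part of the original article: a small audit that uses the centrally collected VPN logs the NCSC recommends to flag accounts that completed a VPN login without being enrolled in MFA, and accounts with repeated rejected logins. The log lines are constructed and modelled on Cisco ASA AAA messages (their exact layout is an assumption), and the MFA enrolment list is a hypothetical export from an identity provider.

```python
import re
from collections import Counter

# Constructed sample of lines as stored on a remote syslog server. The layout is
# modelled on Cisco ASA AAA messages and is an assumption, not a vendor spec.
SAMPLE_LOG = """\
Jan 19 22:14:03 vpn-gw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = svc-backup : user IP = 203.0.113.44
Jan 19 22:14:09 vpn-gw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = svc-backup : user IP = 203.0.113.44
Jan 19 22:14:15 vpn-gw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = svc-backup : user IP = 203.0.113.44
Jan 19 22:14:21 vpn-gw1 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = svc-backup
Jan 19 22:20:40 vpn-gw1 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = Alice
Jan 19 22:31:02 vpn-gw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = bob : user IP = 198.51.100.7
Jan 19 22:31:30 vpn-gw1 kernel: unrelated line that the parser must skip
"""

# Hypothetical export of MFA-enrolled accounts from the identity provider.
MFA_ENROLLED = {"alice", "bob"}

# Matches the authentication result and the "user = <name>" field; the later
# "user IP = ..." field does not match because of the literal "user = ".
AUTH_RE = re.compile(
    r"%ASA-\d-(?:113004|113005): AAA user authentication "
    r"(?P<result>Successful|Rejected)\b.*?\buser = (?P<user>[^\s:]+)"
)

def audit_vpn_logins(log_text, mfa_enrolled, reject_threshold=3):
    """Return (accounts that logged in without MFA enrolment,
    accounts with at least reject_threshold rejected logins), both sorted."""
    succeeded, rejected = set(), Counter()
    for line in log_text.splitlines():
        match = AUTH_RE.search(line)
        if not match:
            continue  # not a VPN authentication event
        user = match.group("user").lower()  # compare account names case-insensitively
        if match.group("result") == "Successful":
            succeeded.add(user)
        else:
            rejected[user] += 1
    enrolled = {name.lower() for name in mfa_enrolled}
    no_mfa = sorted(succeeded - enrolled)
    noisy = sorted(u for u, count in rejected.items() if count >= reject_threshold)
    return no_mfa, noisy

if __name__ == "__main__":
    no_mfa, noisy = audit_vpn_logins(SAMPLE_LOG, MFA_ENROLLED)
    print("VPN logins by accounts without MFA:", no_mfa)
    print("Accounts with repeated rejections:", noisy)
```

An account that appears in both lists, such as the service account in the sample, is the first one to review, since a successful login followed a run of rejections and no second factor stood in the way.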

To mitigate the risk of ransomware attacks like the one targeting Tietoevry, organizations should prioritize a multi-layered cybersecurity approach. Regularly update and patch software, employ robust endpoint protection, conduct regular backups, and educate employees on recognizing phishing attempts. Implement network segmentation to contain potential breaches and invest in advanced threat detection systems to identify and neutralize malicious activity promptly.