One of Finland’s leading IT services and software development firms has been attacked by ransomware operators, with its operations in Norway targeted. TietoEVRY disclosed the attack recently, stating it has been forced to disconnect its client services.

A rapid response to ransomware

The Finnish company is a major operator in the field of information technology services and also develops specialist software solutions. With a reach that extends well beyond the 80 countries in which it has bases, the firm employs a staff of around 24,000. In 2019, it recorded revenues of €2.95bn (£2.56bn).

On February 22, the IT services provider received a total of 25 reports of technical issues from customers it supports in the manufacturing, retail and service-based industries. Later, it was revealed that these problems were the result of a malicious attack using ransomware.

After it was made aware of the ransomware assault, TietoEVRY quickly disconnected all services and company infrastructure impacted by the event to prevent the specialised crypto-malware from spreading further and causing more chaos.

In an advisory issued via the press, TietoEVRY commented on the incident and its actions after discovering the attack:

“Due to the ransomware the affected infrastructure and services were disconnected. Together with the affected customers and our partners, we are working to enable recovery of the operations soonest.”

The company described how it had followed appropriate protocols in line with the General Data Protection Regulation (GDPR) and that all impacted customers had been informed of the event in detail, adding that regular updates were being issued to them regarding TietoEVRY’s recovery progress.

Additionally, the IT services company notified the Norwegian National Security Authority known as the Nasjonal sikkerhetsmyndighet (NSM), along with NorCert, of the ransom attack, with both agencies now assisting TietoEVRY with its investigation.

Christian Pedersen, Managing Partner at TietoEVRY Norway, commented:

“TietoEVRY takes the situation extremely seriously and does utmost to solve it and recover the impacted services soonest possible. We have activated an extended team with the necessary capacity and competence and are working hard to solve the situation.”

Why do IT services enterprises make ideal victims for ransomware gangs?

Firms specialising in IT services with managed security service provider (MSSP) offerings have become a favoured target for ransomware groups because of the way in which this type of enterprise operates.

In order to adequately service their customers, MSSPs must manage clients via remote connections using appropriate software designed to roll out new fixes and updates swiftly whenever required. By targeting IT service providers, ransomware groups can take full advantage of the firm’s essential remote access support apps and software to spread their dedicated ransomware to the provider’s client base.

Using just one attack, malicious operators can reach several victims simultaneously, extorting multiple ransom payments in the process. Even if clients are not impacted by the ransomware itself, they will experience a loss of service. Faced with being unable to operate and serve their customers, many IT service providers may be persuaded to pay up.