Several cities in Sweden are down due to ransomware attacks on data centers
Finnish IT services and enterprise cloud hosting provider Tietoevry has suffered a ransomware attack that severely affected its cloud hosting customers at one of its data centers in Sweden. The attack was reportedly carried out by the Akira ransomware gang. Tietoevry provides managed services and cloud hosting to enterprises, employs approximately 24,000 people worldwide and had 2023 revenue of $3.1 billion. The company confirmed that the ransomware attack occurred between Friday night and Saturday morning and affected only one of its data centers in Sweden.
Tietoevry explained in a press statement: "The attack was limited to a part of our Swedish data center and affected Tietoevry's service to some customers in Sweden. Tietoevry immediately isolated the affected platform and the ransomware attack did not affect other parts of the company's infrastructure."
Tietoevry said it was in the process of restoring infrastructure and services, but customers were still affected while they restarted their servers. "The timetable will also vary depending on the customer, the relevant solution and the relevant data recovery needs." Tietoevry reportedly also suffered a ransomware attack in 2021 that forced it to disconnect customer services.
Ransomware attack causes massive service outages in Sweden
The ransomware attack encrypted the company's servers used to host its extensive operations in Sweden. Filmstaden, Sweden's largest cinema chain, has confirmed that they are one of the companies affected by the attack, which directly resulted in users being unable to purchase movie tickets online through the website or mobile application.
Other companies affected by the attack include discount retail chain Rusta, raw material supplier Moelven, and agricultural supplier Granngården, which was forced to close its stores while IT services were restored. The outage also affected Primula, the payroll and human resources system managed by Tietoevry, which is widely used by governments, universities and colleges in Sweden, for example Karolinska Institutet, SLU, University West, Stockholm University, Lund University and Malmö University.
The Primula system outage also affected multiple government agencies and municipalities in Sweden, including the Statens service center, the municipality of Vellinge, the municipality of Bjuv and the county of Uppsala. For Uppsala, the impact of the outage was even more significant because it also affected the region's medical records system.
The Akira ransomware group is behind the attack
The Akira ransomware operation was behind the attack on Tietoevry, which occurred shortly after the Finnish government warned that companies in the country were under sustained attack by the group. The Akira ransomware operation launched in March 2023 and soon began conducting dual ransomware attacks on enterprise networks around the world.
Finland’s National Cyber Security Center (NCSC) disclosed this month that there were 12 cases of Akira ransomware attacks in 2023, most of which occurred at the end of the year. "These incidents are specifically related to weakly secured Cisco VPN implementations or their unpatched vulnerabilities, and recovery is often difficult."
In August 2023, the Akira ransomware gang compromised Cisco VPN accounts that were not protected by multi-factor authentication to gain access to internal corporate networks. Once threat actors compromise a network, they spread laterally to other devices while stealing corporate data. Once all data is exfiltrated and administrative privileges are gained, the threat actors encrypt files on the network.
Cisco says customers should configure MFA on all VPN accounts and send log data to a remote syslog server. With a remote syslog server, the logs remain available for analysis after a compromise even if a threat actor clears them on the Cisco router.
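
The value of the remote copy can be shown with a short script that compares what the syslog server received with what is still in the device's own buffer. This is an added example, not code from the article or from Cisco; the log lines are constructed in Cisco ASA syslog style, and the hostname, user names and addresses are placeholders.

```python
import re

# Matches "<timestamp> <host> %ASA-<severity>-<id>: <text>" (BSD syslog layout).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) "
    r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$"
)

# Constructed sample: what the remote syslog server received from the VPN gateway.
REMOTE_COPY = """\
Jan 20 01:12:03 vpn-gw1 %ASA-6-113004: AAA user authentication Successful : server = 192.0.2.5 : user = example-user
Jan 20 01:12:04 vpn-gw1 %ASA-6-113039: Group <VPN-USERS> User <example-user> IP <198.51.100.23> AnyConnect parent session started.
Jan 20 03:40:51 vpn-gw1 %ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.
Jan 20 03:52:17 vpn-gw1 %ASA-6-113004: AAA user authentication Successful : server = 192.0.2.5 : user = other-user
"""

# Constructed sample: the device's own buffer, exported after it was cleared.
LOCAL_BUFFER = """\
Jan 20 03:52:17 vpn-gw1 %ASA-6-113004: AAA user authentication Successful : server = 192.0.2.5 : user = other-user
"""

def parse(log_text):
    """Return one dict per line that matches LINE_RE; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def missing_on_device(remote_text, local_text):
    """Events held by the remote server that the device buffer no longer has."""
    local = {(e["ts"], e["id"], e["text"]) for e in parse(local_text)}
    return [e for e in parse(remote_text)
            if (e["ts"], e["id"], e["text"]) not in local]

def clear_commands(remote_text):
    """Command-audit events (ID 111008) recording that logging was cleared."""
    return [e for e in parse(remote_text)
            if e["id"] == "111008" and "clear logging" in e["text"]]

if __name__ == "__main__":
    for e in missing_on_device(REMOTE_COPY, LOCAL_BUFFER):
        print("only on remote server:", e["ts"], e["id"], e["text"])
    for e in clear_commands(REMOTE_COPY):
        print("log cleared on device at", e["ts"], "->", e["text"])
```
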