The “Ryuk” Gang Has Compromised French IT Services Provider “Sopra Steria”

Last updated June 23, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

The latest victim of the Ryuk ransomware group is ‘Sopra Steria,’ a Paris-based IT consultant and ERP integration expert that employs about 45,000 people and counts its yearly revenue in the billions. It is pretty embarrassing for an IT giant to fall victim to a ransomware group. Still, on the other hand, these hackers have grown so persistent and sophisticated that fending them off 24/7 is really challenging, no matter who you are and what you do.

The company has admitted the event and released the following statement:

A cyberattack has been detected on Sopra Steria’s IT network on the evening of 20th October. Security measures have been implemented in order to contain risks. The Group’s teams are working hard for a return to normal as quickly as possible and every effort has been made to ensure business continuity. Sopra Steria is in close contact with its customers and partners, as well as the competent authorities.

Bleeping Computer claims to have valid information about the result of this attack, something that Sopra Steria decided not to elaborate on. More specifically, there are reports about full network encryption by Ryuk, which are confirmed by French media too.

It is possible that it all started with a TrickBot or BazarLoader infection, as we have seen these malware tools getting deployed with the ultimate goal being a Ryuk encryption. This part of the attack has not been confirmed, though, so it’s just an assumption based on what has been going on recently.

Related: The Ryuk Ransomware Gang Is Surely Not Dead or Replaced by Conti

While Sopra Steria is transparent about the event, there is nothing about ransom demands, service availability estimations, data leak possibility, etc. Since the authorities have been contacted, a GDPR investigation could also be kicked off by the French data protection commissioner.

Last week, we analyzed the recent activity attributed to Ryuk and why the particular group shouldn’t be considered inactive or replaced by Conti. This latest incident against Sopra Steria underlines this fact in the best possible way and highlights that the hackers are aiming for big players.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: