The Ukrainian company SoftServe suffered a ransomware attack on September 1, which may have led to the theft of its customers' source code.
With more than 8,000 employees and 50 offices worldwide, SoftServe is one of the largest companies in Ukraine offering software development and IT consulting services.
News of the cyber attack on SoftServe first circulated on the "Telegram DС8044 Kyiv Info" channel, which posted what was claimed to be an internal message from the company to its employees.
In a subsequent statement to the Ukrainian news site AIN, SoftServe confirmed that it had suffered a cyber attack that forced it to "disconnect" its customers to prevent the attack from spreading.
"It simply came to our notice then. The most important consequences of the attack are the temporary loss of functionality of a part of the mail system and the interruption of some of the auxiliary test environments. As far as we can tell, this is the biggest impact of the attack, and other systems or customer data have not been affected."
"To prevent the spread of the attack, we have isolated certain parts of our network and restricted communication with customer networks. We are preparing a message to inform our customers about the situation. We are still investigating the incident, so we are not ready to comment on who did it," said Adriyan Pavlikevich, vice president of SoftServe.
A report found today by security researcher MalwareHunterTeam confirms that SoftServe was attacked by ransomware.
This incident report states that the ransomware appended the extension "*.s0fts3rve555-***" (for example, ".s0fts3rve555-76e9b8bf") to the names of encrypted files.
This has not been confirmed, but the extension pattern matches the one used by Defray ransomware, also known as RansomEXX, which was recently used against Konica Minolta.
The report also includes a PowerShell script used to find files that changed during the attack, which indicates that the attack took place between 2 p.m. and 9 a.m.
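As an added example (not the script from the incident report, which the article does not reproduce), the following PowerShell script performs the same kind of triage: it lists files under a directory tree whose last-write time falls in a chosen window and flags those whose names match the extension pattern reported above. The root path, the time window and the output path are parameters supplied by the investigator; the 8-character hex suffix is assumed from the single sample value quoted in the report.

```powershell
# Added example, not SoftServe's script: triage a file tree for ransomware artefacts.
# Assumptions: encrypted files are named "<original name>.s0fts3rve555-<8 hex chars>"
# (generalised from the one sample value in the report) and the caller supplies
# the root and the time window of interest.
param(
    [Parameter(Mandatory)] [string]   $Root,
    [Parameter(Mandatory)] [datetime] $Start,
    [Parameter(Mandatory)] [datetime] $End,
    [string] $ReportPath = '.\ransomware-triage.csv'
)

# Literal marker, a dash, then an 8-character hex suffix at the end of the name.
$pattern = '\.s0fts3rve555-[0-9a-f]{8}$'

$files = Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue

# 1) Everything written inside the window, regardless of name. LastWriteTime can be
#    tampered with, so treat this as a first pass; the USN journal or $MFT is authoritative.
$changed = $files | Where-Object { $_.LastWriteTime -ge $Start -and $_.LastWriteTime -le $End }

# 2) The subset carrying the reported extension pattern.
$encrypted = $changed | Where-Object { $_.Name -match $pattern }

# 3) Per-directory counts with first/last touch times show blast radius and spread order.
$summary = $encrypted |
    Group-Object DirectoryName |
    ForEach-Object {
        $ordered = $_.Group | Sort-Object LastWriteTime
        [pscustomobject]@{
            Directory  = $_.Name
            Encrypted  = $_.Count
            FirstWrite = ($ordered | Select-Object -First 1).LastWriteTime
            LastWrite  = ($ordered | Select-Object -Last 1).LastWriteTime
        }
    } | Sort-Object FirstWrite

$summary | Format-Table -AutoSize

# Per-file listing for the case file, only when there is something to write.
if ($encrypted) {
    $encrypted |
        Select-Object FullName, Length, CreationTime, LastWriteTime |
        Export-Csv -Path $ReportPath -NoTypeInformation
}

"Changed in window: $($changed.Count); matching extension pattern: $($encrypted.Count); report: $ReportPath"
```

Run it as, for instance, `.\Find-EncryptedFiles.ps1 -Root 'D:\' -Start '2020-09-01 14:00' -End '2020-09-02 09:00'`; the dates here are illustrative, since the article gives only the clock times. Sorting directories by first write time is what turns a file listing into a rough propagation timeline, which is usually the first thing an incident responder wants from this data.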
Customer source code is said to have been stolen
In a later post on the Telegram DС8044 channel, links were shared to "source code repositories" allegedly stolen during the attack. The zip files contain projects that appear to belong to Toyota, Panasonic, IBM, Cisco, ADT and WorldPay.
Windows customization tool abused in the attack
According to the SoftServe report, the attackers exploited a DLL loading weakness in the legitimate Rainmeter application to deploy their ransomware.
Rainmeter is a legitimate Windows customization tool that loads a Rainmeter.dll at startup.
During the attack, the threat actors replaced the legitimate Rainmeter.dll with a malicious version.
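The defensive counterpart to the DLL replacement described above, as an added example rather than anything from the SoftServe report or the Rainmeter project: a PowerShell check that compares the DLL an application loads from its install directory against a known-good hash and inspects its Authenticode signature. The install path, the presence of Rainmeter.exe beside the DLL, and the expectation that the vendor signs its binaries are assumptions; the known-good SHA-256 is a placeholder to be replaced with the value from a clean reference copy.

```powershell
# Added example, not from the article or from Rainmeter: verify that the DLL a
# legitimate application loads from its own directory is still the vendor's file.
# Assumptions: install path and companion executable name (Rainmeter.exe) are as
# given below; the known-good SHA-256 comes from a clean reference install.
param(
    [string] $InstallDir      = "$env:ProgramFiles\Rainmeter",
    [string] $DllName         = 'Rainmeter.dll',
    [string] $ExeName         = 'Rainmeter.exe',
    [string] $KnownGoodSha256 = 'PLACEHOLDER-KNOWN-GOOD-SHA256'
)

$dllPath = Join-Path $InstallDir $DllName
if (-not (Test-Path $dllPath)) { throw "DLL not found: $dllPath" }

$dll  = Get-Item $dllPath
$hash = (Get-FileHash -Path $dllPath -Algorithm SHA256).Hash
$sig  = Get-AuthenticodeSignature -FilePath $dllPath

$findings = @()

# A dropped-in replacement is typically unsigned or signed by someone other than the vendor.
# (Assumes the vendor's own DLL carries a valid Authenticode signature.)
if ($sig.Status -ne 'Valid') {
    $findings += "Authenticode status is '$($sig.Status)' (expected 'Valid')"
}

# Hash mismatch against a known-good copy is the decisive check.
if ($hash -ne $KnownGoodSha256.ToUpperInvariant()) {
    $findings += "SHA-256 $hash does not match the known-good value"
}

# A DLL written long after the executable beside it suggests it was replaced post-install.
$exePath = Join-Path $InstallDir $ExeName
if (Test-Path $exePath) {
    $exe = Get-Item $exePath
    if ($dll.LastWriteTime -gt $exe.LastWriteTime.AddDays(1)) {
        $findings += "DLL written $($dll.LastWriteTime), executable written $($exe.LastWriteTime)"
    }
}

[pscustomobject]@{
    Path          = $dllPath
    Sha256        = $hash
    SignerSubject = $sig.SignerCertificate.Subject
    SigStatus     = $sig.Status
    LastWrite     = $dll.LastWriteTime
    Suspicious    = ($findings.Count -gt 0)
    Findings      = ($findings -join '; ')
}
```

The three checks are deliberately independent: a signature check alone is defeated by an attacker who signs with any certificate, and a timestamp check alone is defeated by timestomping, but a hash comparison against a reference copy held off the host catches the replacement regardless. Running the same script across a fleet and collecting the `Suspicious` field is a cheap way to find other machines where the same DLL was swapped.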