Akira ransomware hits cloud service Tietoevry; numerous Swedish customers affected

Cloud hosting services provider Tietoevry announced that one of its datacenters in Sweden “was partially subject to a ransomware attack” this weekend, affecting numerous customers and forcing stores to close across the country.

According to the Finland-based technology company’s statement on Monday, the attackers used the Akira ransomware-as-a-service tools. The incident was limited to “one part of one of our Swedish datacenters” and is believed to have only impacted services to some of Tietoevry's customers in Sweden.

However, these customers include Primula, a widely used payroll and HR company in Sweden, including by the majority of the country’s universities and more than 30 government authorities. Staff at these organizations cannot submit personal leave or expenses requests.

Primula customers have said that January salaries were submitted to the bank prior to the ransomware attack and will be paid this week, however it is not clear what remediations will be in place by February.

Neither Tietovry nor Primula have announced whether any sensitive personal data was stolen during the incident.

Last year, a breach at British payroll company Zellis led to the personal data of potentially hundreds of thousands of employees at hundreds of companies being exposed to criminals.

Primula customers include the Swedish State Service Centre (SSC), which itself manages administrative services including payroll for nearly 170 government agencies. The SSC said “we have backup routines when the IT systems fail.”

The Säkerhetspolisen, Sweden's security service responsible for counterintelligence, did not immediately respond to an enquiry about potential risks related to government payroll information being exposed to criminals.

Following the discovery of the ransomware attack on Friday evening, Tietoevry said it “immediately isolated the affected platform”and that other parts of the company’s infrastructure were unaffected.

Directly affected customers have been notified, the company added.

Swedish businesses currently reporting issues due to the incident include cinema chain Filmstaden and retailer Rusta. As a result of the ransomware attack, Granngården announced its grocery stores across the country would be closed on Monday.

“We sincerely apologize for the problems this malicious attack is causing for our customers and everyone that is impacted by this. We have allocated all necessary resources to address this with full attention,” said Venke Bordal, a managing partner at Tietoevry.

Bordal said the company could not estimate how long it would take to restore its systems, but stressed the “security and continuity of our services is of utmost priority to us, and we take this situation extremely seriously.”

Both the company’s internal staff and outside specialists are investigating the incident, which has been reported to the police.

According to Tietoevry’s investor relations portal, the company had 24,320 employees last year and recorded revenues of just over €2.9 billion ($3.1 billion).

“Tietoevry is following a well-tested methodology in order to restore infrastructure and services. The work is conducted in a planned sequence to ensure correct handling of customer data,” said the company’s statement.

“Time schedule will also vary somewhat depending on the customer, the solutions in question and the related data restoring needs. This work is conducted in close collaboration with the customers in question.”