Data Breach: HR Consulting Giant Randstad Hit by Egregor Ransomware

 

Randstad NV, a multinational human resources consulting firm, announced that it was hit by the Windows Egregor ransomware. While breaching the staffing agency's network, the ransomware operators stole unencrypted files, 1% of which the threat actors have published as proof of the data breach.
 
The data made public is a 32.7MB archive containing 184 files, including legal documents, business files, accounting spreadsheets, and some financial reports. After the ransomware operators published the data, Randstad issued a security notification confirming the breach. However, it is not yet clear whether the personal data of employees or clients was compromised during the attack.

According to sources, the attack impacted only a limited number of servers, disrupting the company's operations in the US, France, Italy, and Poland. Elsewhere, the company continued its business operations without interruption.
 
Headquartered in Diemen, Netherlands, Randstad NV is a globally operating Dutch human resources giant that was founded in 1960 and currently operates in 39 countries on 5 continents. Reportedly, the company has trained over 350,000 candidates and helped around 2 million people find a job with its clients.

“Randstad NV (“Randstad”) recently became aware of malicious activity in its IT environment and an internal investigation into this incident was launched immediately with our 24/7 incident response team. Third-party cybersecurity and forensic experts were engaged to assist with the investigation and remediation of the incident,” Randstad disclosed. 
 
"To date, our investigation has revealed that the Egregor group obtained unauthorized and unlawful access to our global IT environment and to certain data, in particular related to our operations in the US, Poland, Italy and France," reads the statement published by the firm. 
 
"They have now published what is claimed to be a subset of that data. The investigation is ongoing to identify what data has been accessed, including personal data, so that we can take appropriate action with regard to identifying and notifying relevant parties,"

First identified in September this year, Egregor ransomware has been rapidly escalating its activity, with its operators breaking into organizations and running the malware to encrypt their sensitive data. The initial infection vector is still unknown; however, security researchers suspect malicious links or spam emails. Similarities in obfuscation techniques, API calls, strings, and functions have been spotted between Egregor and Sekhmet. Sources say the ransom note left after an attack is also identical in many ways.