beebright - stock.adobe.com

Facilities firm ISS World crippled by ransomware attack

An apparent ransomware attack has compromised some IT and email systems at Danish facilities firm ISS World

Denmark-based facilities management firm ISS World has switched off its networks and disappeared from the web after suffering a suspected ransomware attack that has left hundreds of thousands of employees – including 43,000 in the UK – without access to their systems or email.

With 500,000 staff, making it one of the world’s largest private sector employers, ISS has operations in over 60 countries around the world. It provides building maintenance, janitorial services, office supplies, physical building security, catering and facilities management services to a large roster of enterprise clients. It makes revenues of approximately DKK75bn (£8.4bn) per annum.

ISS said the attack began on 17 February. “As a precautionary measure and as part of our standard operating procedure, we immediately disabled access to shared IT services across our sites and countries, which ensured the isolation of the incident,” a spokesperson said in a statement.

“The root cause has been identified and we are working with forensic experts, our hosting provider and a special external taskforce to gradually restore our IT systems. Certain systems have already been restored. There is no indication that any customer data has been compromised.

“We are currently estimating when IT systems will be fully restored and are assessing any potential financial impact.

“Security, in all its forms, is a top priority for ISS, and we remain committed to protecting the integrity of our systems.”

Rajiv Arvind, ISS senior communications manager, told Computer Weekly that 70-80% of ISS staffers are frontline workers, meaning that most of the day-to-day customer-facing services it provides to its corporate clients are continuing as normal.

In the meantime, he added, the company is working flat-out to ascertain the cause of the attack. He said ISS wanted to be “150% sure” the danger had passed before reinstating business as usual.

Arvind would not, however, be drawn on whether or not ISS been targeted by the same criminal gang behind January’s Sodinokibi, or ReVIL, attacks on foreign exchange services provider Travelex, or German auto-parts distributor Gedia.

Besides Travelex and Gedia, the highly potent ransomware strain has been known to target services businesses, which across the world are emerging as particularly attractive targets to cyber criminals because, as elements of an organisation’s supply chain, they can provide an easy route into the IT systems of their customers.

US-based managed service provider (MSP) PercSoft, supplier of cloud data backup services Synoptek and datacentre operator CyrusOne are among those known to have fallen victim to Sodinokibi in recent months. It is important to note that ISS may not have been affected by Sodinokibi – many other ransomware strains are in circulation.

SonicWall president and CEO Bill Conner said he had observed these changing tactics around ransomware at first hand.

“Historically, the goal for most malware authors was the quantity of infections. Now we’re seeing attackers focus on fewer, higher-value targets, where they can spread laterally,” he said.

“This shift in tactics has also seen a corresponding rise in the ransom demands, as attackers attempt to make more money from fewer, but higher-value targets.”

A recent SonicWall report revealed that its global network of sensors and threat researchers detected a total of 187.8 million ransomware attacks in 2019.

Read more about ransomware

Read more on Hackers and cybercrime prevention