A cybercriminal group breached the IT systems of Randstad, one of the largest head-hunting companies in the world, and published some internal corporate data in an apparent extortion attempt, the firm said Thursday.
Netherlands-based Randstad pointed the finger at the criminal gang behind Egregor, a nascent type of ransomware that’s struck multiple organizations in recent weeks. The attackers gained access “to our global IT environment and to certain data, in particular related to our operations in the US, Poland, Italy and France,” Randstad said in a press release. “A limited number of servers were impacted.”
Randstad, which employed more than 38,000 people last year and reported more than $28 billion in revenue, said it was still identifying what data had been accessed. Law enforcement and third-party investigators are also involved in the matter, the company said.
“We believe the incident started with a phishing email that initiated malicious software to be installed,” a Randstad spokesperson said in an email. “We have not yet received a ransom note or any direct communication from Egregor.”
“Our systems have continued running without interruption and there has not been any disruption to our operations,” the Randstad spokesperson added.
The cybercriminal group published corporate data that appeared to include legal documents and financial reports.
Since emerging in mid-September, the Egregor ransomware has reportedly been used in cyberattacks on major retailers like Barnes & Noble and Kmart, and on the Vancouver metro system’s transportation authority, which on Thursday confirmed a ransomware attack on its IT systems that caused problems with card payments.
Like so many ransomware gangs in 2020, Egregor is using the one-two punch of stealing and encrypting files to maximize their leverage in ransom negotiations, according to Recorded Future, another security company. The Egregor operatives typically give victims three days to pay before leaking additional data, the company said.
“The Egregor ransomware is a complex piece of malware, employing obfuscation and anti-analysis techniques,” Recorded Future said in an analysis this week. “In order to fully decrypt and deploy the payload, the password associated with the sample must be provided at runtime.”
Bleeping Computer reported the news earlier Friday.