The employment agency Randstad announced late last week that its IT systems had been breached by an Egregor ransomware attack. The company has since initiated an investigation into the incident to ascertain what data was accessed and stolen.
About Randstad NV
Randstad NV, commonly known as Randstad, is a Dutch multinational employment agency with offices in 38 markets around the world. The company was founded in 1960 and is headquartered in Diemen, in the Netherlands. It is named after the Randstad region of the Netherlands and employs over 38,000 people worldwide. In 2019, Randstad generated € 23.7 billion in revenue.
Randstad is also the owner of the employment website Monster.com. This website was created in 1999 through the merger of two websites, The Monster Board and the Online Career Center.
What was Stolen
Randstad announced on Thursday last week that its IT systems had been breached by an Egregor ransomware attack. Not much is yet known about the attack. However, Randstad has stated that only a limited number of their servers had been breached. Consequently, their network and business operations were able to continue working without disruption.
The company confirmed that the Egregor ransomware group had managed to obtain unauthorized access to its global IT systems. However, the full extent of the data stolen is not yet known. The personal data of employees and clients, as well as Randstad’s talent data, could have been accessed and possibly stolen. At this stage, however, Randstad believes that only data related to its operations in the US, Poland, Italy and France may have been affected.
Since the attack, the Egregor group has leaked a zip archive file on the dark web. The archive file contained 184 files amounting to 38 MB of data. It is believed that it held accounting spreadsheets, financial reports, legal documents and other miscellaneous business documents.
To ensure no further data is leaked and to ascertain what has been stolen, Randstad has called in third-party cybersecurity and forensic experts. “They have now published what is claimed to be a subset of that data. The investigation is ongoing to identify what data has been accessed, including personal data, so that we can take appropriate action with regard to identifying and notifying relevant parties,” Randstad announced.
Egregor Ransomware Operations
According to news reports, the Egregor ransomware group that hit Randstad has been very active recently. In the last week the group has executed attacks against Vancouver’s transit system TransLink and Kmart. Other prominent Egregor hits include attacks on Cencosud, Crytek, Ubisoft and Barnes and Noble.
Egregor is a new organized ransomware-as-a-service (RaaS) operation. Such operations sell their ransomware as a platform tool to other malicious actors, who in turn use the RaaS software to hold computer files, information or systems hostage.
Egregor began operating in the middle of September 2020 after the prominent ransomware group Maze shut down operations. It is believed that many of the affiliates that worked with Maze now work with Egregor. Consequently, the Egregor group was able to ramp up its operations very quickly.
Ransomware researcher Brett Callow of security firm Emsisoft, speaking to ITWire, explained: “Egregor is rapidly racking up a long list of victims. In fact, their rate of ‘customer acquisition’ is quite unprecedented. This is likely not because they’re super-good or have been super-busy, but because Maze’s former partners have signed up to their affiliate program and taken a list of pre-compromised and ready-to-be-exploited networks with them.
“In fact, it may not only be Maze’s former partners who’ve moved across: Egregor may well have been created by the same set of criminals who created Maze (old ransomware operators never die, they simply rebrand – and then sell all the data they’d promised to destroy!).”