Cyber Incident Victim: SoftServe
Date: Sep 2020
Location: Ukraine
Summary
SoftServe, a Ukrainian software developer and IT services provider, suffered a ransomware attack involving DLL hijacking through the Rainmeter Windows customization tool, where attackers replaced its legitimate DLL with a malicious version to deploy ransomware and auxiliary malware like the PyXie RAT and CobaltStrike Beacon. The incident caused encrypted files with a specific extension, temporary mail system outages, disruption of auxiliary test environments, and precautionary disconnections from client networks to prevent further spread, though the company stated client data remained unaffected.
Description
On September 1, 2020, Ukrainian software development and IT services firm SoftServe suffered a ransomware attack beginning at approximately 1:00 AM local time. Attackers compromised the company's infrastructure, deploying encrypting ransomware and additional malware. SoftServe responded by taking affected services offline to contain the attack's spread, acknowledging these measures would disrupt employee workflows in subsequent hours. The company proactively severed network tunnels connecting to client infrastructures to prevent malware propagation to customer environments. Initial internal communications shared via Telegram channels indicated significant operational disruption, though SoftServe's Senior Vice President of IT Adriyan Pavlikevich later characterized the most severe impacts as temporary mail system dysfunctionality and the suspension of auxiliary test environments. Forensic evidence from an incident report obtained by security researchers indicated file encryption with the distinctive "*.s0fts3rve555-***" extension, a pattern consistent with Defray ransomware (also known as RansomEXX), though this attribution remained unconfirmed.

Technical analysis revealed that attackers exploited a DLL hijacking weakness in Rainmeter, a legitimate Windows desktop customization tool. Threat actors replaced Rainmeter's legitimate Rainmeter.dll with a malicious version compiled from source code, so that the trusted Rainmeter executable itself loaded the attacker's code. This DLL side-loading technique evades detection because the process that runs the payload is a known, legitimate application. The malicious DLL functioned as the Win32/PyXie.A backdoor, a Python-based remote access trojan historically associated with attacks against the healthcare and education sectors. Attackers supplemented it with tools including Cobalt Strike Beacon and PowerShell scripts, with forensic timestamps indicating active compromise between 2:00 AM and 9:00 AM. SoftServe maintained that client data remained unaffected despite source code theft concerns raised in initial reports. The company's public statements emphasized containment success through infrastructure isolation while acknowledging service degradation in email and testing systems during recovery operations.
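The DLL replacement described above is detectable by comparing the DLLs in an application directory against a baseline captured from a known-good installation, and the encryption is detectable by the file extension the incident report records. The following Python script is an added example written for this page; it is not code from the incident record or from SoftServe. The directory, DLL contents, hashes and file names it uses are constructed for the demonstration, and the regular expression assumes the masked part of the extension ("***") is a short run of alphanumeric characters.

```python
"""Added example (not from the incident record): a defender-side check for a
replaced application DLL, plus a scan for the reported ransomware extension.
All paths, file contents and names below are constructed for the demo."""
import hashlib
import os
import re
import tempfile


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large DLLs do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(app_dir):
    """Record the hash of every DLL currently in app_dir (known-good state)."""
    return {name: sha256_of(os.path.join(app_dir, name))
            for name in os.listdir(app_dir) if name.lower().endswith(".dll")}


def check_dlls(app_dir, baseline):
    """Compare the DLLs in app_dir against the baseline.

    Returns a sorted list of (name, status) where status is 'replaced'
    (hash differs), 'unexpected' (DLL not in baseline) or 'missing'
    (baseline DLL no longer present). An empty list means no change."""
    findings = []
    present = {n for n in os.listdir(app_dir) if n.lower().endswith(".dll")}
    for name in sorted(present | set(baseline)):
        if name not in baseline:
            findings.append((name, "unexpected"))
        elif name not in present:
            findings.append((name, "missing"))
        elif sha256_of(os.path.join(app_dir, name)) != baseline[name]:
            findings.append((name, "replaced"))
    return findings


# Extension from the incident report: ".s0fts3rve555-" followed by a suffix the
# report masks as "***". Treating the masked part as alphanumeric is an
# assumption made for this example.
RANSOM_EXT = re.compile(r"\.s0fts3rve555-[A-Za-z0-9]+$")


def find_encrypted_names(names):
    """Return the file names that carry the reported ransomware extension."""
    return [n for n in names if RANSOM_EXT.search(n)]


def demo(tamper=True):
    """Simulate a known-good install in a temp directory, optionally swap the
    DLL the way the attackers did, and return the integrity findings."""
    with tempfile.TemporaryDirectory() as app_dir:
        dll = os.path.join(app_dir, "Rainmeter.dll")
        with open(dll, "wb") as f:
            f.write(b"legitimate dll bytes (constructed)")
        baseline = build_baseline(app_dir)
        if tamper:
            # Attacker overwrites the DLL with a recompiled, same-named version.
            with open(dll, "wb") as f:
                f.write(b"malicious dll bytes (constructed)")
        return check_dlls(app_dir, baseline)


if __name__ == "__main__":
    print("clean install:", demo(tamper=False))
    print("after DLL swap:", demo(tamper=True))
    print("encrypted files:", find_encrypted_names(
        ["budget.xlsx.s0fts3rve555-ab1", "readme.txt", "plan.docx.s0fts3rve555-zz9"]))
```

A hash baseline catches a swapped file but says nothing about whether a DLL was ever signed; on a Windows host the production version of this check would also verify the Authenticode signature of each DLL (for example with PowerShell's Get-AuthenticodeSignature) and alert when a trusted executable loads an unsigned or differently signed module.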
