{
	"id": "a17ad5bf-4912-4aa9-a64b-6c8de8faaaaf",
	"created_at": "2026-04-06T00:06:49.404389Z",
	"updated_at": "2026-04-10T03:21:32.590332Z",
	"deleted_at": null,
	"sha1_hash": "8c2f9a11bcd0bea8a6e448380e351ce609b9903e",
	"title": "SoftServe hit by ransomware, Windows customization tool exploited",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1003240,
	"plain_text": "SoftServe hit by ransomware, Windows customization tool exploited\r\nBy Lawrence Abrams\r\nPublished: 2020-09-10 · Archived: 2026-04-05 14:42:59 UTC\r\nUkrainian software developer and IT services provider SoftServe suffered a ransomware attack on September 1st that may have led to the theft of customers' source code.\r\nWith over 8,000 employees and 50 offices worldwide, SoftServe is one of Ukraine's largest companies offering software development and IT consulting.\r\nNews about a cyberattack on SoftServe first began circulating on the 'Telegram DС8044 Kyiv Info' channel, where an alleged message sent by the company to employees was shared.\r\nhttps://www.bleepingcomputer.com/news/security/softserve-hit-by-ransomware-windows-customization-tool-exploited/\r\nPage 1 of 5\r\n\"Today at 1AM in the morning SoftServe came under cyber attack. Attackers got access to company infrastructure and managed to launch encrypting ransomware along with some other malware.\r\nWe have taken some of our services offline to stop spread of attack, unfortunately your work will be suffering from our containment steps in coming hours ...\r\nWe also blocked tunnels to our customers networks to avoid spread of malware to their infrastructure.\"\r\nIn a subsequent statement to Ukrainian technology news site AIN, SoftServe confirmed that a cyberattack had occurred that caused them to disconnect their clients to prevent its spread.\r\n“Yes, there was an attack today. The most significant consequences of the attack are the temporary loss of functionality of a part of the mail system and the halt of some of the auxiliary test environments. As far as we can estimate, this is the greatest impact of the attack, and other systems or client data were not affected.”\r\n\"To avoid the spread of the attack, we isolated some segments of our network and restricted communication with client networks. We are preparing a message to our clients about the situation. Simultaneously with the resumption of services, we are investigating the incident itself, so we are not ready to comment on who exactly did this,\" Adriyan Pavlikevich, Senior Vice President of IT at SoftServe, told AIN.\r\nAn incident report found today by security researcher MalwareHunterTeam and shared with BleepingComputer confirms that SoftServe suffered a ransomware attack.\r\nThis incident report states that the ransomware attack appended the \"*.s0fts3rve555-*** (like s0fts3rve555-76e9b8bf)\" extension to encrypted files' names.\r\nIt has not been confirmed, but this extension pattern matches those used by the Defray ransomware, also known as RansomEXX, which was recently used against Konica Minolta.\r\nThe report also includes a PowerShell script used to find files that were changed during the attack, indicating that the attack occurred between 2 AM and 9 AM.\r\nPowerShell script\r\nBleepingComputer has contacted SoftServe with further questions about the attack but has not heard back.\r\nCustomers' source code allegedly stolen\r\nIn a later post to the DС8044 Telegram channel, links were shared to source code repositories that were allegedly stolen during this attack.\r\nThese zip files are for projects that claim to be for Toyota, Panasonic, IBM, Cisco, ADT, WorldPay, and more.\r\nLeak of files allegedly stolen during SoftServe attack\r\nBleepingComputer has not independently confirmed whether this data belongs to SoftServe, but there are references to the company in some of the leaked source code repositories.\r\nWindows customization tool exploited in attack\r\nAccording to the SoftServe incident report, the attackers exploited a DLL hijacking vulnerability in the legitimate Rainmeter application to deploy their ransomware.\r\nRainmeter is a legitimate Windows customization tool that loads a Rainmeter.dll when launched.\r\nDuring the attack, the threat actors replaced the legitimate Rainmeter.dll with a malicious version compiled from the source code to deploy the ransomware.\r\n\"Distributed ransomware DLL (Rainmeter.dll) compiled from legitimate Rainmeter - a desktop customization tool for Windows. Malicious DLL loading from legitimate EXE (used popular cyberattack method DLL side-loading) using additional instruments like CobaltStrike Beacon, PowerShell, etc. Such technique is hard to detect by any antivirus as of now,\" the SoftServe incident report states.\r\nAccording to detections from VirusTotal, the Rainmeter.dll is identified as the backdoor Win32/PyXie.A.\r\nAccording to a 2019 report from BlackBerry, PyXie is a Python remote access trojan (RAT) known to exploit DLL hijacking vulnerabilities in other software such as LogMeIn and Google Update.\r\nBlackBerry researchers state that they have seen evidence that this RAT has been used in ransomware attacks.\r\n\"Analysts have observed evidence of the threat actors attempting to deliver ransomware to the healthcare and education industries with PyXie,\" the report states.\r\nSource: https://www.bleepingcomputer.com/news/security/softserve-hit-by-ransomware-windows-customization-tool-exploited/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/softserve-hit-by-ransomware-windows-customization-tool-exploited/"
	],
	"report_names": [
		"softserve-hit-by-ransomware-windows-customization-tool-exploited"
	],
	"threat_actors": [],
	"ts_created_at": 1775434009,
	"ts_updated_at": 1775791292,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8c2f9a11bcd0bea8a6e448380e351ce609b9903e.pdf",
		"text": "https://archive.orkl.eu/8c2f9a11bcd0bea8a6e448380e351ce609b9903e.txt",
		"img": "https://archive.orkl.eu/8c2f9a11bcd0bea8a6e448380e351ce609b9903e.jpg"
	}
}