Eurofins ransomware attack affected UK police work

Eurofins, a global provider of scientific testing services, said on Monday that operations are returning to normal after the recent ransomware attack, but that its impact on their financial results “may unfortunately be material.”

Eurofins ransomware attack

“The investigations conducted so far by our internal and external IT forensics experts have not found evidence of any unauthorised theft or transfer of confidential client data,” the company added.

Nevertheless, the UK police has suspended all work with the company, which is believed to perform at least half of all the DNA analysis, toxicology, ballistics and computer forensics work for the police force.

About Eurofins

Headquartered in Brussels, Belgium, Eurofins provides food, agro, pharma, consumer product, environment, forensics, clinical diagnostics and other types of scientific testing services to companies and governments.

It runs a network of more than 800 laboratories across 47 countries in Europe, North and South America and Asia-Pacific, with a total of over 45,000 lab staff.

The company has opened an IoT security test lab in Groningen, Netherlands, just a few days before the attack.

About the attack

Eurofins was hit by (at the time) unknown ransomware during the first weekend of June.

The attack disrupted some of its IT systems and the company took offline many other systems and servers to minimize the damage, then proceeded to investigate the incident with the help of law enforcement agencies and IT forensics and security companies.

Eurofins claimed on June 10 that the attack patterns and information from law enforcement and independent cybersecurity experts lead them “to believe that this attack has been carried out by highly sophisticated well-resourced perpetrators.”

“The National Crime Agency is leading the criminal investigation into a recent cyber incident that has affected Eurofins Scientific, Rob Jones, Director of threat leadership at the NCA, shared on Friday.

“Specialist cyber-crime officers from the NCA are working with partners from the National Cyber Security Centre and the National Police Chief’s Council to mitigate the risks and assess the nature of this incident. We are securing evidence and forensically analysing infected computers, but due to the quantity of data involved and the complexity of these kinds of enquiries, this is an investigation which will take time, therefore we cannot comment further at this time.”

The company did not share which specific ransomware was the one that hit them, only that it is now detected by their IT security solutions. They also did not share which of its laboratories and sites have been affected, only that they are located in several countries.

“As Eurofins IT teams reacted promptly many of the Group’s companies were able to continue operating without impacting customers. Moreover, on Tuesday June 4th we were able to resume full or partial operations for a number of impacted companies and have continued to do so every day since then. As a result, as of Monday June 17th, the vast majority of affected laboratories’ operations had been restored,” the company explained on Monday.

“The production and reporting IT systems of essentially all those that remained became operational again during the past week. Restoration operations are continuing for some less important back office and software development systems as well as in a few companies (representing less than 2% of the Group’s revenues) some specific procedures required before restart of certain activities that are anticipated to be completed by end of next week.”

The effect of the attack

“The focus of our teams in the companies that were affected is to catch up on their work backlog and deliver the quality and speed of service our customers are used to getting from their Eurofins laboratory, and that they deserve,” the company noted.

They said that it is, so far, difficult to estimate how the attack impacted or will impact their financial results.

The National Police Chiefs’ Council (NPCC) said of Friday that “the attack suffered by Eurofins Scientific has affected the IT systems its Forensics subsidiary, Eurofins Forensics Services, which is based in the UK and is one of the primary forensic services providers (FSPs) to UK policing.”

As a result, the NPCC has temporarily suspended all law enforcement submissions to that subsidiary.

“Our priority – alongside the Association of Police and Crime Commissioners – is to minimise the impact on the criminal justice system. We have put our national contingency plans in place, which will see urgent submissions and priority work diverted to alternative suppliers to be dealt with as quickly as possible,” said the National Police Chiefs’ Council Lead for Forensics, Chief Constable James Vaughan.

“It is too early to fully quantify the impact but we are working at pace with partners to understand and mitigate the risks. We will share more information as soon as we can.”

The suspension was put in place on June 3, and the company has been instructed to return any casework that had not been started.