Ryuk adds Epiq and EMCOR to the Victim List

The Ryuk ransomware continues to add high profile targets to its victim list. From the US Coast Guard to Fortune 500 companies, it would seem no company or organization is safe if the malware’s operators have the company in their sights. The latest to fall victim to a Ryuk infection is legal services and e-discovery firm Epiq. The company took its systems offline on March 2, 2020, after Ryuk began encrypting critical files. The news was initially broken on the same day by Robert Ambrogi who discovered the company’s corporate website was offline following a security incident.

With the coming going offline, users and the general public were unable to access e-discovery platforms hosted by the company. These platforms are used so that users can access relevant court documents and other legal papers.

ryuk adds epiq and emcor companies to it's vicim list

It was later confirmed by Epiq in a statement that they had indeed suffered a ransomware infection, stating

“On February 29, we detected unauthorized activity on our systems, which has been confirmed as a ransomware attack. As part of our comprehensive response plan, we immediately took our systems offline globally to contain the threat and began working with a third-party forensic firm to conduct an independent investigation…Our technical team is working closely with world-class third-party experts to address this matter, and bring our systems back online in a secure manner, as quickly as possible…Federal law enforcement authorities have also been informed and are involved in the investigation…As always, protecting client and employee information is a critical priority for the company. At this time there is no evidence of any unauthorized transfer or misuse or exfiltration of any data in our possession.”

Little else is known about the incident, however, a source informed Bleeping Computer that the infection started with a TrickBot infection. The partnership between TrickBot and Ryuk was been active for over a year now. TrickBot is a modular trojan known for dropping other malware onto an infected machine once a backdoor is created. Further, TrickBot is known to search for and harvest sensitive information including passwords, files, and cookies before looking to spread laterally across a network. TrickBot is often seen been distributed via spam email campaigns spread via Emotet. Once TrickBot has harvested all the data it wants it creates a reverse shell which in turn allows for Ryuk’s operators to infect the machine. From the information provided by Bleeping Computer’s source, it is highly probable that the infection is indeed Ryuk as encrypted files contained the .RYK extension appended to them as well as the RyukReadMe.html ransom note dropped on the infected machine.

Fortune 500 Company EMCOR also suffers Ryuk Infection

Not even Fortune 500 companies are safe from Ryuk prying eyes. US-based Fortune 500 Company specializing in engineering and industrial construction services, EMCOR disclosed last month that the company had suffered a cybersecurity incident. Exact details of the attack have not been made public, however, the message announcing the ransomware infection is still present on the company's website almost three weeks after the attack with the attack occurring on February 15, 2020. In the statement made by the company, the offending piece of malware was Ryuk and certain IT systems were shut down to prevent further infection. The company also stated that there appeared to be no evidence of data theft. Further, the company has revised its 2020 earnings estimations to better reflect the downtime and damages caused by the incident.

This may be seen as a positive outcome given how Sodinokibi, Maze, Nemty, and DoppelPaymer have all been threatening to release stolen data if the ransom is not paid. It is important to note that at the time of writing Ryuk has not joined the club of ransomware operators combining data breach tactics.

So far 2020 has already seen interesting evolutions in ransomware tactics and this trend does not appear to be slowing down. In an article published by Bleeping Computer, it would appear that those behind ransomware infections are actively targeting backups found on infected machines. One of the best defenses against ransomware infections is by properly backing up important data regularly, however, if not configured properly this defensive measure can be a liability. In the article ransomware, developers note how cloud backups can be stolen and later used as leverage to help ensure payment of the ransom or the data will be leaked online.

Other malware authors are targeting backups for another reason. If your backups are not made immutable by specific add on software packages they can simply be deleted. This makes recovery from a ransomware attack far harder and far more costly. Further, this creates a greater need to pay the ransom as it might be the only way to recover data. To protect your backups Veeam, a popular backup software provider advises the following,

“Whether it is ultra-resilient backup data like S3-immutable backups in the cloud, encrypted backups on tape or encrypted backups on removable offline storage; customers need to have multiple copies of data. We have advocated for a long time the 3-2-1 Rule, which advocates having 3 different copies of data on 2 different media with one of them being off-site. Couple in 1 copy being on an ultra-resilient technique such as an immutable backup, offline backup or otherwise air-gapped; data can be protected against nearly any failure scenario – including ransomware. Additionally, Veeam also has a technology called Secure Restore; which will perform a threat scan with almost any tool to ensure that a restored system or data does not re-introduce a threat,”

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk logo

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal