The Ryuk ransomware continues to add high profile targets to its victim list. From the US Coast Guard to Fortune 500 companies, it would seem no company or organization is safe if the malware’s operators have the company in their sights. The latest to fall victim to a Ryuk infection is legal services and e-discovery firm Epiq. The company took its systems offline on March 2, 2020, after Ryuk began encrypting critical files. The news was initially broken on the same day by Robert Ambrogi who discovered the company’s corporate website was offline following a security incident.
With the coming going offline, users and the general public were unable to access e-discovery platforms hosted by the company. These platforms are used so that users can access relevant court documents and other legal papers.
It was later confirmed by Epiq in a statement that they had indeed suffered a ransomware infection, stating
“On February 29, we detected unauthorized activity on our systems, which has been confirmed as a ransomware attack. As part of our comprehensive response plan, we immediately took our systems offline globally to contain the threat and began working with a third-party forensic firm to conduct an independent investigation…Our technical team is working closely with world-class third-party experts to address this matter, and bring our systems back online in a secure manner, as quickly as possible…Federal law enforcement authorities have also been informed and are involved in the investigation…As always, protecting client and employee information is a critical priority for the company. At this time there is no evidence of any unauthorized transfer or misuse or exfiltration of any data in our possession.”
Little else is known about the incident, however, a source informed Bleeping Computer that the infection started with a TrickBot infection. The partnership between TrickBot and Ryuk was been active for over a year now. TrickBot is a modular trojan known for dropping other malware onto an infected machine once a backdoor is created. Further, TrickBot is known to search for and harvest sensitive information including passwords, files, and cookies before looking to spread laterally across a network. TrickBot is often seen been distributed via spam email campaigns spread via Emotet. Once TrickBot has harvested all the data it wants it creates a reverse shell which in turn allows for Ryuk’s operators to infect the machine. From the information provided by Bleeping Computer’s source, it is highly probable that the infection is indeed Ryuk as encrypted files contained the .RYK extension appended to them as well as the RyukReadMe.html ransom note dropped on the infected machine.
Fortune 500 Company EMCOR also suffers Ryuk Infection
Not even Fortune 500 companies are safe from Ryuk prying eyes. US-based Fortune 500 Company specializing in engineering and industrial construction services, EMCOR disclosed last month that the company had suffered a cybersecurity incident. Exact details of the attack have not been made public, however, the message announcing the ransomware infection is still present on the company's website almost three weeks after the attack with the attack occurring on February 15, 2020. In the statement made by the company, the offending piece of malware was Ryuk and certain IT systems were shut down to prevent further infection. The company also stated that there appeared to be no evidence of data theft. Further, the company has revised its 2020 earnings estimations to better reflect the downtime and damages caused by the incident.
This may be seen as a positive outcome given how Sodinokibi, Maze, Nemty, and DoppelPaymer have all been threatening to release stolen data if the ransom is not paid. It is important to note that at the time of writing Ryuk has not joined the club of ransomware operators combining data breach tactics.
So far 2020 has already seen interesting evolutions in ransomware tactics and this trend does not appear to be slowing down. In an article published by Bleeping Computer, it would appear that those behind ransomware infections are actively targeting backups found on infected machines. One of the best defenses against ransomware infections is by properly backing up important data regularly, however, if not configured properly this defensive measure can be a liability. In the article ransomware, developers note how cloud backups can be stolen and later used as leverage to help ensure payment of the ransom or the data will be leaked online.
Other malware authors are targeting backups for another reason. If your backups are not made immutable by specific add on software packages they can simply be deleted. This makes recovery from a ransomware attack far harder and far more costly. Further, this creates a greater need to pay the ransom as it might be the only way to recover data. To protect your backups Veeam, a popular backup software provider advises the following,
“Whether it is ultra-resilient backup data like S3-immutable backups in the cloud, encrypted backups on tape or encrypted backups on removable offline storage; customers need to have multiple copies of data. We have advocated for a long time the 3-2-1 Rule, which advocates having 3 different copies of data on 2 different media with one of them being off-site. Couple in 1 copy being on an ultra-resilient technique such as an immutable backup, offline backup or otherwise air-gapped; data can be protected against nearly any failure scenario – including ransomware. Additionally, Veeam also has a technology called Secure Restore; which will perform a threat scan with almost any tool to ensure that a restored system or data does not re-introduce a threat,”