The Ransomware Attack on Epiq Global has New Details
Ransomware Attack on Epiq Hits Web and Managed Services
Ryuk ransomware hit the web services and eDiscovery firm last week, forcing it to take its systems offline. Ryuk is a well-known and destructive crypto-ransomware that encrypts victims’ files and blocks access to them until the ransom is paid.
The Ryuk operators then demand that the victim meet their ransom demands.
On March 2, a legal reporter wrote that Epiq had taken its systems offline after Ryuk ransomware encrypted its devices. Epiq’s legal clients could not access their files or documents through its eDiscovery platforms, and those files were critical to court cases and other deadlines.
Epiq released a statement saying that they had taken their systems offline to stop the threat from getting worse.
“On February 29, we discovered unauthorized activity on the systems. This was confirmed to be a ransomware-related attack. We immediately shut down our global systems to stop the threat. To investigate further, we partnered with an independent forensic firm.
Our technical team works closely with third-party experts of world-class quality to resolve this issue and get our systems back online as soon as possible.
Federal law enforcement agencies have also been informed and are participating in the investigation.
The company’s top priority is to protect client and employee data. We have no evidence that any data has been subject to unauthorized transfer, misuse, or exfiltration.”
Later that day, reports revealed that all 80 Epiq global offices and computers were affected.
How Ryuk Invaded Epiq
TrickBot malware infected an Epiq computer at the end of December last year. The TrickBot Trojan is typically downloaded onto a machine after an Emotet infection that arrives by email.
TrickBot steals passwords and cookies from victim computers and then moves laterally through the network, harvesting more data as it goes. TrickBot can then give the attackers access via a reverse shell. The Ryuk operators use that access to reach the infected computers, survey the network, and continue stealing administrator credentials. They then use PowerShell Empire and PsExec to install the ransomware on network devices.
The attackers distributed Ryuk ransomware across Epiq’s network on Saturday, February 29, 2020. The ransomware began encrypting files and data on the affected computers. During encryption a ransom note, RyukReadMe.html, is created and placed in each folder, and each encrypted file is given a .RYK extension.
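The intrusion chain above (PsExec service installs, hidden encoded PowerShell launchers, ransom notes and .RYK renames) is the kind of sequence a defender wants to spot in host telemetry before the encryption stage completes. The following detection script is an added example, not code from the article, from Epiq, or from Virsec. It runs over constructed sample log lines in a made-up key=value format loosely modelled on Windows event IDs 7045 (service install), 4688 (process creation) and Sysmon 11 (file create); the field names and the event contents are assumptions for illustration. The indicators it keys on (a PSEXESVC service, PowerShell run hidden with an encoded command, RyukReadMe.html, the .RYK extension) are the ones the article names or that are widely documented for these tools.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample telemetry for this example (NOT real Epiq data).
# Format assumed here: "<timestamp> key=value key=value ..." with quoted
# values allowed; "event" mimics a Windows / Sysmon event ID.
SAMPLE_EVENTS = [
    r'2020-02-29T01:12:03 host=FS01 event=7045 service_name=PSEXESVC image=C:\Windows\PSEXESVC.exe',
    r'2020-02-29T01:12:09 host=FS01 event=4688 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -noP -sta -w 1 -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA..."',
    r'2020-02-29T01:15:44 host=FS01 event=11 file=D:\Cases\RyukReadMe.html',
    r'2020-02-29T01:15:45 host=FS01 event=11 file=D:\Cases\deposition.pdf.RYK',
    r'2020-02-29T01:20:00 host=WS07 event=4688 image=C:\Windows\System32\notepad.exe cmdline="notepad.exe notes.txt"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# PowerShell launched with an encoded command (-enc / -EncodedCommand) ...
ENCODED_PS_RE = re.compile(r"-(enc|encodedcommand)\b", re.IGNORECASE)
# ... and with profile suppressed or the window hidden, as Empire-style
# launchers typically do.
HIDDEN_PS_RE = re.compile(r"-(nop|noprofile|w\s+(1|hidden))\b", re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    host: str
    stage: str    # coarse kill-chain stage for triage
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Split a constructed '<timestamp> key=value ...' line into a dict."""
    timestamp, _, rest = line.partition(" ")
    fields = {"timestamp": timestamp}
    for key, value in FIELD_RE.findall(rest):
        fields[key] = value.strip('"')
    return fields


def classify(ev: Dict[str, str]) -> Optional[Finding]:
    """Map one parsed event to a Finding if it matches a Ryuk-chain indicator."""
    event = ev.get("event")
    ts, host = ev["timestamp"], ev.get("host", "?")
    # PsExec installs a transient service named PSEXESVC on the target host.
    if event == "7045" and ev.get("service_name", "").upper() == "PSEXESVC":
        return Finding(ts, host, "lateral-movement", "PsExec service (PSEXESVC) installed")
    if event == "4688":
        cmd = ev.get("cmdline", "")
        if "powershell" in cmd.lower() and ENCODED_PS_RE.search(cmd) and HIDDEN_PS_RE.search(cmd):
            return Finding(ts, host, "execution", "hidden encoded PowerShell launcher (Empire-style)")
    if event == "11":
        path = ev.get("file", "")
        name = path.rsplit("\\", 1)[-1].lower()
        if name == "ryukreadme.html":
            return Finding(ts, host, "impact", f"Ryuk ransom note dropped: {path}")
        if name.endswith(".ryk"):
            return Finding(ts, host, "impact", f"file renamed with .RYK extension: {path}")
    return None


def detect(lines: List[str]) -> List[Finding]:
    """Run every line through the classifier; results are ordered by timestamp."""
    findings = [f for f in (classify(parse_event(l)) for l in lines) if f is not None]
    return sorted(findings, key=lambda f: f.timestamp)


def timeline_by_host(findings: List[Finding]) -> Dict[str, List[Tuple[str, str]]]:
    """Group findings per host so the earliest indicator (dwell time) is visible."""
    timeline: Dict[str, List[Tuple[str, str]]] = {}
    for f in findings:
        timeline.setdefault(f.host, []).append((f.timestamp, f.stage))
    return timeline


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.timestamp} {f.host:<5} {f.stage:<17} {f.detail}")
    print(timeline_by_host(hits))
```

On the constructed sample the script flags FS01 four times, in order: the PsExec service install, the hidden encoded PowerShell launch, the ransom note, and the first .RYK rename; the benign notepad launch on WS07 produces nothing. Ordering findings per host matters because the first indicator, not the first .RYK file, is the starting point for the dwell-time question raised later in the article.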
Some Habits of Ryuk Threat Actors
Ryuk has been around since August 2018, but it has gained a growing reputation as a dangerous and terrifying threat since Christmas 2018.
Ryuk is known for targeting large enterprises and seeking large ransoms. Malwarebytes says Ryuk’s attackers are known to seek ransoms in the range of $97-$320K. In December 2019 we wrote “In 2019, The Year of Rising Ransomware, Ryuk Wields Its Own Unique Nastiness.” This type of campaign is often rolled out in stages, and we described that as the case with this one too. The attackers first obtain user credentials that let them access the network and then survey the asset landscape. The next steps usually involve spying once inside the network, then data encryption, and finally the ransom demand and extortion.
These are the exact steps that Ryuk operators were said to have taken in attacking Epiq.
The Fallout Remains to Be Seen
According to Emsisoft threat analyst Brett Callow, Epiq said that there is no evidence that the attack resulted “in any unauthorized transfer, misuse or exfiltration of any data.” But Callow warns that it is impossible to determine the state of the data without a thorough forensic investigation. Given how long the attackers were present (the dwell time), a cursory evaluation cannot reveal whether there was an underlying compromise. Callow adds that it is unlikely that data was stolen, as the Ryuk group is not known to steal data.
Customers may not be notified immediately if a ransomware attack has occurred. Companies aren’t required to disclose this information. Customers who are not informed about ransomware attacks are more at risk than others.
To take down Epiq’s entire network, attackers needed only one successful phishing attack. Network security and health must be a priority. It is foolish to rely solely on third-party security, such as that of the cloud provider or data center. Companies should also segment their data and networks so that any infected area is contained and cannot spread to other parts of the network. This sounds very similar to the virus problems that every citizen has these days.
Emsisoft offers a Small Chance for a Remedy
Epiq has not yet disclosed whether it paid the ransom. Emsisoft, which assisted others in similar situations last year, may be able to help. They said there is a chance they can recover files encrypted by Ryuk.
How does Virsec help businesses protect themselves from Ryuk?
While remediation is welcome, prevention matters more. Any offer of help is appreciated in a difficult situation, but it is better not to have your files encrypted at all than to search for a way to decrypt ransomed ones.
Steps to Block Ransomware
- Follow security best practices
- Educate your employees about phishing; this is perhaps the single most effective preventative measure you can take
- Enable two-factor authentication on network devices and systems
- Use strong passwords and regular updates, and enforce your password management policy
- Require third-party vendors to follow your security standards
- Protect your data by installing a reliable backup and recovery system
- Protect memory and applications
Protecting Apps – Virsec’s Innovative and Effective Application, Runtime, and Memory Protection
Virsec uses a unique approach for protecting your applications from cyberattacks, including ransomware.
Only Virsec Security Platform Delivers
- Protection of runtime processes, files, applications, workflows, memory, libraries, and other file systems
- Automated attack mitigation and remediation early in the attack cycle, without expert analysis or machine learning
- Deterministic threat detection based on request deviations initiated via malicious code, remote hackers, and files, regardless of how the attack originated