Sat. Aug 13th, 2022

    Editor’s Note: The recent ransomware attack on legal services and eDiscovery provider Epiq has accelerated cybersecurity awareness in the data discovery and legal discovery professional community. The acknowledged ransomware attack appears to have been initiated with a TrickBot infection that enabled the deployment of Ryuk ransomware. The following extracts share information and insight that may be useful to law firms, corporations, and service providers in the eDiscovery ecosystem seeking to learn more about ransomware and the Ryuk ransomware family and to reduce the risk associated with ransomware attacks.


    Update from Epiq Global – Statement (March 26, 2020)

    Systems Restored – March 26, 2020

    We are pleased to announce that all client-facing systems globally are back up and running. We began restoring full functionality for client systems two weeks ago, and have now completed our restoration and hardening activities for all client-facing environments. We are thankful to our IT and Operations teams, as well as IBM, Mandiant, and Microsoft, for their diligent and tireless efforts in fully restoring these environments. Further, we can confirm that Mandiant has found no evidence that any client data was accessed, misused, or exfiltrated. There has been no evidence of malicious activity in our system since March 1, 2020, and the attack did not impact our backup systems or data.

    Read the complete article at Epiq Global


    An extract from the U.S. Government Interagency Publication on Ransomware

    Ransomware: What It Is and What To Do About It

    What is Ransomware?

    Ransomware is a type of malicious software cyber actors use to deny access to systems or data. The malicious cyber actor holds systems or data hostage until the ransom is paid. After the initial infection, the ransomware attempts to spread to shared storage drives and other accessible systems. If the demands are not met, the system or encrypted data remains unavailable, or data may be deleted.

    How do I protect my networks?

    A commitment to cyber hygiene and best practices is critical to protecting your networks. Here are some questions you may want to ask of your organization to help prevent ransomware attacks:

    1. Backups: Do we back up all critical information? Are the backups stored offline? Have we tested our ability to revert to backups during an incident?
    2. Risk Analysis: Have we conducted a cybersecurity risk analysis of the organization?
    3. Staff Training: Have we trained staff on cybersecurity best practices?
    4. Vulnerability Patching: Have we implemented appropriate patching of known system vulnerabilities?
    5. Application Whitelisting: Do we allow only approved programs to run on our networks?
    6. Incident Response: Do we have an incident response plan and have we exercised it?
    7. Business Continuity: Are we able to sustain business operations without access to certain systems? For how long? Have we tested this?
    8. Penetration Testing: Have we attempted to hack into our own systems to test the security of our systems and our ability to defend against attacks?

    How Do I Respond to Ransomware?

    Implement your security incident response and business continuity plan. It may take time for your organization’s IT professionals to isolate and remove the ransomware threat to your systems and restore data and normal operations. In the meantime, you should take steps to maintain your organization’s essential functions according to your business continuity plan. Organizations should maintain and regularly test backup plans, disaster recovery plans, and business continuity procedures.

    Contact law enforcement immediately. We encourage you to contact a local FBI or USSS field office immediately to report a ransomware event and request assistance. There are serious risks to consider before paying the ransom. We do not encourage paying a ransom. We understand that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. As you contemplate this choice, consider the following risks:

    • Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after having paid a ransom.
    • Some victims who paid the demand have reported being targeted again by cyber actors.
    • After paying the originally demanded ransom, some victims have been asked to pay more to get the promised decryption key.
    • Paying could inadvertently encourage this criminal business model.

    Read the complete document at Ransomware: What It Is and What To Do About It (PDF)


    An extract from an article by Gabriela Nicolao and Luciano Martins

    Virus Bulletin 2019 Paper: Shinigami’s Revenge: The Long Tail of the Ryuk Malware

    Abstract

    Ryuk is a ransomware family that, unlike regular ransomware, is tied to targeted campaigns where extortion may occur days or weeks after an initial infection. Ryuk was first observed in August 2018 and remains active as of July 2019 [and is still active].

    Among its victims, we find companies from different industries, including newspapers, restaurants, public institutions, and a cloud service provider. Ryuk has been observed as a second-stage payload delivered in campaigns that involved Emotet and Trickbot, two of the most widespread threats that are currently being used in malware campaigns.

    Ryuk bears a strong code resemblance to the Hermes ransomware and was likely developed and possibly distributed by the same threat actor(s). The code similarities found between Ryuk and Hermes – a payload that was allegedly linked to North Korean threat actors – led analysts initially to suspect that Ryuk was affiliated with the infamous Lazarus APT (Advanced Persistent Threat) group. However, that attribution was discarded based on evidence that was collected from a dark web forum, and the malware was later attributed to Russian-speaking actors possibly known as Grim Spider.

    Ryuk Chronology

    Ryuk is a crypto-ransomware that was first mentioned in a Tweet on 17 August 2018. It used ‘RyukReadMe.txt’ as a ransom note, hence the name. Ryuk is also the name of a fictional character known as Shinigami (God of Death) in a manga and anime series called Death Note.

    At the time Ryuk was first reported, it had already hit three companies in different countries, and researchers pointed out that Ryuk was based on the infamous Hermes ransomware’s source code and that it used the same ransom note format as BitPaymer.

    The Hermes ransomware was used by Lazarus, a North Korean-sponsored threat actor group active since 2009. Due to the attribution of Hermes to Lazarus, researchers believed that Ryuk was also related to Lazarus.

    Read the complete paper at Shinigami’s Revenge: The Long Tail of the Ryuk Malware


    An extract from an article by Shyam Oza via Spanning

    Ryuk Ransomware

    In the fall of 2018, a modified version of Hermes ransomware was discovered: Ryuk. Both Hermes and Ryuk have similar characteristics. They identify and encrypt network devices along with deleting shadow copies stored on the endpoints. The only difference is how they create the encryption keys. While Hermes uses an RSA public and private key pair, Ryuk uses a second RSA public key.

    Ryuk ransomware is more lucrative than its predecessor. It targets large organizations and government agencies that end up paying large amounts. The truth is, without the big payoffs, processing Ryuk attacks is not sustainable. It involves a high degree of manual processes (direct exploitation, payment requests handled via email, etc.) and the attackers don’t want to waste time if the ROI isn’t good.

    How Does Ryuk Work?

    Ryuk ransomware is not the beginning, but the end of an infection cycle. It’s ransomware that comes into form, step-by-step, and when it strikes, it’s lethal.

    Read the complete article at Ryuk Ransomware
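    The extract above notes that Hermes and Ryuk delete the shadow copies on an endpoint before encrypting, which removes the easiest local recovery path. The following is an added detection example, not code from the Spanning article or any of the sources quoted here: it scans process-creation log lines (constructed samples in a simplified `user|parent|command line` form) for the well-known shadow-copy and recovery-tampering commands catalogued under MITRE ATT&CK T1490, so a defender can alert on the backup-destruction step before the encryption phase.

```python
# Added example (not from the page or the quoted articles). Flags process-creation
# records that show Volume Shadow Copy deletion or other recovery tampering, the
# backup-destroying step the extract attributes to Hermes/Ryuk.
import re
from dataclasses import dataclass

# Well-known recovery-tampering command shapes (MITRE ATT&CK T1490, "Inhibit System Recovery").
SHADOW_COPY_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b.*\bno\b", re.I),
]

@dataclass
class Alert:
    line_no: int   # 1-based index into the log batch
    user: str      # account that launched the process
    parent: str    # parent process image
    command: str   # full command line that matched

def parse_line(line):
    """Split a simplified 'user|parent|command line' record; None if malformed."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    return tuple(p.strip() for p in parts)

def find_shadow_copy_tampering(log_lines):
    """Return one Alert per record whose command line matches a T1490 pattern.
    Read-only commands such as 'vssadmin list shadows' are deliberately not flagged."""
    alerts = []
    for n, line in enumerate(log_lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        user, parent, cmd = rec
        if any(p.search(cmd) for p in SHADOW_COPY_PATTERNS):
            alerts.append(Alert(n, user, parent, cmd))
    return alerts

# Constructed sample records: two benign, four that mirror recovery tampering.
SAMPLE_LOG = [
    r"SYSTEM|services.exe|C:\Windows\System32\svchost.exe -k netsvcs",
    r"CORP\backupsvc|backup_agent.exe|vssadmin list shadows",
    r"CORP\jdoe|cmd.exe|vssadmin.exe Delete Shadows /all /quiet",
    r"CORP\jdoe|cmd.exe|wmic.exe shadowcopy delete",
    r"CORP\jdoe|cmd.exe|bcdedit /set {default} recoveryenabled No",
    r"CORP\jdoe|cmd.exe|vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB",
]

if __name__ == "__main__":
    for a in find_shadow_copy_tampering(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.user} via {a.parent}: {a.command}")
```

    In production the same patterns would be applied to Sysmon Event ID 1 or Windows Security 4688 command-line fields; a burst of these from one interactive user account, as in the sample, is a strong signal to isolate the host.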


    Additional Reading

    Source: ComplexDiscovery
