Ransomware, Ryuk, and Risk: Beginning to Understand the Epic Attack on Epiq

According to Shyam Oza, Director of Product Management at Spanning, “The best way to protect your business from Ryuk is to avoid it. Avoidance comes when employees are educated in the matters of ransomware. Some employees do not receive the training, some do, and some know it all too well. Yet, human errors seem to be responsible for 90% of data breaches. Clearly, this tactic is not working.”

en flag
nl flag
et flag
fi flag
fr flag
de flag
pt flag
ru flag
es flag

Editor’s Note: The recent ransomware attack on legal services and eDiscovery provider Epiq has accelerated cybersecurity awareness in the data discovery and legal discovery professional community. The acknowledged ransomware attack appears to have been initiated with a TrickBot infection that enabled the deployment of Ryuk ransomware. The following extracts share information and insight that may be useful to law firms, corporations, and service providers in the eDiscovery ecosystem seeking to learn more about ransomware, the Ryuk ransomware family, and to reduce the risk associated with ransomware attacks.

 

Update from Epiq Global – Statement (March 26, 2020)

Systems Restored – March 26, 2020

We are pleased to announce that all client-facing systems globally are back up and running. We began restoring full functionality for client systems two weeks ago, and have now completed our restoration and hardening activities for all client-facing environments. We are thankful to our IT and Operations teams, as well as IBM, Mandiant, and Microsoft, for their diligent and tireless efforts in fully restoring these environments. Further, we can confirm that Mandiant has found no evidence that any client data was accessed, misused, or exfiltrated. There has been no evidence of malicious activity in our system since March 1, 2020, and the attack did not impact our backup systems or data.

Read the complete article at Epiq Global


An extract from the U.S. Government Interagency Publication on Ransomware

Ransomware: What It Is and What To Do About It

What is Ransomware?

Ransomware is a type of malicious software cyber actors use to deny access to systems or data. The malicious cyber actor holds systems or data hostage until the ransom is paid. After the initial infection, the ransomware attempts to spread to shared storage drives and other accessible systems. If the demands are not met, the system or encrypted data remains unavailable, or data may be deleted.

How do I protect my networks?

A commitment to cyber hygiene and best practices is critical to protecting your networks. Here are some questions you may want to ask of your organization to help prevent ransomware attacks:

  1. Backups: Do we backup all critical information? Are the backups stored offline? Have we tested our ability to revert to backups during an incident?
  2. Risk Analysis: Have we conducted a cybersecurity risk analysis of the organization?
  3. Staff Training: Have we trained staff on cybersecurity best practices?
  4. Vulnerability Patching: Have we implemented appropriate patching of known system vulnerabilities?
  5. Application Whitelisting: Do we allow only approved programs to run on our networks?
  6. Incident Response: Do we have an incident response plan and have we exercised it?
  7. Business Continuity: Are we able to sustain business operations without access to certain systems? For how long? Have we tested this?
  8. Penetration Testing: Have we attempted to hack into our own systems to test the security of our systems and our ability to defend against attacks?

How Do I Respond to Ransomware?

Implement your security incident response and business continuity plan. It may take time for your organization’s IT professionals to isolate and remove the ransomware threat to your systems and restore data and normal operations. In the meantime, you should take steps to maintain your organization’s essential functions according to your business continuity plan. Organizations should maintain and regularly test backup plans, disaster recovery plans, and business continuity procedures.

Contact law enforcement immediately. We encourage you to contact a local FBI or USSS field office immediately to report a ransomware event and request assistance. There are serious risks to consider before paying the ransom. We do not encourage paying a ransom. We understand that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. As you contemplate this choice, consider the following risks:

  • Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after having paid a ransom.
  • Some victims who paid the demand have reported being targeted again by cyber actors.
  • After paying the originally demanded ransom, some victims have been asked to pay more to get the promised decryption key.
  • Paying could inadvertently encourage this criminal business model.

Read the complete document at Ransomware: What It Is and What To Do About It (PDF)


An extract from an article by Gabriela Nicolao and Luciano Martins

Virus Bulletin 2019 Paper: Shinigami’s Revenge: The Long Tail of the Ryuk Malware

Abstract

Ryuk is a ransomware family that, unlike regular ransomware, is tied to targeted campaigns where extortion may occur days or weeks after an initial infection. Ryuk was first observed in August 2018 and remains active as of July 2019 [and is still active].

Among its victims, we find companies from different industries, including newspapers, restaurants, public institutions, and a cloud service provider. Ryuk has been observed as a second-stage payload delivered in campaigns that involved Emotet and Trickbot, two of the most widespread threats that are currently being used in malware campaigns.

Ryuk bears a strong code resemblance to the Hermes ransomware and was likely developed and possibly distributed by the same threat actor(s). The code similarities found between Ryuk and Hermes – a payload that was allegedly linked to North Korean threat actors – led analysts initially to suspect that Ryuk was affiliated with the infamous Lazarus APT (Advance Persistent Threat) group. However, that attribution was discarded based on evidence that was collected from a dark web forum and the malware was later attributed to Russian-speaking actors possibly known as Grim Spider.

Ryuk Chronology

Ryuk is a crypto-ransomware that was first mentioned in a Tweet on 17 August 2018. It used ‘RyukReadMe.txt’ as a ransom note, hence the name. Ryuk is also the name of a fictional character known as Shinigami (God of Death) in a manga and anime series called Death Note.

At the time Ryuk was first reported, it had already hit three companies in different countries, and researchers pointed out that Ryuk was based on the infamous Hermes ransomware’s source code and that it used the same ransom note format as BitPaymer.

The Hermes ransomware was used by Lazarus, a North Korean-sponsored threat actor group active since 2009. Due to the attribution of Hermes to Lazarus, researchers believed that Ryuk was also related to Lazarus.

Read the complete paper at Shinigami’s Revenge: The Long Tail of the Ryuk Malware


An extract from an article by Shyam Oza via Spanning

Ryuk Ransomware

In the autumn fall of 2018, a modified version of Hermes ransomware was discovered: Ryuk. Both Hermes and Ryuk have similar characteristics. They identify and encrypt network devices along with deleting shadow copies stored on the endpoints. The only difference is how they create the encryption keys. While Hermes uses an RSA and private key pair, Ryuk uses a second RSA public key.

Ryuk ransomware is more lucrative than its predecessor. It targets large organizations and government agencies that end up paying up large amounts. The truth is, without the big payoffs, processing Ryuk attacks is not sustainable. It involves a high degree of manual processes (direct exploitation, payment requests handled via email, etc.) and the attackers don’t want to waste time if the ROI isn’t good.

How Does Ryuk Work? 

Ryuk ransomware is not the beginning, but the end of an infection cycle. It’s ransomware that comes into form, step-by-step, and when it strikes, it’s lethal.

Read the complete article at Ryuk Ransomware


Additional Reading

Source: ComplexDiscovery

Have a Request?

If you have information or offering requests that you would like to ask us about, please let us know and we will make our response to you a priority.

ComplexDiscovery is an online publication that highlights data and legal discovery insight and intelligence ranging from original research to aggregated news for use by business, information technology, and legal professionals. The highly targeted publication seeks to increase the collective understanding of readers regarding data and legal discovery information and issues and to provide an objective resource for considering trends, technologies, and services related to electronically stored information.

ComplexDiscovery OÜ is a technology marketing firm providing strategic planning and tactical execution expertise in support of data and legal discovery organizations. Registered as a private limited company in the European Union country of Estonia, one of the most digitally advanced countries in the world, ComplexDiscovery OÜ operates virtually worldwide to deliver marketing consulting and services.

A (Brand) New Approach? Considering the Framework and Structure of eDiscovery Offerings

Today’s eDiscovery providers may benefit from the lessons learned in the creation of the Sgt. Pepper’s Lonely Hearts Club Band album by creating a concept for branding and packaging their offerings within that brand in a connected, theme-based way that represents the offerings’ promise and capability in a way that is easy to understand and remember.

This fictionalized branding approach was developed from the intellectual exercise of trying to figure out a reasonable and memorable way to descriptively highlight the promise and capabilities of offerings typically delivered by full-service eDiscovery providers. It may not be completely comprehensive or fully normalized. However, the hope of sharing this branding example is that it might help those involved in the branding and communication of eDiscovery provider services and solutions.

First Legal Acquires eDiscovery Provider Redpoint Technologies

According to Alex Martinez, CEO of First Legal, “Both First Legal...

Veristar Acquires Planet Data

According to Veristar company founder, CEO, and president Rick Avers, “We...

Questel Acquires doeLEGAL

doeLEGAL today announced that it has been acquired by intellectual property...

Following the Money? Mike Bryant Provides a SOLID Look at Legal Tech Merger and Acquisition Activity

From seed and venture capital investments to private equity and Special...

A New Era in eDiscovery? Framing Market Growth Through the Lens of Six Eras

There are many excellent resources for considering chronological and historiographical approaches...

An eDiscovery Market Size Mashup: 2020-2025 Worldwide Software and Services Overview

While the Compound Annual Growth Rate (CAGR) for worldwide eDiscovery software...

Resetting the Baseline? eDiscovery Market Size Adjustments for 2020

An unanticipated pandemeconomic-driven retraction in eDiscovery spending during 2020 has resulted...

Home or Away? New eDiscovery Collection Market Sizing and Pricing Considerations

One of the key home (onsite) or away (remote) decisions that...

Five Great Reads on eDiscovery for February 2021

From litigation trends and legal tech investing to facial recognition and...

Five Great Reads on eDiscovery for January 2021

From eDiscovery business confidence and operational metrics to merger and acquisition...

Five Great Reads on eDiscovery for December 2020

May the peace and joy of the holiday season be with...

Five Great Reads on eDiscovery for November 2020

From market sizing and cyber law to industry investments and customer...

HaystackID Recognized in IDC MarketScape for eDiscovery Services

According to HaystackID CEO Hal Brooks, “We are proud to once...

A Generational View of Remote Security? HaystackID™ Releases 3.0 Security Enhancements to Review Technology

According to HaystackID's Senior Vice President and General Manager for Review...

Only a Matter of Time? HaystackID Launches New Service for Data Breach Discovery and Review

According to HaystackID's Chief Innovation Officer and President of Global Investigations,...

It’s a Match! Focusing on the Total Cost of eDiscovery Review with ReviewRight Match

As a leader in remote legal document review, HaystackID provides clients...

Cold Weather Catch? Predictive Coding Technologies and Protocols Survey – Spring 2021 Results

The Predictive Coding Technologies and Protocols Survey is a non-scientific semi-annual...

Out of the Woods? Eighteen Observations on eDiscovery Business Confidence in the Winter of 2021

In the winter of 2021, 85.0% of eDiscovery Business Confidence Survey...

Issues Impacting eDiscovery Business Performance: A Winter 2021 Overview

In the winter of 2021, 43.3% of respondents viewed budgetary constraints...

Not So Outstanding? eDiscovery Operational Metrics in the Winter of 2021

In the winter of 2021, eDiscovery Business Confidence Survey more...