Ransomware, Ryuk, and Risk: Beginning to Understand the Epic Attack on Epiq

According to Shyam Oza, Director of Product Management at Spanning, “The best way to protect your business from Ryuk is to avoid it. Avoidance comes when employees are educated in the matters of ransomware. Some employees do not receive the training, some do, and some know it all too well. Yet, human errors seem to be responsible for 90% of data breaches. Clearly, this tactic is not working.”


Editor’s Note: The recent ransomware attack on legal services and eDiscovery provider Epiq has accelerated cybersecurity awareness in the data discovery and legal discovery professional community. The acknowledged ransomware attack appears to have been initiated with a TrickBot infection that enabled the deployment of Ryuk ransomware. The following extracts share information and insight that may be useful to law firms, corporations, and service providers in the eDiscovery ecosystem seeking to learn more about ransomware, the Ryuk ransomware family, and to reduce the risk associated with ransomware attacks.


Update from Epiq Global – Statement (March 26, 2020)

Systems Restored – March 26, 2020

We are pleased to announce that all client-facing systems globally are back up and running. We began restoring full functionality for client systems two weeks ago, and have now completed our restoration and hardening activities for all client-facing environments. We are thankful to our IT and Operations teams, as well as IBM, Mandiant, and Microsoft, for their diligent and tireless efforts in fully restoring these environments. Further, we can confirm that Mandiant has found no evidence that any client data was accessed, misused, or exfiltrated. There has been no evidence of malicious activity in our system since March 1, 2020, and the attack did not impact our backup systems or data.

Read the complete article at Epiq Global


An extract from the U.S. Government Interagency Publication on Ransomware

Ransomware: What It Is and What To Do About It

What is Ransomware?

Ransomware is a type of malicious software cyber actors use to deny access to systems or data. The malicious cyber actor holds systems or data hostage until the ransom is paid. After the initial infection, the ransomware attempts to spread to shared storage drives and other accessible systems. If the demands are not met, the system or encrypted data remains unavailable, or data may be deleted.

How do I protect my networks?

A commitment to cyber hygiene and best practices is critical to protecting your networks. Here are some questions you may want to ask of your organization to help prevent ransomware attacks:

  1. Backups: Do we back up all critical information? Are the backups stored offline? Have we tested our ability to revert to backups during an incident?
  2. Risk Analysis: Have we conducted a cybersecurity risk analysis of the organization?
  3. Staff Training: Have we trained staff on cybersecurity best practices?
  4. Vulnerability Patching: Have we implemented appropriate patching of known system vulnerabilities?
  5. Application Whitelisting: Do we allow only approved programs to run on our networks?
  6. Incident Response: Do we have an incident response plan and have we exercised it?
  7. Business Continuity: Are we able to sustain business operations without access to certain systems? For how long? Have we tested this?
  8. Penetration Testing: Have we attempted to hack into our own systems to test the security of our systems and our ability to defend against attacks?

How Do I Respond to Ransomware?

Implement your security incident response and business continuity plan. It may take time for your organization’s IT professionals to isolate and remove the ransomware threat to your systems and restore data and normal operations. In the meantime, you should take steps to maintain your organization’s essential functions according to your business continuity plan. Organizations should maintain and regularly test backup plans, disaster recovery plans, and business continuity procedures.

Contact law enforcement immediately. We encourage you to contact a local FBI or USSS field office immediately to report a ransomware event and request assistance. There are serious risks to consider before paying the ransom. We do not encourage paying a ransom. We understand that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. As you contemplate this choice, consider the following risks:

  • Paying a ransom does not guarantee an organization will regain access to its data; in fact, some individuals or organizations were never provided with decryption keys after having paid a ransom.
  • Some victims who paid the demand have reported being targeted again by cyber actors.
  • After paying the originally demanded ransom, some victims have been asked to pay more to get the promised decryption key.
  • Paying could inadvertently encourage this criminal business model.

Read the complete document at Ransomware: What It Is and What To Do About It (PDF)


An extract from an article by Gabriela Nicolao and Luciano Martins

Virus Bulletin 2019 Paper: Shinigami’s Revenge: The Long Tail of the Ryuk Malware

Abstract

Ryuk is a ransomware family that, unlike regular ransomware, is tied to targeted campaigns where extortion may occur days or weeks after an initial infection. Ryuk was first observed in August 2018 and remains active as of July 2019 [and is still active].

Among its victims, we find companies from different industries, including newspapers, restaurants, public institutions, and a cloud service provider. Ryuk has been observed as a second-stage payload delivered in campaigns that involved Emotet and Trickbot, two of the most widespread threats that are currently being used in malware campaigns.

Ryuk bears a strong code resemblance to the Hermes ransomware and was likely developed and possibly distributed by the same threat actor(s). The code similarities found between Ryuk and Hermes – a payload that was allegedly linked to North Korean threat actors – initially led analysts to suspect that Ryuk was affiliated with the infamous Lazarus APT (Advanced Persistent Threat) group. However, that attribution was discarded based on evidence collected from a dark web forum, and the malware was later attributed to Russian-speaking actors possibly known as Grim Spider.

Ryuk Chronology

Ryuk is a crypto-ransomware that was first mentioned in a Tweet on 17 August 2018. It used ‘RyukReadMe.txt’ as a ransom note, hence the name. Ryuk is also the name of a fictional character known as Shinigami (God of Death) in a manga and anime series called Death Note.

At the time Ryuk was first reported, it had already hit three companies in different countries, and researchers pointed out that Ryuk was based on the infamous Hermes ransomware’s source code and that it used the same ransom note format as BitPaymer.

The Hermes ransomware was used by Lazarus, a North Korean-sponsored threat actor group active since 2009. Due to the attribution of Hermes to Lazarus, researchers believed that Ryuk was also related to Lazarus.

Read the complete paper at Shinigami’s Revenge: The Long Tail of the Ryuk Malware


An extract from an article by Shyam Oza via Spanning

Ryuk Ransomware

In the fall of 2018, a modified version of the Hermes ransomware was identified: Ryuk. Both share the same core behaviour: they enumerate and encrypt reachable network devices and delete the volume shadow copies on the endpoints, so that Windows cannot be used to roll files back to earlier versions. The main difference is how the encryption keys are handled. Hermes generates its RSA key pair on the victim machine at runtime; Ryuk instead ships a second, victim-specific RSA public key embedded in the sample, so the matching private key never touches the victim host.
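The two behaviours named above, shadow copy deletion and the dropping of the RyukReadMe.txt ransom note (the note name is documented in the Virus Bulletin extract below), are also the two things a defender can most easily alert on. The following script is an added example and not code from the Spanning article or from any party named on this page. It scans process-creation and file-creation events for those behaviours. The pipe-delimited event format, the hostnames, and the event lines themselves are constructed for illustration; the command-line patterns are assumptions based on the built-in Windows tools that are commonly used to remove shadow copies and disable recovery (vssadmin, wmic, bcdedit), which the page itself does not name.

```python
"""Flag Ryuk-style shadow copy tampering and ransom-note drops in endpoint
events.  Added example with constructed event lines; the detection patterns
are assumptions, not rules published by any vendor named on the page."""
import re
from dataclasses import dataclass

# Assumed detection rules: command lines that delete or shrink Volume Shadow
# Copies or switch off Windows recovery.  Each is a real built-in tool, but
# which of them a given Ryuk sample invokes is not stated on the page.
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no", re.I),
]

# The ransom note name documented for Ryuk; the .html variant is assumed.
RANSOM_NOTE = re.compile(r"RyukReadMe\.(txt|html)$", re.I)

# Constructed sample telemetry (not real logs): one 'key=value|...' event
# per line.  WS02 runs a harmless 'vssadmin list shadows' and must not fire.
SAMPLE_EVENTS = """\
type=process|host=WS01|user=jsmith|cmd=C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
type=process|host=WS01|user=jsmith|cmd=wmic shadowcopy delete
type=process|host=WS02|user=svc|cmd=C:\\Windows\\System32\\vssadmin.exe list shadows
type=file|host=WS01|path=C:\\Users\\jsmith\\Documents\\RyukReadMe.txt
type=file|host=FS01|path=\\\\FS01\\share\\finance\\RyukReadMe.html
type=process|host=WS03|user=admin|cmd=bcdedit /set {default} recoveryenabled No
"""


@dataclass
class Finding:
    host: str
    rule: str
    evidence: str


def parse_event(line: str) -> dict:
    """Split a 'key=value|key=value' line into a dict (first '=' wins)."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def analyse(lines):
    """Return one Finding per matching event; non-matching events are ignored."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("type") == "process":
            cmd = ev.get("cmd", "")
            if any(p.search(cmd) for p in SHADOW_COPY_PATTERNS):
                findings.append(Finding(ev["host"], "shadow_copy_tampering", cmd))
        elif ev.get("type") == "file":
            path = ev.get("path", "")
            if RANSOM_NOTE.search(path):
                findings.append(Finding(ev["host"], "ryuk_ransom_note", path))
    return findings


def triage(findings):
    """Rate each host: both behaviours on one host is 'high', one alone is
    'medium' (admins do legitimately delete shadow copies, so a lone
    shadow-copy hit is worth a look but is not proof of ransomware)."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return {host: ("high" if len(rules) == 2 else "medium")
            for host, rules in rules_by_host.items()}


if __name__ == "__main__":
    hits = analyse(SAMPLE_EVENTS.splitlines())
    for f in hits:
        print(f"{f.host:5} {f.rule:24} {f.evidence}")
    print(triage(hits))
```

On the sample data WS01 is rated high (two shadow copy deletions plus a ransom note), FS01 and WS03 medium, and WS02 is not reported at all. In production the same logic would run over Sysmon or EDR process and file events, and the ransom-note rule is usually strengthened by counting notes per host: Ryuk writes one into every directory it encrypts, so dozens of hits in seconds is a far stronger signal than a single file.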

Ryuk ransomware is more lucrative than its predecessor. It targets large organizations and government agencies that end up paying large amounts. Without those big payoffs, running Ryuk attacks would not be sustainable: the operation involves a high degree of manual work (hands-on exploitation, payment requests handled via email, etc.), and the attackers do not want to spend that effort where the return is poor.

How Does Ryuk Work? 

Ryuk ransomware is not the beginning but the end of an infection cycle. It is deployed as the final stage of an intrusion that typically begins with a commodity loader such as Emotet or TrickBot, followed by manual reconnaissance and lateral movement; by the time the encryption runs, the attackers have already mapped the network and chosen the systems whose loss will hurt most, which is why the impact is so severe.

Read the complete article at Ryuk Ransomware


Source: ComplexDiscovery
