Editor’s Note: The recent ransomware attack on legal services and eDiscovery provider Epiq has accelerated cybersecurity awareness in the data discovery and legal discovery professional community. The acknowledged ransomware attack appears to have been initiated with a TrickBot infection that enabled the deployment of Ryuk ransomware. The following extracts share information and insight that may be useful to law firms, corporations, and service providers in the eDiscovery ecosystem seeking to learn more about ransomware, the Ryuk ransomware family, and to reduce the risk associated with ransomware attacks.
Update from Epiq Global – Statement (March 26, 2020)
Systems Restored – March 26, 2020
We are pleased to announce that all client-facing systems globally are back up and running. We began restoring full functionality for client systems two weeks ago, and have now completed our restoration and hardening activities for all client-facing environments. We are thankful to our IT and Operations teams, as well as IBM, Mandiant, and Microsoft, for their diligent and tireless efforts in fully restoring these environments. Further, we can confirm that Mandiant has found no evidence that any client data was accessed, misused, or exfiltrated. There has been no evidence of malicious activity in our system since March 1, 2020, and the attack did not impact our backup systems or data.
An extract from the U.S. Government Interagency Publication on Ransomware
Ransomware: What It Is and What To Do About It
What is Ransomware?
Ransomware is a type of malicious software cyber actors use to deny access to systems or data. The malicious cyber actor holds systems or data hostage until the ransom is paid. After the initial infection, the ransomware attempts to spread to shared storage drives and other accessible systems. If the demands are not met, the system or encrypted data remains unavailable, or data may be deleted.
How do I protect my networks?
A commitment to cyber hygiene and best practices is critical to protecting your networks. Here are some questions you may want to ask of your organization to help prevent ransomware attacks:
- Backups: Do we back up all critical information? Are the backups stored offline? Have we tested our ability to revert to backups during an incident?
- Risk Analysis: Have we conducted a cybersecurity risk analysis of the organization?
- Staff Training: Have we trained staff on cybersecurity best practices?
- Vulnerability Patching: Have we implemented appropriate patching of known system vulnerabilities?
- Application Whitelisting: Do we allow only approved programs to run on our networks?
- Incident Response: Do we have an incident response plan and have we exercised it?
- Business Continuity: Are we able to sustain business operations without access to certain systems? For how long? Have we tested this?
- Penetration Testing: Have we attempted to hack into our own systems to test the security of our systems and our ability to defend against attacks?
How Do I Respond to Ransomware?
Implement your security incident response and business continuity plan. It may take time for your organization’s IT professionals to isolate and remove the ransomware threat to your systems and restore data and normal operations. In the meantime, you should take steps to maintain your organization’s essential functions according to your business continuity plan. Organizations should maintain and regularly test backup plans, disaster recovery plans, and business continuity procedures.
Contact law enforcement immediately. We encourage you to contact a local FBI or USSS field office immediately to report a ransomware event and request assistance. There are serious risks to consider before paying the ransom. We do not encourage paying a ransom. We understand that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. As you contemplate this choice, consider the following risks:
- Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after having paid a ransom.
- Some victims who paid the demand have reported being targeted again by cyber actors.
- After paying the originally demanded ransom, some victims have been asked to pay more to get the promised decryption key.
- Paying could inadvertently encourage this criminal business model.
An extract from an article by Gabriela Nicolao and Luciano Martins
Virus Bulletin 2019 Paper: Shinigami’s Revenge: The Long Tail of the Ryuk Malware
Ryuk is a ransomware family that, unlike regular ransomware, is tied to targeted campaigns where extortion may occur days or weeks after an initial infection. Ryuk was first observed in August 2018 and remains active as of July 2019 [and is still active].
Among its victims, we find companies from different industries, including newspapers, restaurants, public institutions, and a cloud service provider. Ryuk has been observed as a second-stage payload delivered in campaigns that involved Emotet and Trickbot, two of the most widespread threats that are currently being used in malware campaigns.
Ryuk bears a strong code resemblance to the Hermes ransomware and was likely developed and possibly distributed by the same threat actor(s). The code similarities found between Ryuk and Hermes – a payload that was allegedly linked to North Korean threat actors – led analysts initially to suspect that Ryuk was affiliated with the infamous Lazarus APT (Advanced Persistent Threat) group. However, that attribution was discarded based on evidence that was collected from a dark web forum, and the malware was later attributed to Russian-speaking actors possibly known as Grim Spider.
Ryuk is a crypto-ransomware that was first mentioned in a Tweet on 17 August 2018. It used ‘RyukReadMe.txt’ as a ransom note, hence the name. Ryuk is also the name of a fictional character known as Shinigami (God of Death) in a manga and anime series called Death Note.
At the time Ryuk was first reported, it had already hit three companies in different countries, and researchers pointed out that Ryuk was based on the infamous Hermes ransomware’s source code and that it used the same ransom note format as BitPaymer.
The Hermes ransomware was used by Lazarus, a North Korean-sponsored threat actor group active since 2009. Due to the attribution of Hermes to Lazarus, researchers believed that Ryuk was also related to Lazarus.
An extract from an article by Shyam Oza via Spanning
In the fall of 2018, a modified version of Hermes ransomware was discovered: Ryuk. Hermes and Ryuk share most of their characteristics. They identify and encrypt network devices and delete the shadow copies stored on the endpoints. The only difference is how they create the encryption keys: while Hermes uses an RSA public and private key pair, Ryuk uses a second RSA public key.
Ryuk ransomware is more lucrative than its predecessor. It targets large organizations and government agencies that end up paying large amounts. Without the big payoffs, running Ryuk attacks would not be sustainable: they involve a high degree of manual work (direct exploitation, payment requests handled via email, etc.), and the attackers don’t want to waste time if the ROI isn’t good.
How Does Ryuk Work?
Ryuk ransomware is not the beginning but the end of an infection cycle. It takes shape step by step, and when it finally strikes, it is lethal.
An extract from an article by Lawrence Abrams
Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection
Epiq Global’s attack started with a TrickBot infection
Today a source in the cybersecurity industry exclusively shared information with BleepingComputer that sheds light on how Epiq Global became infected.
In December 2019, a computer on Epiq’s network became infected with the TrickBot malware.
TrickBot is most commonly installed by the Emotet Trojan, which is spread through phishing emails.
Once TrickBot is installed, it harvests various data, including passwords, files, and cookies, from the compromised computer and then tries to spread laterally throughout the network to gather more data.
When done harvesting data on a network, TrickBot will open a reverse shell to the Ryuk operators.
The Ryuk actors then have access to the infected computer and begin to perform reconnaissance of the network. After gaining administrator credentials, they deploy the ransomware to the network’s devices using PowerShell Empire or PsExec.
In Epiq Global’s case, Ryuk was deployed on their network on Saturday morning, February 29th, 2020, when the ransomware began encrypting files on infected computers.
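A defender-side illustration of the chain described above, added here and not taken from any of the extracted articles: it scans constructed Windows event records for two Ryuk precursors the extracts name, PsExec-style remote execution (installation of the PSEXESVC service, System event 7045) and shadow copy deletion (vssadmin/wbadmin, Security event 4688), and reports hosts where both stages appear. The flattened key=value log layout and all sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real telemetry): Security 4688 process-creation
# and System 7045 service-install events flattened to key=value text.
SAMPLE_LOGS = [
    'ts=2020-02-29T03:10:55Z host=FS01 event=7045 service=PSEXESVC path=%SystemRoot%\\PSEXESVC.exe',
    'ts=2020-02-29T03:11:02Z host=FS01 event=4688 user=CORP\\svc_bk image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin delete shadows /all /quiet"',
    'ts=2020-02-29T03:11:04Z host=FS01 event=4688 user=CORP\\svc_bk image=C:\\Windows\\System32\\wbadmin.exe cmd="wbadmin delete catalog -quiet"',
    'ts=2020-02-29T03:12:10Z host=WS22 event=7045 service=PSEXESVC path=%SystemRoot%\\PSEXESVC.exe',
    'ts=2020-02-29T09:00:00Z host=WS22 event=4688 user=CORP\\jdoe image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe report.txt"',
]

KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Rule 1: deletion of shadow copies / the backup catalog, the pre-encryption
# step the Spanning extract describes (vssadmin and wbadmin are the built-in tools).
SHADOW_DELETE = re.compile(r'\b(vssadmin\s+delete\s+shadows|wbadmin\s+delete\s+catalog)\b', re.I)
# Rule 2: PsExec's default service name appearing in a service-install event,
# i.e. the remote deployment method the BleepingComputer extract names.
PSEXEC_SERVICE = "PSEXESVC"

def parse(line):
    """Turn one key=value log line into a dict; quoted values keep their spaces."""
    return {k: (q if v.startswith('"') else v) for k, v, q in KV.findall(line)}

def detect(lines):
    """Return (host, ts, rule) findings for the two Ryuk precursors above."""
    findings = []
    for line in lines:
        ev = parse(line)
        host, ts = ev.get("host", "?"), ev.get("ts", "?")
        if ev.get("event") == "4688" and SHADOW_DELETE.search(ev.get("cmd", "")):
            findings.append((host, ts, "shadow_copy_deletion"))
        elif ev.get("event") == "7045" and ev.get("service", "").upper() == PSEXEC_SERVICE:
            findings.append((host, ts, "psexec_service_install"))
    return findings

def stages_per_host(lines):
    """Group distinct rule hits by host: a host showing both stages is a much
    stronger signal of ransomware deployment than either event alone."""
    stages = defaultdict(set)
    for host, _ts, rule in detect(lines):
        stages[host].add(rule)
    return {h: sorted(s) for h, s in stages.items()}

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS):
        print(finding)
    print(stages_per_host(SAMPLE_LOGS))
```

On the sample data FS01 shows both stages while WS22 shows only the service install, which is the distinction an analyst would triage first.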
While Ryuk is considered a secure ransomware without any weaknesses in its encryption, Emsisoft’s Brett Callow has told BleepingComputer that there may be a slight chance they can help recover files encrypted by the Ryuk ransomware.
“Companies affected by Ryuk should contact us. There is a small – very small – chance that we may be able to help them recover their data without needing to pay the ransom,” Callow told BleepingComputer.com.
While the chances are very small, if your devices are encrypted by the Ryuk Ransomware it does not hurt to check with Emsisoft.
BleepingComputer has reached out to Epiq with further questions about this attack, but has not heard back at this time.