Ryuk ransomware is back: Epiq Global down due to unauthorized activity

Unauthorized investigation reveals that the international e-discovery company Epiq Global been hit by ransomware

Epiq's network infected by Ryuk ransomware

Epiq's network infected by Ryuk ransomware

The international e-discovery company Epiq Global was forced to take systems offline after the unauthorized activity.[1] Legal services giant got hit by Ryuk ransomware and malware started to encrypt data in devices throughout the network until it was put offline.[2] The outage affected customers since none of them could access documents needed for court cases and client deadlines.

The company stated that they got affected by the ransomware and took their system down to avoid the further spreading of the threat. The attack apparently affected all 80 offices and their computers of Epiq Global.[3] Officials reported[4] that IT teams and security experts work on getting all systems back online and secure:

On February 29, we detected unauthorized activity on our systems, which has been confirmed as a ransomware attack. As part of our comprehensive response plan, we immediately took our systems offline globally to contain the threat and began working with a third-party forensic firm to conduct an independent investigation.

The ransomware attack started with a TrickBot malware infection

The fact that Ryuk ransomware was the malware responsible for the outage was not reported at first. Nevertheless, the fact about additional infection at the end of the last year revealed that it all started with TrickBot malware infiltration. A computer on the company’s network got infected with TrickBot in December 2019.

It is believed that Emotet Trojan was the one that loaded TrickBot on the system. Phishing emails and scams are one of the most common ways to spread Emotet that is mainly used for dropping additional threats. The person connected to the targeted network only needs to open the file attached to the email, and trojan infiltrates the machine and can act as it was designed to.

Once TrickBot gets installed it can record and steal various information like passwords, logins, files, cookies from the affected system. The malware then manages to spread through the network and gather more valuable data. Once that is done, TrickBot opens the doors for Ryuk ransomware operators and allows them to infect the network freely.  Ransomware can gain administrator rights, deploy malware scripts on the devices connected to the network, and use PowerShell Empire or PSExec.

Files encrypted and recovered: no data breach

Ryuk was deployed on February 29th when ransomware started to encrypt files on various computers connected to the infected network. Ransomware creates RyukReadMe.html in every folder, typically, and demands a ransom for the recovery of data marked using .RYUK extension.[5] 

While there is no particular information about the paid ransom, the company assured that their data was recovered using backups and that there is no information about the exfiltrated data. According to officials, customer data was not breached: 

As always, protecting client and employee information is a critical priority for the company. At this time there is no evidence of any unauthorized transfer or misuse or exfiltration of any data in our possession.