On Monday, this blog broke the news that Epiq Global, the international e-discovery and managed services company, had taken its systems offline globally after becoming the target of a ransomware attack.
Now, new details are emerging about exactly what happened to force Epiq to shut down its systems.
The information security and technology news publication Bleeping Computer, citing a source in the cybersecurity industry, is reporting that Epiq was attacked by the Ryuk ransomware and that the company took its systems offline Saturday after the ransomware was deployed and began encrypting devices on its network.
According to the website Crowdstrike, Ryuk is specifically used to target large enterprises for high-ransom returns. Malwarebytes reports that the group behind Ryuk typically seeks ransoms in the range of $97,000 to $320,000.
Epiq has not said whether it has paid a ransom.
The Bleeping Computer report says that the attack against Epiq started in December when a computer on its network was infected with the TrickBot malware, probably through a phishing email.
TrickBot first harvests data from the compromised computer and then tries to spread throughout a network to gather more data. When done, it then opens a reverse shell to the Ryuk operators, who are able eventually to deploy the ransomware.
On Monday, Epiq told me that there was no evidence that the attack had resulted in any unauthorized transfer, misuse or exfiltration of any data. But security expert Brett Callow, says Epiq cannot really know that at this point.
Callow, a threat analyst with Emsisoft, a cybersecurity company that is also an associate partner in the No More Ransom Project, an initiative between multiple law enforcement agencies and the private sector, said only a full forensic investigation can determine whether data was compromised.
“Such comments are fairly typical, but they’re usually meaningless platitudes,” Callow said. “It’s like you walking into your burglarized home and, after briefly glancing around, saying, ‘Well, I don’t think anything was taken.’ Working out what did or did not happen during a ransomware incident requires a full forensic investigation that can take several weeks.”
Even so, Callow said that it is unlikely data was exfiltrated, because the Ryuk group is not known to be one that steals data.
For Callow, a major concern is that companies are not reporting or disclosing ransomware attacks. Delays in notifying customers that their data may have been breached can give criminals time to hit unsuspecting third parties with spear-phishing attacks and other forms of fraud.
“Folks’ tax returns and veterans’ PTSD claims are being posted online, and these people have no clue that they’re sitting ducks for identity thieves because the companies haven’t told them,” Callow said. “Similarly, I suspect that the groups are using the stolen data to spear phish other companies.”
Comparison to Coronavirus
David Carns, a former technology director at and technology consultant to law firms who is now chief revenue officer at Casepoint, said his company’s contracts with clients expressly provide that it will notify them of breaches.
He also agreed with Callow that the full implications of the attack cannot be determined without a full investigation. “There needs to be a full forensics investigation. We’ve learned long ago that, whenever there’s a crisis, declarations of success should be slow to come.”
Carns believes that ransomware attacks against e-discovery or legal technology companies are rare, especially against companies of the magnitude of Epiq. In fact, he says this is the first such attack he knows of involving a major SaaS e-discovery provider.
Still, Carns sees parallels between the current coronavirus crisis and the rise in ransomware attacks.
“The two have something in connection, in that they shed light on the need for good hygiene in general, and good cyber-hygiene in particular,” he said. “No system is immune from attack, but there are best practices that people can employ to improve one’s chances of good health.”
He urges law firms to look carefully at a vendor’s security policies. Too often, he suggested, companies tout their data center’s security ratings as evidence of their own — but security policies must apply also at the company level and even down to the file level.
As the Epiq incident demonstrates, it takes just one successful phishing attack to take down an entire network. For that reason, Carns said, companies need to emphasize regular and company-wide security training for all employees.
He also suggested that companies compartmentalize their data, so if an employee’s lack of diligence opens the door to an attack, it does not infect the entire system.
“The ransomware or malware has to have access to the files in order to encrypt them, in order to elicit a ransom,” Carns said. “If you make it so executables only have access at any one time to certain sets of data, then it can only attack those certain segments of your data.”
I asked Carns about the impact of a ransomware attack on the reputation of a company. He recalled the notorious 1982 murders in which over-the-counter bottles of Tylenol had been laced with poison. Manufacturer Johnson & Johnson not only survived the incidents, but gained praise as an example of how a major business should handle a disaster.
“This is something that can be survived by a good response, a proper response, and good remediation,” Carns said. “It’s in everyone’s interest to be forthcoming.”