Ryuk ransomware hits Fortune 500 company

EMCOR, a US-based Fortune 500 company specialized in engineering and industrial construction services, disclosed last month a ransomware incident that took down some of its IT systems. The incident from 15th Feb 2020 was identified as Ryuk ransomware. Details of the attack and the aftermath are not yet public, but the message announcing the ransomware infection is still present on the company’s website almost three weeks after the attack. EMCOR said that not all of its systems were impacted and that only “certain IT systems” were affected, which it promptly shut down to contain the infection. The company said it was restoring services, but did not specify if it paid the ransom demand or if it was restoring from backups.
Ryuk #ransomware hits industrial construction services Emcor https://t.co/pdjLDgDuGA
— Secure Networkers (@SecureNetIT) March 3, 2020
Ransomware, or any malware, can’t just magically appear on your systems. It needs some kind of mechanism for deployment, usually an unpatched vulnerability, misconfiguration or successful phishing. Building a solid foundation is the best place to start for an effective defence. That means putting in place and managing secure configurations for the assets in your environment. In order for this control to be effective, you must be able to define what a secure configuration is for those assets, and you have to be able to validate that an asset is configured to meet that standard.
If you don’t start with secure configurations, then you are simply leaving the door open for malware. In the context of prioritising the protection of the most likely entry points, organisations should also invest in phishing training programmes, as the human factor remains cybercriminals’ preferred target to gain a foothold into the environment. Ultimately, the benefits of having solid foundational controls in place and a well-rehearsed incident response plan far outweigh the risk of a small disruption to business operations that the implementation may require.
This is an example of what looks to be a better security practice than what we have seen from similar cases recently. The infection, while gaining a foothold, failed to hit the entire digital estate, meaning a single set of credentials or access did not grant the attackers a global reach. This shows once again that defence in depth actually pays off when things go wrong.
The rubber hits the Wall Street road when Fortune 500 companies start readjusting earnings due to cyber attacks, as there is nothing that will get the attention of board members and investors more than an assault on revenues. EMCOR is not your average mom and pop company that crime groups are focusing on more and more. This is a Fortune 500 enterprise with more than 30,000 employees, $10 billion in revenues and the best security team and tools in place to combat the daily challenges presented by threat actors. EMCOR’s disclosure is a stark reminder that the biggest and most secure organisations need incident response teams in place to deal with the persistent risk to proprietary information and customer and partner data that is all too often ending up in the hands of criminals. While a lot of the details specific to this threat haven’t been disclosed, EMCOR’s security team has likely saved the company from more damage and pain.
Overall, Ryuk ransomware is a real threat to organisations, as Cybereason’s Nocturnus team discovered with its Triple Threat research. Global 1000 organisations need security awareness training plans and incident response and threat hunting teams working constantly to stay ahead of hackers. Suggested remediation measures include:
Educate employees on how to correctly handle suspicious emails to prevent initial downloading or dropping of malware.
In order to protect against lateral movement, do not use privileged accounts, avoid leaving RDP sessions open without properly terminating them, do not store passwords in plain text, deploy good authentication practices, disable unnecessary share folders, and change the names of the default share folders used in your organisation.
Proactively approach security by performing hunts and searching for suspicious behaviour before an incident starts.
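The article asks for two things that are easy to state and hard to keep true across a fleet: a defined secure configuration for each asset, and a way to validate that every asset still meets it. The following is an added example, not code from the article, EMCOR, Cybereason or any commentator quoted on this page. It encodes several of the controls named above (patch currency, SMBv1 off, RDP requiring NLA with idle sessions terminated, no unapproved SMB shares, no plain-text credential files) as a baseline and evaluates host records against it. The host records, thresholds, field names and the reference date are constructed assumptions; in a real deployment the records would be collected by an inventory or endpoint agent rather than typed inline.

```python
"""Secure-configuration baseline validation (added example, not the article's own code).

Every control is a function that takes a host record and a reference date and returns
None when the host complies or a short detail string when it drifts from the baseline.
Field names, thresholds, the sample hosts and the reference date are constructed
assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Baseline thresholds (assumed values, tune to your own standard).
MAX_PATCH_AGE_DAYS = 30
MAX_RDP_IDLE_MINUTES = 15
# Administrative shares Windows creates by itself; anything else must be explicitly approved.
DEFAULT_ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}


@dataclass(frozen=True)
class Finding:
    host: str
    control: str
    severity: str
    detail: str


def check_patch_age(host, today):
    age = (today - host["last_patch"]).days
    if age > MAX_PATCH_AGE_DAYS:
        return f"last patch {age} days ago (limit {MAX_PATCH_AGE_DAYS})"
    return None


def check_smbv1(host, today):
    return "SMBv1 is enabled" if host["smbv1_enabled"] else None


def check_rdp_sessions(host, today):
    if not host["rdp_enabled"]:
        return None
    problems = []
    if not host["rdp_nla"]:
        problems.append("NLA not required")
    idle = host["rdp_idle_timeout_min"]
    if idle == 0:  # 0 means idle sessions are never disconnected
        problems.append("idle sessions never disconnected")
    elif idle > MAX_RDP_IDLE_MINUTES:
        problems.append(f"idle timeout {idle} min exceeds {MAX_RDP_IDLE_MINUTES}")
    return "; ".join(problems) or None


def check_shares(host, today):
    unexpected = sorted(set(host["shares"]) - DEFAULT_ADMIN_SHARES - set(host["approved_shares"]))
    return f"unapproved shares: {', '.join(unexpected)}" if unexpected else None


def check_plaintext_credentials(host, today):
    files = host["plaintext_cred_files"]
    return f"credential files in plain text: {', '.join(files)}" if files else None


# The baseline: control name, severity, check function.
CHECKS = [
    ("patching", "high", check_patch_age),
    ("smbv1", "high", check_smbv1),
    ("rdp_sessions", "medium", check_rdp_sessions),
    ("smb_shares", "medium", check_shares),
    ("plaintext_credentials", "high", check_plaintext_credentials),
]


def evaluate(host, today):
    """Return the list of baseline deviations for one host (empty when compliant)."""
    findings = []
    for control, severity, fn in CHECKS:
        detail = fn(host, today)
        if detail:
            findings.append(Finding(host["name"], control, severity, detail))
    return findings


def evaluate_fleet(hosts, today):
    """Map host name -> findings, so non-compliant hosts can be listed in one pass."""
    return {h["name"]: evaluate(h, today) for h in hosts}


# Constructed sample inventory: one hardened workstation and one drifted file server.
TODAY = date(2020, 3, 6)  # assumed reference date
SAMPLE_HOSTS = [
    {"name": "WS-HARDENED-01", "last_patch": date(2020, 2, 28), "smbv1_enabled": False,
     "rdp_enabled": True, "rdp_nla": True, "rdp_idle_timeout_min": 10,
     "shares": ["ADMIN$", "C$", "IPC$"], "approved_shares": [], "plaintext_cred_files": []},
    {"name": "FS-DRIFTED-02", "last_patch": date(2019, 11, 1), "smbv1_enabled": True,
     "rdp_enabled": True, "rdp_nla": False, "rdp_idle_timeout_min": 0,
     "shares": ["ADMIN$", "C$", "IPC$", "CAD", "Backups$"], "approved_shares": ["CAD"],
     "plaintext_cred_files": ["C:\\scripts\\backup.bat"]},
]

if __name__ == "__main__":
    for name, findings in evaluate_fleet(SAMPLE_HOSTS, TODAY).items():
        print(f"{name}: {'compliant' if not findings else f'{len(findings)} finding(s)'}")
        for f in findings:
            print(f"  [{f.severity}] {f.control}: {f.detail}")
```

The point of keeping each control as a small function with a severity is that the baseline becomes reviewable and versionable like any other code: a new control is one function and one line in CHECKS, and the same checks run unchanged whether the records come from a test fixture, as here, or from a live inventory.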
Ransomware continues to be a popular tool for cybercriminals. The diabolical simplicity of ransomware is that the attacker first locks up information, then sells it back to the one organisation where it has the most value–the victim.
Several defences reduce the risk of a ransomware attack:
Security education can help users be savvy about the dangers of phishing and other common attacks. If just one user knows better than to click on a bad link in an email, it could make all the difference.
Traditional reactive defences such as intrusion prevention systems and antivirus software can block known malware. However, they will be powerless against new types of threats.
Keeping operating systems and applications up to date makes it much more difficult for ransomware to take root and spread within your organisation.
The knockout punch for ransomware is as plain as dirt–regular backups. If you plan and execute a consistent and comprehensive backup of your data, you can laugh in the face of your ransomware captor, restore from your latest backup, and experience minimal disruption to your business.
If you fall victim to a ransomware attack, you must have a plan ready to execute. The plan should include removing infected systems from your network, wiping them and reinstalling the operating system and applications, then restoring data from your backups.
Ransomware operations are thorough, complete, and usually totally devastating. The operators of Ryuk in particular are relentless and efficient. They don’t have to change tactics very often. Some threat communities have figured out the formula to monetize their operations and some are still testing out the waters. Yet the threat communities share. Where you see Emotet, you will see TrickBot, and then you’ll see Ryuk. Next week or month you may also start to see Dridex and then BitPaymer or DoppelPaymer ransomware. This is because the threat communities share information about their ransoms. They brood and learn in marketplaces.
The threat actors cast a large net in order to find organizations that are likely to pay. Each threat actor will compromise as many orgs as they can using automated scripts for phishing (or Remote Desktop public scans) with long lists of email addresses or domain names. After establishing a foothold using Emotet, Dridex, or RDP, the crown jewels are identified simply by type and location, for example CAD files on a file server share. The goal is to get the org to pay up. Once paid, then plans are put in to squeeze more ransoms out. Often broader threat communities and more threat actors will be brought in to accomplish this squeezing activity.
What we are finding is that not all ransomware is created equal. Yes, new ransomware such as Nemty and PwndLocker will make the headlines, but Nemty is thought to come from ransomware operators who promote advanced tactics. Both of these might fully monetize their Ransomware-as-a-Service (RaaS) activities — PwndLocker may even make more money in the short term. The effects from Nemty by comparison, however, can be harder on both the individual org and the overall industry because previous campaigns have included evidence scrubbing capabilities. Thus, when Ryuk and DoppelPaymer have both broken loose, Nemty, REvil, or GandCrab could be hiding their tracks in that same environment.