Cybersecurity Experts On Ryuk Ransomware Hits Fortune 500 Company EMCOR

EMCOR, a US-based Fortune 500 company specialised in engineering and industrial construction services, disclosed last month a ransomware incident that took down some of its IT systems. The incident, dated 15 February 2020, was identified as Ryuk ransomware. Details of the attack and its aftermath are not yet public, but the message announcing the infection was still present on the company's website almost three weeks after the attack. EMCOR said that not all of its systems were impacted and that only "certain IT systems" were affected, which it promptly shut down to contain the infection. The company said it was restoring services, but did not specify whether it paid the ransom demand or whether it was restoring from backups.

Expert Comments

March 06, 2020
Paul Edon
Senior Director (EMEA)
Tripwire
Ransomware, or any malware, can't just magically appear on your systems. It needs some kind of mechanism for deployment, usually an unpatched vulnerability, misconfiguration or successful phishing. Building a solid foundation is the best place to start for an effective defence. That means putting in place and managing secure configurations for the assets in your environment. In order for this control to be effective, you must be able to define what a secure configuration is for those assets, and you have to be able to validate that an asset is configured to meet that standard. If you don't start with secure configurations, then you are simply leaving the door open for malware. In the context of prioritising the protection of the most likely entry points, organisations should also invest in phishing training programmes, as the human factor remains cybercriminals' preferred target to gain a foothold into the environment. Ultimately, the benefits of having solid foundational controls in place and a well-rehearsed incident response plan far outweigh the risk of a small disruption to business operations that the implementation may require.
March 06, 2020
Martin Jartelius
CSO
Outpost24
This is an example of what looks to be a better security practice than what we have seen from similar cases recently. The infection while gaining a foothold failed to hit the entire digital estate, meaning a single set of credentials or access did not grant the attackers a global reach. This shows once again that in-depth defense actually pays off when things go wrong.
March 06, 2020
Sam Curry
Chief Security Officer
Cybereason
The rubber hits the Wall Street road when Fortune 500 companies start readjusting earnings due to cyber attacks, as there is nothing that will get the attention of board members and investors more than an assault on revenues. EMCOR is not your average mom and pop company that crime groups are focusing on more and more. This is a Fortune 500 enterprise with more than 30,000 employees, $10 billion in revenues and the best security team and tools in place to combat the daily challenges presented by threat actors. EMCOR's disclosure is a stark reminder that the biggest and most secure organisations need incident response teams in place to deal with the persistent risk to proprietary information and customer and partner data that is all too often ending up in the hands of criminals. While a lot of the details specific to this threat haven't been disclosed, EMCOR's security team has likely saved the company from more damage and pain. Overall, Ryuk ransomware is a real threat to organisations, as Cybereason's Nocturnus team discovered with its Triple Threat research. Global 1000 organisations need security awareness training plans and incident response and threat hunting teams working constantly to stay ahead of hackers. Suggested remediation measures include: Educate employees on how to correctly handle suspicious emails to prevent initial downloading or dropping of malware. In order to protect against lateral movement, do not use privileged accounts, avoid RDPs without properly terminating the session, do not store passwords in plain text, deploy good authentication practices, disable unnecessary share folders, and change the names of the default share folders used in your organisation. Proactively approach security by performing hunts and searching for suspicious behaviour before an incident starts.
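Paul Edon's point above (a secure configuration must first be defined and then validated per asset) and Sam Curry's lateral-movement hardening list (no day-to-day use of privileged accounts, RDP sessions that are actually terminated, no plain-text password storage, unnecessary shares disabled and default share names changed) describe the same control from two sides: a declarative baseline and a check that each host meets it. The Python below is an added example of such a check, written for this page; it is not code from EMCOR, Tripwire or Cybereason. The rule set, the host snapshot and every hostname, share name and account in it are constructed; in practice the snapshot would be collected by an inventory or endpoint agent, and the thresholds would come from your own policy. One design choice worth noting: an attribute the snapshot does not report is counted as a failure, because an unvalidated control is indistinguishable from an absent one.

```python
"""Declarative secure-configuration baseline check.

Added example for this page, not code from EMCOR or any vendor quoted above.
The rules, the host snapshot and every hostname, share name and account in it
are constructed for illustration; a real snapshot would come from an inventory
or endpoint agent.
"""
from dataclasses import dataclass
from typing import Any, Callable


def _none_of(observed: Any, banned: Any) -> bool:
    return not (set(observed) & set(banned))


def _subset_of(observed: Any, allowed: Any) -> bool:
    return set(observed) <= set(allowed)


def _in_range(observed: Any, bounds: Any) -> bool:
    low, high = bounds
    return low <= observed <= high


# Comparison operators a rule may use: (observed, expected) -> pass/fail.
_OPS: dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda o, e: o == e,
    "lte": lambda o, e: o <= e,
    "gte": lambda o, e: o >= e,
    "none_of": _none_of,
    "subset_of": _subset_of,
    "in_range": _in_range,
}


@dataclass(frozen=True)
class Rule:
    key: str        # dotted path into the snapshot
    op: str
    expected: Any
    severity: str   # "high" or "medium"
    why: str


@dataclass(frozen=True)
class Finding:
    rule: Rule
    observed: Any   # None when the snapshot did not report the attribute
    passed: bool


# Baseline encoding the hardening items the comments above call for.
BASELINE = [
    Rule("patch.days_since_last", "lte", 30, "high", "unpatched hosts are a common entry point"),
    Rule("smb.smb1_enabled", "eq", False, "high", "legacy SMBv1 must be disabled"),
    Rule("smb.custom_shares", "none_of", ["Public", "Everyone", "Share"], "medium",
         "default or catch-all share names are easy targets"),
    Rule("rdp.nla_required", "eq", True, "high", "RDP must require network-level authentication"),
    Rule("rdp.idle_timeout_minutes", "in_range", (1, 60), "medium",
         "idle RDP sessions must be terminated, not left open"),
    Rule("local_admins", "subset_of", ["Administrator", "svc_backup"], "high",
         "day-to-day accounts must not hold local admin"),
    Rule("password_policy.reversible_encryption", "eq", False, "high",
         "reversible encryption stores passwords in recoverable form"),
    Rule("password_policy.min_length", "gte", 14, "medium", "minimum password length"),
    Rule("mfa.enforced", "eq", True, "high", "MFA must be enforced for remote access"),
]

_MISSING = object()


def lookup(snapshot: dict, dotted: str) -> Any:
    """Resolve a dotted key; return _MISSING if any segment is absent."""
    node: Any = snapshot
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node


def evaluate(snapshot: dict, baseline: list[Rule]) -> list[Finding]:
    """Check every rule. A missing attribute, or one of the wrong type, is a
    failure: a control you cannot validate is treated as drift."""
    findings = []
    for rule in baseline:
        observed = lookup(snapshot, rule.key)
        if observed is _MISSING:
            findings.append(Finding(rule, None, False))
            continue
        try:
            passed = _OPS[rule.op](observed, rule.expected)
        except (TypeError, ValueError):
            passed = False
        findings.append(Finding(rule, observed, passed))
    return findings


def failed_keys(findings: list[Finding]) -> set[str]:
    return {f.rule.key for f in findings if not f.passed}


# Constructed snapshot of one workstation (not real data).
SAMPLE_HOST = {
    "host": "ws-0417",
    "patch": {"days_since_last": 9},
    "smb": {"smb1_enabled": False, "custom_shares": ["Engineering$", "Public"]},
    "rdp": {"enabled": True, "nla_required": True, "idle_timeout_minutes": 0},
    "local_admins": ["Administrator", "svc_backup", "jdoe"],
    "password_policy": {"min_length": 14, "reversible_encryption": False},
    "mfa": {"enforced": True},
}

if __name__ == "__main__":
    for f in evaluate(SAMPLE_HOST, BASELINE):
        status = "PASS" if f.passed else f"FAIL [{f.rule.severity}]"
        print(f"{status:14} {f.rule.key}: observed={f.observed!r} ({f.rule.why})")
```

Run against the constructed snapshot, the check flags the catch-all share name, the RDP idle timeout of zero (sessions never terminated) and the extra local administrator, and passes the rest; feeding it an empty snapshot fails every rule, which is the intended behaviour for a host that has not been inventoried.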
March 06, 2020
Jonathan Knudsen
Senior Security Strategist
Synopsys
Ransomware continues to be a popular tool for cybercriminals. The diabolical simplicity of ransomware is that the attacker first locks up information, then sells it back to the one organisation where it has the most value--the victim. Several defences reduce the risk of a ransomware attack: Security education can help users be savvy about the dangers of phishing and other common attacks. If just one user knows better than to click on a bad link in an email, it could make all the difference. Traditional reactive defences such as intrusion prevention systems and antivirus software can block known malware. However, they will be powerless against new types of threats. Keeping operating systems and applications up to date makes it much more difficult for ransomware to take root and spread within your organisation. The knockout punch for ransomware is as plain as dirt--regular backups. If you plan and execute a consistent and comprehensive backup of your data, you can laugh in the face of your ransomware captor, restore from your latest backup, and experience minimal disruption to your business. If you fall victim to a ransomware attack, you must have a plan ready to execute. The plan should include removing infected systems from your network, wiping them and reinstalling the operating system and applications, then restoring data from your backups.
March 06, 2020
Andre Gironda
VP
Cerberus Sentinel
Ransomware operations are thorough, complete, and usually totally devastating. The operators of Ryuk in particular are relentless and efficient. They don't have to change tactics very often. Some threat communities have figured out the formula to monetize their operations and some are still testing out the waters. Yet the threat communities share. Where you see Emotet, you will see TrickBot, and then you'll see Ryuk. Next week or month you may also start to see Dridex and then BitPaymer or DoppelPaymer ransomware. This is because the threat communities share information about their ransoms. They brood and learn in marketplaces. The threat actors cast a large net in order to find organizations that are likely to pay. Each threat actor will compromise as many orgs as they can using automated scripts for phishing (or Remote Desktop public scans) with long lists of email addresses or domain names. After establishing a foothold using Emotet, Dridex, or RDP, the crown jewels are identified simply by type and location, for example CAD files on a file server share. The goal is to get the org to pay up. Once paid, then plans are put in to squeeze more ransoms out. Often broader threat communities and more threat actors will be brought in to accomplish this squeezing activity. What we are finding is that not all ransomware is created equal. Yes, new ransomware such as Nemty and PwndLocker will make the headlines, but Nemty is thought to come from ransomware operators who promote advanced tactics. Both of these might fully monetize their Ransomware-as-a-Service (RaaS) activities -- PwndLocker may even make more money in the short-term. The effects from Nemty by comparison, however, can be harder both to the individual org and to the overall industry because previous campaigns have included evidence scrubbing capabilities. Thus, when Ryuk and DoppelPaymer have both broken loose, Nemty, REvil, or GandCrab could be hiding their tracks in that same environment.
March 06, 2020
Javvad Malik
Security Awareness Advocate
KnowBe4
Details around the actual impact of the ransomware and affected systems are scarce, but it is important to note that the adjustment of Q4 earning numbers as a result of the attack should not be underestimated. For many organisations across industries such as manufacturing, there isn't usually a viable backup procedure to fall back on if IT systems are taken offline. This is why the impact on such organisations is far greater, even if they do have backups. Therefore, this becomes an even more important case of prevention being far better than cure. This prevention can be helped by a multi-layered approach which includes patching vulnerable public-facing systems, enforcing strong passwords with multi factor authentication, and providing regular and timely security awareness and training to all employees to allow them to better recognise attacks and to spread a culture of security throughout the organisation.
March 06, 2020
Erich Kron
Security Awareness Advocate
KnowBe4
This attack demonstrates that regardless of the size of your organization, ransomware can still be a significant problem. It would appear that the event was contained quickly in this case and the organization appears to have done a good job with communication, especially in light of the newer strains of ransomware exfiltrating data. Ransomware infections are no longer rare events, with infections happening across organizations of all sizes and across all industries. For modern organizations, it is very important to have a plan in place to deal with a potential infection with a focus on limiting the spread of the infection, continuing operations and communicating with affected parties and stakeholders. The top preventative measures include network segmentation to control the spread of the infection, having good, tested backups available to quickly restore data and, most importantly, training employees how to spot and report phishing attacks that are the source of most ransomware infections.
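Jonathan Knudsen's and Erich Kron's comments both put backups at the centre of ransomware recovery, and Kron is specific that they must be tested. A backup that has never been restored in a drill, or whose integrity record an intruder could rewrite alongside the data, is not a recovery plan. The Python below is an added example of the check a restore drill should run: a SHA-256 manifest taken at backup time, an HMAC tag over that manifest computed with a key that stays with the offline copy, and a file-by-file comparison of a restored set against the manifest. It is written for this page and is not code from EMCOR, Synopsys or KnowBe4; the file paths, contents and key are constructed. The manifest is authenticated before it is trusted, because a report built from a forged manifest would only confirm whatever the intruder wants you to believe.

```python
"""Backup manifest and restore-drill verification.

Added example for this page, not code from EMCOR, Synopsys or KnowBe4. All
paths, file contents and the key below are constructed for illustration; in
practice the key is stored with the offline backup copy, never on the hosts
being backed up.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Record the SHA-256 of every file at backup time, keyed by path."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in sorted(files.items())}


def sign_manifest(manifest: dict[str, str], key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the manifest. An intruder
    who can encrypt the backup can also rewrite a plain manifest to match the
    damaged files; without the offline key they cannot produce a valid tag."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: dict[str, str], tag: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


@dataclass
class RestoreReport:
    ok: list[str] = field(default_factory=list)
    modified: list[str] = field(default_factory=list)    # hash differs from manifest
    missing: list[str] = field(default_factory=list)     # in manifest, not restored
    unexpected: list[str] = field(default_factory=list)  # restored, not in manifest

    @property
    def clean(self) -> bool:
        return not (self.modified or self.missing or self.unexpected)


def verify_restore(manifest: dict[str, str], restored: dict[str, bytes]) -> RestoreReport:
    """Compare a restored file set against the manifest, file by file."""
    report = RestoreReport()
    for path, expected in manifest.items():
        if path not in restored:
            report.missing.append(path)
        elif hashlib.sha256(restored[path]).hexdigest() != expected:
            report.modified.append(path)
        else:
            report.ok.append(path)
    report.unexpected = sorted(set(restored) - set(manifest))
    return report


def restore_drill(manifest: dict[str, str], tag: str, key: bytes,
                  restored: dict[str, bytes]) -> tuple[bool, Optional[RestoreReport]]:
    """Authenticate the manifest first, then verify the restore against it.
    Returns (drill passed, report); the report is None if the manifest is forged."""
    if not manifest_is_authentic(manifest, tag, key):
        return False, None
    report = verify_restore(manifest, restored)
    return report.clean, report


# --- constructed sample data (not real files or a real key) -----------------
SAMPLE_KEY = b"offline-drill-key-not-a-real-secret"
SAMPLE_FILES = {
    "projects/siteplan.dwg": b"AC1027 constructed drawing bytes",
    "hr/payroll.csv": b"employee,amount\nconstructed,1\n",
    "finance/q4.xlsx": b"PK constructed workbook",
}
# A restore in which one file came back altered, one never came back, and a
# stray file appeared that was never in the backup.
DAMAGED_RESTORE = {
    "projects/siteplan.dwg": b"\x8f\x12 constructed ciphertext-like garbage",
    "finance/q4.xlsx": SAMPLE_FILES["finance/q4.xlsx"],
    "tmp/scratch.bin": b"\x00\x00",
}

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_FILES)
    tag = sign_manifest(manifest, SAMPLE_KEY)
    passed, report = restore_drill(manifest, tag, SAMPLE_KEY, DAMAGED_RESTORE)
    print("drill passed:", passed)
    if report is not None:
        print("modified:", report.modified, "missing:", report.missing,
              "unexpected:", report.unexpected)
```

Against the constructed damaged restore the drill fails and the report names the altered drawing, the missing payroll file and the stray file; a manifest edited to match the altered file fails authentication outright, so no report is produced from it. In a real drill the restored set would be read from the recovery target and the manifest and tag fetched from the offline copy.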
March 06, 2020
Felix Rosbach
Product Manager
comforte AG
While a lot of companies are aware of ransomware and develop strategies to prevent attacks and recover quickly, it still is a very effective attack. Even with a sophisticated backup strategy in place, the costs and resources needed to do a complete rollback after a successful ransomware attack can be higher than paying the ransom. Even though sending payments to attackers is never a good idea, the increase in modifications and ransomware-as-a-service offerings on the dark web shows that there still is a market and some companies are willing to pay to continue their business.