article featured image


What do you get when you combine three virulent cyber attacks? An epiq ransomware case. 

As we have defined it in our Cybersecurity Glossary, ransomware is a type of malware (malicious software) which encrypts all the data on a PC or mobile device, blocking the data owner’s access to it until a ransom demand is fulfilled. As the notorious Epiq ransomware shows, cybercriminals are getting more and more resourceful when it comes to finding methods for doing more and more harm. 

The name of the Epiq ransomware comes from its original victim – Epiq Global, a company that provides legal services to financial institutions and governments from 80 offices worldwide. The attack took place in March, forcing the company to go globally offline after the ransomware was deployed and began encrypting devices on its network. 

In a press release issued on the 2nd of March, representatives of Epiq declared:

On February 29, we detected unauthorized activity on our systems, which has been confirmed as a ransomware attack. As part of our comprehensive response plan, we immediately took our systems offline globally to contain the threat and began working with a third-party forensic firm to conduct an independent investigation.

Our technical team is working closely with world-class third-party experts to address this matter and bring our systems back online in a secure manner, as quickly as possible.

Federal law enforcement authorities have also been informed and are involved in the investigation.

As always, protecting client and employee information is a critical priority for the company. At this time there is no evidence of any unauthorized transfer or misuse or exfiltration of any data in our possession.

This came after 5 other law firms were hit by the notorious Maze group and, although Epiq claimed that no data were exfiltrated during the March attack, they are now facing “a federal lawsuit in California alleging it is at fault for malware and ransomware attacks that exposed data in violation of the state’s landmark privacy law.” 

Actors of the Epiq ransomware attack – TrickBot, Emotet and Ryuk

Apparently, the Epiq ransomware attack started with a TrickBot infection. Developed in 2016, TrickBot is a banking Trojan (a type of malware that acts according to the Greek legend: it camouflages itself as a legitimate file or program to trick unsuspecting users into installing it on their PCs. Upon doing this, users will unknowingly give unauthorized, remote access to the cyber attackers who created and run the Trojan) that targets Windows machines. 

The Trojan TrickBot comes in modules and is accompanied by a configuration file. The modules have specific tasks: gaining persistence, propagation, stealing credentials, encryption etc. The malware will communicate with TrickBot’s command and control infrastructure in order to exfiltrate data and receive tasks, but the end-users won’t notice any sign of an infection. TrickBot usually gets in a network via malicious spam campaigns, laterally by using the EternalBlue exploit or through infected attachments and embedded URLs. Trojan.TrickBot can also be a secondary infection dropped by Trojan.Emotet, an old cybersecurity threat. 

As BleepingComputer writes, 

Once TrickBot is installed, it will harvest various data, including passwords, files, and cookies, from a compromised computer and will then try spread laterally throughout a network to gather more data. When done harvesting data on a network, TrickBot will open a reverse shell to the Ryuk operators. The Ryuk Actors will then have access to the infected computer and begin to perform reconnaissance of the network. After gaining administrator credentials, they will deploy the ransomware on the network’s devices using PowerShell Empire or PSExec.In Epiq Global’s case, Ryuk was deployed on their network on Saturday morning, February 29th, 2020, when the ransomware began encrypting files on infected computers.

When the ransomware encrypts the files, it creates a ransom note called RyukReadMe.txt in any folder, and every file that is encrypted has the .RYK extension appended to it.  The partnership of TrickBot and Ryuk was not a particularity of the Epiq ransomware attack only – Bleeping Computers also mentions that 

the Ryuk actors may be renting other malware as an Access-as-a-Service to gain entrance to a network.[…] TrickBot is being used by other actors to get access to an infected network. Once these bots infect a computer, they would create reverse shells back to other actors, such as the ones behind Ryuk, so that they can manually infiltrate the rest of the network and install their payloads.

Knocking out the Epiq ransomware attack – Ryuk. M.O., History, Targets. 

Ryuk (probably named like this after the name of a fictional character known as Shinigami – the God of Death – in the Death Note anime and manga series) represents a ransomware family that uses campaigns where extortion happens, unlike in other ransomware cases, days or weeks after the initial infection. As ComplexDiscovery.com says, “Ryuk has been observed as a second-stage payload delivered in campaigns that involved Emotet and Trickbot, two of the most widespread threats that are currently being used in malware campaigns”. It targets large companies and government agencies: among the companies that fell victims to Ryuk’s “death note” there are newspapers, restaurants, public institutions. 

epiq ransomware attack - ryuk concept image

Source: Security Boulevard

Ryuk ransomware was first mentioned in a Tweet in August 2018 and has been operated by the Russia-based criminal group Wizard Spider. Based on the Hermes ransomware code, the total value of Ryuk transactions has surpassed $3 million. 

How does Ryuk work?

Ryuk is not the beginning of a ransomware attack – it is the lethal end of an infection cycle. The stages it follows are dropper, binary setup, file encryption, Ryuk ransomware injection, ransom note

The dropper stage may include a phishing email, visiting a sketchy website or clicking on a random popup. After TrickBot and Emotet allow access to a victim’s network, they will start to spread laterally and deploy Ryuk ransomware. Before the deployment of Ryuk, Emotet and TrickBot will save some time to steal sensitive information. 

In the binary setup stage, Ryuk checks if the system is suited for it, and based on the results it drops the appropriate malware version and runs it using ShellExecuteW.  During the file encryption stage,  two files are uploaded into the system ( PUBLIC: RSA Public Key and UNIQUE_ID_DO_NOT_REMOVE: Hardcoded Key). After each file of the system is encrypted, the encryption key is destroyed. 

During the Ryuk ransomware injection stage, the malware creates a preconfigured list of programs and services that get wiped out – including antivirus tools, databases, backups. 

After this, the victim receives the Ryuk ransom note. The ransom varies according to the size and value of the targeted organisation, and the emails typically include the name of obscure actors or Instagrams models. 

Famous targets 

The Epiq Ransomware Attack was not the only epic victory of the Wizard Spider Group. The attack on the state of Florida was pretty impressive too. As SecureWorld says, “in June 2019 alone, the Ryuk ransomware crew collected more than $1.1 million dollars from Florida municipalities.” Riviera Beach, for example, was completely shut down – “Cops started writing paper tickets, 9-1-1 was impacted, the city’s email, check payment, direct deposit services, and even SCADA (industrial control) systems related to the city’s water pump systems were impacted.”

Another example of Ryuk ransomware victims is a provider of end-to-end solutions for emergency care facilities in the U.S., T-System. BleepingComputer mentions that “the ransomware infection spread to public segments such as DMZ, extranet, and helpdesk”. 

Spanish Cadena SER, Spain’s largest radio station, and TECNOL, a manufacturer of products for waterproofing, insulating, cleaning and biotechnology have also felt victims to Ryuk, as well as Prosegur. Prosegur, a private security company that’s been on the market for more than 40 years and offers manned guarding, logistics and alarm services, had to shut down their systems “to prevent Ryuk from spreading to internal and external hosts.”  The customers were cut from the service for at least four days, and have complained they could not connect the alarm, nor check whether the alarm was armed or not. 

What can you do to avoid becoming the next target of a Ryuk /  Epiq ransomware attack? 

When it comes to Ryuk / Epiq ransomware attacks, there is some good news and some bad news. As SecureWorldExpo says, 

The bad news first: Ryuk ransomware can hide. The Ryuk ransomware is often not observed until a period of time after the initial infection—ranging from days to months—which allows the actor time to carry out reconnaissance inside an infected network, identifying and targeting critical network systems and therefore maximising the impact of the attack. The good news: you can short circuit it. It may also offer the potential to mitigate against a ransomware attack before it occurs, if the initial infection is detected and remedied.

The even better news? There are certain precautions you can take to avoid the initial infection in the first place.

Keep Informed about Phishing Techniques 

Cybercriminals develop more and more attack techniques, so if you don’t update your info on phishing techniques, you might inadvertently fall prey to one.  You can learn more about this kind of attack by checking out one of our previous articles. Make sure all your employees know what to look out for!

Think Before you Click 

You must always pay attention to every link you click on and every attachment you open. Keep in mind to hover over the links you want to access to make sure they lead where they’re supposed to lead. It can also help to have an automated solution guarding your e-mail communication, like our Heimdal™ Email Security. Heimdal™ Email Security offers protection against a wide range of cyber threats: phishing, spam, ransomware and malware, malicious attachments, and malicious links. 

Heimdal Official Logo
Email is the most common attack vector used as an entry point into an organization’s systems.

Heimdal® Email Security

Is the next-level email protection solution which secures all your incoming and outgoing comunications.
  • Completely secure your infrastructure against email-delivered threats;
  • Deep content scanning for malicious attachments and links;
  • Block Phishing and man-in-the-email attacks;
  • Complete email-based reporting for compliance & auditing requirements;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

Malware Scan

In terms of cybersecurity, we think it’s always a good idea to go from the hunted to the hunter and try to proactively search for malware and deal with it before it does any damage. We have the perfect solution for this too: our DarkLayer Guard module, present in Heimdal™ Threat Prevention and Heimdal™ Next-Gen Antivirus & MDM, uses machine learning-driven intelligence for flawless threat hunting. 

Heimdal Official Logo
Antivirus is no longer enough to keep an organization’s systems secure.

Heimdal® DNS Security Solution

Is our next gen proactive DNS-Layer security that stops unknown threats before they reach your endpoints.
  • Machine learning powered scans for all incoming online traffic;
  • Stops data breaches before sensitive info can be exposed to the outside;
  • Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
  • Protection against data leakage, APTs, ransomware and exploits;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

Patch Management 

85% of malware is deployed through exploit kits, so an up-to-date system is crucial if you want to secure your business and avoid being the next victim of an epiq ransomware attack. We know that manually dealing with patches is a resource and time-consuming task, so we would highly recommend trying an automated solution for this aspect too. 

Heimdal Official Logo
Simple standalone security solutions are no longer enough.
Is an innovative and enhanced multi-layered EDR security approach to organizational defense.
  • Next-gen Antivirus & Firewall which stops known threats;
  • DNS traffic filter which stops unknown threats;
  • Automatic patches for your software and apps with no interruptions;
  • Privileged Access Management and Application Control, all in one unified dashboard
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

Risk Analysis and Penetration Testing 

A cybersecurity risk analysis can help you identify, manage and safeguard data, information and assets that could be vulnerable in case of a cyber attack. Of great help for creating a plan to secure your company can also be the so-called penetration testing. What better way to safely find out how secure your system is then hacking into it and testing its ability to defend against attacks? 

Backup Your Data 

When talking about any type of ransomware attack, having backups for your data as a precaution should go without saying. Make sure that you have backups for all the critical information, that it is stored both online and offline, and that you take time to test your ability to revert to backups during a potential incident. 

Wrapping Up 

When cyberattacks become a team effort like Epiq Ransomware, where TrickBot, Emotet, and Ryuk combined their forces to damage a worldwide provider of legal services, you also need to turn to both online (automated solutions) and offline (staff education) methods of ensuring your company’s cybersecurity.

Please remember that Heimdal™ Security always has your back and that our team is here to help you protect your home and your company and to create a cybersecurity culture to the benefit of anyone who wants to learn more about it. 

Drop a line below if you have any comments, questions or suggestions – we are all ears and can’t wait to hear your opinion!

Author Profile

Elena Georgescu

Communications & Social Media Coordinator | Heimdal®

linkedin icon

Elena Georgescu is a cybersecurity specialist within Heimdal™ and her main interests are mobile security, social engineering, and artificial intelligence. In her free time, she studies Psychology and Marketing. Some of her guest posts on other websites include: cybersecurity-magazine.com, cybersecuritymagazine.com, techpatio.com

Leave a Reply

Your email address will not be published. Required fields are marked *