Epiq Ransomware – A Team Effort
#1
Bug 
Quote:
Preventing a Cyber Attack is Not Enough. Sometimes You Need to Protect Your Company Against a Mix of Cyber Threats.

What do you get when you combine three virulent cyber attacks? An epiq ransomware case. 

As we have defined it in our Cybersecurity Glossary, ransomware is a type of malware (malicious software) which encrypts all the data on a PC or mobile device, blocking the data owner’s access to it until a ransom demand is fulfilled. As the notorious Epiq ransomware shows, the cybercriminals are getting more and more resourceful when it comes to finding methods for doing more and more harm. 

The name of the Epiq ransomware comes from its original victim – Epiq Global, a company that provides legal services to financial institutions and governments from 80 offices worldwide. The attack took place in March, forcing the company to go globally offline after the ransomware was deployed and began encrypting devices on its network. 

In a press release issued on the 2nd of March, representatives of Epiq declared:
 
Quote:
On February 29, we detected unauthorized activity on our systems, which has been confirmed as a ransomware attack. As part of our comprehensive response plan, we immediately took our systems offline globally to contain the threat and began working with a third-party forensic firm to conduct an independent investigation.
Our technical team is working closely with world-class third-party experts to address this matter and bring our systems back online in a secure manner, as quickly as possible.
Federal law enforcement authorities have also been informed and are involved in the investigation.
As always, protecting client and employee information is a critical priority for the company. At this time there is no evidence of any unauthorized transfer or misuse or exfiltration of any data in our possession.

This came after 5 other law firms were hit by the notorious Maze group and, although Epiq claimed that no data were exfiltrated during the March attack, they are now facing “a federal lawsuit in California alleging it is at fault for malware and ransomware attacks that exposed data in violation of the state’s landmark privacy law.” 

Actors of the Epiq ransomware attack – TrickBot, Emotet and Ryuk

Apparently, the Epiq ransomware attack started with a TrickBot infection. Developed in 2016, TrickBot is a banking Trojan (a type of malware that acts according to the Greek legend: it camouflages itself as a legitimate file or program to trick unsuspecting users into installing it on their PCs. Upon doing this, users will unknowingly give unauthorized, remote access to the cyber attackers who created and run the Trojan) that targets Windows machines. 

The Trojan TrickBot comes in modules and is accompanied by a configuration file. The modules have specific tasks: gaining persistence, propagation, stealing credentials, encryption etc. The malware will communicate with TrickBot’s command and control infrastructure in order to exfiltrate data and receive tasks, but the end-users won’t notice any sign of an infection. TrickBot usually gets into a network via malicious spam campaigns, laterally by using the EternalBlue exploit, or through infected attachments and embedded URLs. Trojan.TrickBot can also be a secondary infection dropped by Trojan.Emotet, an old cybersecurity threat.

As BleepingComputer writes,

Quote:
Once TrickBot is installed, it will harvest various data, including passwords, files, and cookies, from a compromised computer and will then try to spread laterally throughout a network to gather more data. When done harvesting data on a network, TrickBot will open a reverse shell to the Ryuk operators. The Ryuk actors will then have access to the infected computer and begin to perform reconnaissance of the network. After gaining administrator credentials, they will deploy the ransomware on the network’s devices using PowerShell Empire or PSExec.

In Epiq Global’s case, Ryuk was deployed on their network on Saturday morning, February 29th, 2020, when the ransomware began encrypting files on infected computers.

When the ransomware encrypts the files, it creates a ransom note called RyukReadMe.txt in any folder, and every file that is encrypted has the .RYK extension appended to it. 

The partnership of TrickBot and Ryuk was not a particularity of the Epiq ransomware attack only – BleepingComputer also mentions that

Quote:
the Ryuk actors may be renting other malware as an Access-as-a-Service to gain entrance to a network. […] TrickBot is being used by other actors to get access to an infected network. Once these bots infect a computer, they would create reverse shells back to other actors, such as the ones behind Ryuk, so that they can manually infiltrate the rest of the network and install their payloads.

Knocking out the Epiq ransomware attack – Ryuk. M.O., History, Targets.

Ryuk (probably named after the fictional character known as a Shinigami – the God of Death – in the Death Note anime and manga series) represents a ransomware family that uses campaigns where extortion happens, unlike in other ransomware cases, days or weeks after the initial infection. As ComplexDiscovery.com says, “Ryuk has been observed as a second-stage payload delivered in campaigns that involved Emotet and Trickbot, two of the most widespread threats that are currently being used in malware campaigns”. It targets large companies and government agencies: among the companies that fell victim to Ryuk’s “death note” there are newspapers, restaurants, and public institutions.
...
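The article names two on-disk artefacts of a Ryuk encryption run: a RyukReadMe.txt note dropped in folders and a .RYK extension appended to encrypted files. The following read-only triage script, an added example that is not from the article or any of the vendors it cites, walks a share and reports which folders carry either indicator; the sample directory tree it scans is constructed in a temporary folder.

```python
"""Read-only triage for the Ryuk artefacts the article names (added example).
Assumptions: a folder is flagged when it holds the RyukReadMe.txt ransom note
or files carrying the appended .RYK extension; the sample tree is constructed."""
import os
import tempfile

NOTE_NAME = "RyukReadMe.txt"   # ransom note dropped in folders
ENC_SUFFIX = ".RYK"            # appended to every encrypted file


def scan_tree(root):
    """Walk root without modifying anything; return a per-folder report
    {relative_folder: {"note": bool, "encrypted": [names]}} for folders with a hit."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        entry = {"note": False, "encrypted": []}
        for name in files:
            if name == NOTE_NAME:
                entry["note"] = True
            elif name.upper().endswith(ENC_SUFFIX):
                entry["encrypted"].append(name)
        if entry["note"] or entry["encrypted"]:
            report[os.path.relpath(dirpath, root)] = entry
    return report


def summarize(report):
    """Counts a responder wants first: affected folders and encrypted files."""
    folders = len(report)
    files = sum(len(e["encrypted"]) for e in report.values())
    return {"affected_folders": folders, "encrypted_files": files}


def build_sample_tree():
    """Constructed fixture: one clean folder, one folder hit by the ransomware."""
    root = tempfile.mkdtemp(prefix="ryuk-triage-")
    clean = os.path.join(root, "clean")
    hit = os.path.join(root, "finance")
    os.makedirs(clean)
    os.makedirs(hit)
    for name in ("report.docx", "notes.txt"):
        open(os.path.join(clean, name), "w").close()
    for name in ("ledger.xlsx.RYK", "q1.pdf.RYK", NOTE_NAME):
        open(os.path.join(hit, name), "w").close()
    return root


if __name__ == "__main__":
    rep = scan_tree(build_sample_tree())
    print(summarize(rep), rep)
```

Run against a mounted share during incident response, the per-folder report shows how far encryption reached; the clean folder in the fixture produces no entry, so a report with no hits is a genuine negative rather than a scan failure.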