Ryuk Ransomware Infects US Government Contractor

Ryuk Ransomware Infects US Government ContractorThe internal system of U.S. government contractor Electronic Warfare Associates (EWA) was infected with Ryuk ransomware last week, ZDNet reports. EWA is a contractor that supplies electronic equipment and services to the Department of Defense (DOD), the Department of Homeland Security (DHS), and the Department of Justice (DOJ).

Security researchers discovered that the offending malware had encrypted the company’s web servers, affecting several of their subsidiaries’ websites, including: EWA Government Systems Inc., a company that provides electronic warfare products and services to governments and commercial customers, as well as Homeland Protection Institute, a non-profit organization chaired by Carl Guerreri, EWA’s CEO and president.

Signs of the incident, which included encrypted files and ransom notes cached in Google search results, were still visible online even after the company took down the infected web servers. The full extent and impact of the infection remains unknown; however, the main EWA website is currently up and running. According to an interview with Guerreri, EWA is coordinating with authorities and the company has no plans to pay the ransom; no further comments were made.

The Ryuk group has been reported to target high-revenue companies, using the Emotet/Trickbot trojans to enter internal networks, and a module called the Ryuk Stealer to exfiltrate data. A new variant of the module was found with added code that appear to target potentially sensitive data from military, government, legal, financial, and personal units. Delivery methods have varied, but the objective has so far remained the same: extort payment from their victims. However, the new update could mean that the group is expanding their operations.

[Trend Micro Research: A Closer Look at the Ryuk Ransomware]

Ransomware Defense and Prevention

The Trend Micro 2019 midyear security roundup reported that ransomware detections increased by 77% from the first half of the year to the second half, with threat actors earning millions of dollars from payouts. Trend Micro’s Managed Detection and Response (MDR) and Incident Response (IR) teams investigated two unrelated cases of Ryuk attacks last year and were able to quickly identify the chain of attack and deal with the compromised machines. For those who have yet to incorporate this type of protection into their system, the following best practices will help defend against and prevent ransomware attacks:

  • Avoid opening unverified or suspicious emails and clicking on embedded links.
  • Implement the principle of least privilege and limit access to important data and system administration tools.
  • Keep important information safe by regularly backing up your data, preferably using the 3-2-1 method: three backup copies in at least two separate formats, with one copy offsite.
  • Consistently update and patch systems, networks, servers, and applications to address vulnerabilities that threat actors can exploit.
  • Refrain from paying ransomware demands; giving in only encourages threat actors and there is no guarantee that any data will be restored.

[Best Practices: More recommendations to defend against ransomware]

Adopting a multi-layered approach can prevent ransomware from reaching networks and systems. Enterprises can take advantage of email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector or InterScan™ Web Security to prevent ransomware from reaching end users. Small and medium-sized businesses can protect their endpoints using Trend Micro Worry-Free Services Advanced. As for home users, Trend Micro Maximum Security provides powerful protection for up to 10 devices and the Trend Micro Ransomware File Decryptor Tool can decrypt files locked by certain ransomware variants without having to pay the ransom or use a decryption key.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.