The internal system of U.S. government contractor Electronic Warfare Associates (EWA) was infected with Ryuk ransomware last week, ZDNet reports. EWA is a contractor that supplies electronic equipment and services to the Department of Defense (DOD), the Department of Homeland Security (DHS), and the Department of Justice (DOJ).
Security researchers discovered that the malware had encrypted the company’s web servers, taking down the websites of several of its subsidiaries, including EWA Government Systems Inc., a company that provides electronic warfare products and services to government and commercial customers, and the Homeland Protection Institute, a non-profit organization chaired by Carl Guerreri, EWA’s CEO and president.
Signs of the incident, which included encrypted files and ransom notes cached in Google search results, were still visible online even after the company took down the infected web servers. The full extent and impact of the infection remains unknown; however, the main EWA website is currently up and running. According to an interview with Guerreri, EWA is coordinating with authorities and the company has no plans to pay the ransom; no further comments were made.
The Ryuk group has been reported to target high-revenue companies, using the Emotet/Trickbot trojans to gain entry to internal networks and a module called the Ryuk Stealer to exfiltrate data. A new variant of the module was found with added code that appears to target potentially sensitive data from military, government, legal, financial, and personal sources. Delivery methods have varied, but the objective has so far remained the same: extort payment from the victims. The new update, however, could mean that the group is expanding its operations.
The Trend Micro 2019 midyear security roundup reported that ransomware detections increased by 77% from the first half of the year to the second half, with threat actors earning millions of dollars in payouts. Trend Micro’s Managed Detection and Response (MDR) and Incident Response (IR) teams investigated two unrelated Ryuk attacks last year and were able to quickly identify the attack chain and deal with the compromised machines. For those who have yet to incorporate this type of protection into their systems, the following best practices will help defend against and prevent ransomware attacks: