On March 2nd, legal reporter Bob Ambrogi shared that Epiq Global, a legal services company, recently took their systems offline globally in response to a security incident. A source for BleepingComputer revealed that the incident began with a TrickBot infection in December. TrickBot is most commonly spread via Emotet, but it is also distributed through malicious attachments in spam as well. After TrickBot has run its course, the TrickBot operators may decide to give the Ryuk ransomware operators access to infected systems.
Analyst Notes
The first stage in many desktop malware infections begins with malware delivered by email, either as an attachment or a link to download a file. An email security gateway solution may be able to prevent the delivery of malicious mail by scanning and detecting malicious links or attachments before threats ever reach an employee’s inbox. Always keep anti-virus solutions up-to-date as well. When deploying security solutions for the enterprise, consider using an EDR (endpoint detection and response) solution side-by-side with AV products. Using an EDR solution or an MDR (managed detection and response) can help spot threats before they spread too far. Analysts at the Binary Defense Security Operations Center detect threats on our clients’ workstations and servers 24-hours a day and respond quickly to contain infections, preventing minor incidents from becoming a source of major damage across the company. Most importantly, make backups! Backups should be created at regular intervals and stored offline. Many ransomware families look for connected USB devices and network drives, so multiple backups should exist in different locations to minimize the chance they could be infected as well.
Sources: https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/
https://www.lawsitesblog.com/2020/03/epiq-global-down-as-company-investigates-unauthorized-activity-on-systems.html
