Delaware, USA – January 30, 2020 – Last week Electronic Warfare Associates (EWA) fell victim to the Ryuk gang, and the company has not yet publicly reported the breach. The incident came to light because the company's web servers were encrypted; although they were taken offline quickly, Google had already cached the ransom notes and encrypted files, which confirmed that Ryuk ransomware was used in the attack. An unnamed security researcher told ZDNet that multiple websites related to Electronic Warfare Associates were affected: EWA Government Systems Inc., EWA Technologies Inc., Simplicikey, and Homeland Protection Institute.
The Virginia-based US government contractor supplies electronics equipment to the Department of Defense, the Department of Homeland Security, and the Department of Justice. It is not known how badly the company was hit or how many systems were encrypted. It is also unknown whether any data was stolen before encryption began: recently, researchers found an updated Ryuk infostealer with an expanded keyword list that searches infected systems for financial and military-related documents and then exfiltrates them via FTP. That stealer appeared in early autumn, well before the Maze ransomware operators began publishing stolen data when a victim refused to pay the ransom. The Ryuk gang is also a "regular customer" of the TrickBot Anchor project, which gives it access to previously compromised networks of high-profile targets.
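As an added illustration (not part of the original article, and not a SOC Prime rule or any real Ryuk artifact), the Python below sketches the behavioural correlation a detection for the stealer pattern described above rests on: a single process reads several documents whose names match financial or military keywords and then opens an outbound FTP control connection. The keyword list, thresholds, event format and sample telemetry are all constructed assumptions; the stealer's actual keyword list is not published on this page.

```python
"""Heuristic detector: keyword document sweep followed by an FTP connection
from the same process. Added example; event format and samples are invented."""
import re
from collections import defaultdict

# Assumed keyword list; the real stealer's list is not given on the page.
DOC_KEYWORDS = ("budget", "invoice", "payroll", "tax", "military",
                "contract", "classified")
SWEEP_THRESHOLD = 3      # distinct matching documents before we call it a sweep
FTP_PORTS = {21}         # plain FTP control channel, as described on the page
WINDOW_SECONDS = 600     # the FTP connect must follow the sweep within this window

# Constructed sample telemetry (NOT real Ryuk logs). One event per line:
# <unix_ts> <pid> <image> <FileRead|NetworkConnect> <path | ip:port>
SAMPLE_EVENTS = """\
1000 4120 C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe FileRead C:\\Users\\jdoe\\Documents\\budget_2020.xlsx
1001 4120 C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe FileRead C:\\Users\\jdoe\\Documents\\invoice_jan.pdf
1002 4120 C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe FileRead C:\\Shares\\Projects\\military_contract.docx
1003 4120 C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe FileRead C:\\Users\\jdoe\\Documents\\payroll.csv
1050 4120 C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe NetworkConnect 203.0.113.7:21
1100 2210 C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE FileRead C:\\Users\\jdoe\\Documents\\budget_2020.xlsx
1200 3300 C:\\Windows\\System32\\ftp.exe NetworkConnect 198.51.100.9:21
"""

# Image paths may contain spaces, so the image group is non-greedy and
# anchored by the fixed event-name alternatives that follow it.
EVENT_RE = re.compile(r"^(\d+) (\d+) (.+?) (FileRead|NetworkConnect) (.+)$")


def parse_events(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crashing the detector
        ts, pid, image, event, detail = m.groups()
        events.append({"ts": int(ts), "pid": int(pid), "image": image,
                       "event": event, "detail": detail})
    return events


def detect(events):
    """Return one alert per FTP connection preceded by a keyword document sweep
    from the same pid inside WINDOW_SECONDS."""
    sweeps = defaultdict(dict)   # pid -> {document path: first-read timestamp}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid = ev["pid"]
        if ev["event"] == "FileRead":
            name = ev["detail"].rsplit("\\", 1)[-1].lower()
            if any(k in name for k in DOC_KEYWORDS):
                sweeps[pid].setdefault(ev["detail"], ev["ts"])
        elif ev["event"] == "NetworkConnect":
            _host, _, port = ev["detail"].rpartition(":")
            if not port.isdigit() or int(port) not in FTP_PORTS:
                continue
            recent = [p for p, t in sweeps.get(pid, {}).items()
                      if ev["ts"] - t <= WINDOW_SECONDS]
            if len(recent) >= SWEEP_THRESHOLD:
                alerts.append({"pid": pid, "image": ev["image"],
                               "dst": ev["detail"], "docs": sorted(recent)})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT pid={alert['pid']} image={alert['image']} "
              f"ftp={alert['dst']} docs={len(alert['docs'])}")
```

In the constructed sample, only pid 4120 trips the rule: Excel reading one budget file has no network leg, and the lone ftp.exe connection has no preceding document sweep, so neither produces an alert. In production the same idea would be expressed over Sysmon Event ID 3 (network) and file-access telemetry rather than this invented line format, and the keyword list would be tuned to the organisation's document naming.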
Content available on Threat Detection Marketplace to secure against these threats:
Ryuk Ransomware Detector (Sysmon Behavior) – https://tdm.socprime.com/tdm/info/vZQdVgPbH0b7/
Ryuk Ransomware – https://tdm.socprime.com/tdm/info/e5l7zmQQ6jzP/
Active Directory credentials stealing via Trickbot – https://tdm.socprime.com/tdm/info/Gq7NllvleN5G/
TrickBot behaviour (Privilege escalation attack) – https://tdm.socprime.com/tdm/info/hnFSkaXV5vHs/
Trickbot Malware (YARA rules) – https://tdm.socprime.com/tdm/info/QNIEMQiE0ZwF/