
Ryuk Ransomware Hits Fortune 500 Company EMCOR


It has been reported that Ryuk ransomware has hit EMCOR, a US-based Fortune 500 company specialising in engineering and industrial construction services. The company disclosed last month a ransomware incident that took down some of its IT systems.

Details of the attack and the aftermath are not yet public, but the message announcing the ransomware infection is still present on the company's website almost three weeks after the attack.

EMCOR said that not all of its systems were impacted and that only “certain IT systems” were affected, which it promptly shut down to contain the infection. The company said it was restoring services, but did not specify if it paid the ransom demand or if it was restoring from backups.

Commenting on this, Sam Curry, chief security officer at Cybereason, said:

“The rubber hits the Wall Street road when Fortune 500 companies start readjusting earnings due to cyber attacks, as there is nothing that will get the attention of board members and investors more than an assault on revenues. EMCOR is not your average mom and pop company that crime groups are focusing on more and more.

This is a Fortune 500 enterprise with more than 30,000 employees, $10 billion in revenues and the best security team and tools in place to combat the daily challenges presented by threat actors.

EMCOR's disclosure is a stark reminder that the biggest and most secure organisations need incident response teams in place to deal with the persistent risk to proprietary information and customer and partner data that is all too often ending up in the hands of criminals.

While a lot of the details specific to this threat haven't been disclosed EMCOR's security team has likely saved the company from more damage and pain.

Overall, Ryuk ransomware is a real threat to organisations as Cybereason's Nocturnus team discovered with its Triple Threat research. Global 1000 organisations need security awareness training plans and incident response and threat hunting teams working constantly to stay ahead of hackers. Suggested remediation measures include:

  • Educate employees on how to correctly handle suspicious emails to prevent initial downloading or dropping of malware.
  • In order to protect against lateral movement, do not use privileged accounts, avoid RDPs without properly terminating the session, do not store passwords in plain text, deploy good authentication practices, disable unnecessary share folders, and change the names of the default share folders used in your organisation.
  • Proactively approach security by performing hunts and searching for suspicious behaviour before an incident starts.”

Martin Jartelius, chief security officer at Outpost24, added: “This is an example of what looks to be a better security practice than what we have seen from similar cases recently. The infection, while gaining a foothold, failed to hit the entire digital estate, meaning a single set of credentials or access did not grant the attackers a global reach. This shows once again that in-depth defense actually pays off when things go wrong.”

Paul Edon, Senior Director Technical Services (EMEA) at Tripwire, concluded: “Ransomware, or any malware, can’t just magically appear on your systems. It needs some kind of mechanism for deployment, usually an unpatched vulnerability, misconfiguration or successful phishing. Building a solid foundation is the best place to start for an effective defence.

That means putting in place and managing secure configurations for the assets in your environment. In order for this control to be effective, you must be able to define what a secure configuration is for those assets, and you have to be able to validate that an asset is configured to meet that standard.

If you don’t start with secure configurations, then you are simply leaving the door open for malware. In the context of prioritising the protection of the most likely entry points, organisations should also invest in phishing training programmes, as the human factor remains cybercriminals’ preferred target to gain a foothold into the environment.

Ultimately, the benefits of having solid foundational controls in place and a well-rehearsed incident response plan far outweigh the risk of a small disruption to business operations that the implementation may require.”
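Both the Cybereason hardening list above (no plaintext credentials, no dangling RDP exposure, unnecessary shares disabled, default share names changed) and Paul Edon's point about defining a secure configuration and then validating each asset against it describe the same control: a baseline plus a check. The following is an added illustration of that check, not code from EMCOR, Tripwire or Cybereason. The setting names, the patch-level format and the three sample hosts are constructed for the example; a real deployment would pull the inventory from a configuration-management or endpoint tool.

```python
"""Minimal secure-configuration baseline validator (added example).

Constructed illustration of "define a secure configuration, then validate
each asset against it". All setting names and sample asset data below are
invented for the example and are not taken from any real environment.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


# A rule is a predicate over the observed value plus a readable expectation.
@dataclass(frozen=True)
class Rule:
    setting: str
    expectation: str
    check: Callable[[Any], bool]


# Constructed baseline loosely mirroring the hardening advice quoted above:
# no plaintext credential storage, no internet-exposed RDP, no unused shares,
# default share names changed, and a minimum (invented) patch level.
BASELINE: List[Rule] = [
    Rule("store_plaintext_passwords", "must be False", lambda v: v is False),
    Rule("rdp_exposed_to_internet", "must be False", lambda v: v is False),
    Rule("unused_shares", "must be an empty list",
         lambda v: isinstance(v, list) and not v),
    Rule("default_share_names_changed", "must be True", lambda v: v is True),
    Rule("patch_level", "must be >= 2019.10",
         lambda v: isinstance(v, str)
         and tuple(int(p) for p in v.split(".")) >= (2019, 10)),
]


@dataclass
class Finding:
    asset: str
    setting: str
    observed: Any
    expectation: str


def validate_asset(name: str, config: Dict[str, Any],
                   baseline: List[Rule] = BASELINE) -> List[Finding]:
    """Return one Finding per baseline rule the asset fails.

    A setting absent from the inventory is a failure, not a pass: an unknown
    state cannot be called compliant. A malformed value (e.g. an unparsable
    patch level) is likewise treated as non-compliant rather than skipped.
    """
    findings: List[Finding] = []
    for rule in baseline:
        if rule.setting not in config:
            findings.append(Finding(name, rule.setting, "<missing>", rule.expectation))
            continue
        value = config[rule.setting]
        try:
            ok = rule.check(value)
        except (ValueError, TypeError, AttributeError):
            ok = False
        if not ok:
            findings.append(Finding(name, rule.setting, value, rule.expectation))
    return findings


def validate_estate(inventory: Dict[str, Dict[str, Any]]) -> Dict[str, List[Finding]]:
    """Validate every asset; an asset mapped to an empty list is compliant."""
    return {asset: validate_asset(asset, cfg) for asset, cfg in inventory.items()}


# Constructed sample inventory: one compliant host, one host that has drifted
# on every rule, and one host whose inventory record is incomplete.
SAMPLE_INVENTORY: Dict[str, Dict[str, Any]] = {
    "fileserver-01": {
        "store_plaintext_passwords": False,
        "rdp_exposed_to_internet": False,
        "unused_shares": [],
        "default_share_names_changed": True,
        "patch_level": "2019.11",
    },
    "jumpbox-02": {
        "store_plaintext_passwords": True,
        "rdp_exposed_to_internet": True,
        "unused_shares": ["old_backups"],
        "default_share_names_changed": False,
        "patch_level": "2019.08",
    },
    "kiosk-03": {
        "store_plaintext_passwords": False,
        "patch_level": "unknown",
    },
}


if __name__ == "__main__":
    for asset, findings in validate_estate(SAMPLE_INVENTORY).items():
        status = "COMPLIANT" if not findings else f"{len(findings)} deviation(s)"
        print(f"{asset}: {status}")
        for f in findings:
            print(f"  - {f.setting}: observed {f.observed!r}, {f.expectation}")
```

Running the block reports `fileserver-01` as compliant, five deviations for `jumpbox-02`, and four for `kiosk-03` (three settings missing from its record plus an unparsable patch level). The design choice worth noting is that "missing" and "malformed" both fail closed; a validator that silently skips what it cannot read produces exactly the false sense of coverage Edon warns against.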

    Phil Black - PII Editor