Epiq, Ryuk ransomware, and shared responsibility

Epiq’s cybersecurity attack started with a TrickBot infection that led to it being hit by the Ryuk ransomware, the computer help website Bleeping Computer has reported, citing a source in the cybersecurity industry. It’s a timely reminder that data being in the cloud does not guarantee its safety.

The New York-headquartered company took down its systems on Saturday 29 February, subsequently publishing a statement to confirm that it had been hit by ransomware, had taken its systems offline, and was working with a third-party forensics team. It also informed federal law enforcement authorities.

According to Bleeping Computer and other sources, the Epiq network became infected with TrickBot malware in December. TrickBot is spread through phishing emails. Once installed, it harvests passwords, files and cookies before opening a reverse shell to the Ryuk operators, who, after gaining administrator credentials, deploy the ransomware.

Epiq’s corporate website is back up and running but a spokesperson for the firm said that the company’s only comment at this stage is the statement it published at the start of this week.

The attack against the SaaS eDiscovery giant is being heralded as the latest example of the need for cybersecurity training, but also as a reminder of the shared responsibility model and the obligation of customers to ensure that their data in the cloud is safe.

The shared responsibility model was introduced by Amazon and puts the onus on customers to close the data security loop in their own environments. As Cloudcheckr says: “Simply put, Amazon is responsible for the security of the cloud, while the customer is responsible for security in the cloud.” This model has been adopted by other cloud providers.

Writing on LinkedIn, Jason Thomas, chief information officer at Cole, Scott & Kissane said on 4 March:

“Epiq’s corporate website is back up after the Trickbot / Ryuk ransomware took down their 80 global offices, but, customers still do not have access to their eDiscovery data. No one is fully immune to ransomware, even with the best next-gen antivirus or “AI” based intrusion detection systems. While it’s easy to point all the blame on Epiq, customers have an obligation to ensure their data is safe. Just because “it’s the cloud”, it doesn’t guarantee the data is safe or take away our security responsibilities. This is the crux of the shared responsibility model. Your leaky AWS buckets are not Amazon’s fault, they’re your fault. And, you have every right to ask your cloud vendors what their security practices are, what systems they’re running, what security frameworks they follow, what certifications they have, what type of backups they run, what type of replication and failover systems are in place, how often they test backups and DR procedures, what their RTOs / RPOs are, and, most importantly, ask for a copy of your data that you control and test regularly. I am very cloud forward but cannot ignore my responsibility to protect my firm’s data and the livelihoods of our employees and clients.”

See also:

Epiq takes systems offline after ransomware attack