{
	"id": "e989587b-3cd2-4617-9457-810e75d86779",
	"created_at": "2026-04-06T01:31:55.165703Z",
	"updated_at": "2026-04-10T13:11:56.271843Z",
	"deleted_at": null,
	"sha1_hash": "a5db9875a00c5a4a14edf0b2abb7d1af800a0868",
	"title": "Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 823182,
	"plain_text": "Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection\r\nBy Lawrence Abrams\r\nPublished: 2020-03-04 · Archived: 2026-04-06 00:23:31 UTC\r\nLegal services and e-discovery giant Epiq Global took their systems offline on Saturday after the Ryuk Ransomware was\r\ndeployed and began encrypting devices on their network. \r\nOn March 2nd, legal reporter Bob Ambrogi broke the news that Epiq had globally taken their systems offline after detecting\r\na cyberattack.\r\nThis outage affected their e-Discovery platforms, which made it impossible for legal clients to access documents needed for\r\ncourt cases and client deadlines.\r\nhttps://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/\r\nPage 1 of 5\n\nEpiq later stated that they were affected by a ransomware attack and took their systems offline to contain the threat.\r\n\"On February 29, we detected unauthorized activity on our systems, which has been confirmed as a ransomware attack. As\r\npart of our comprehensive response plan, we immediately took our systems offline globally to contain the threat and began\r\nworking with a third-party forensic firm to conduct an independent investigation.\r\nOur technical team is working closely with world class third-party experts to address this matter, and bring our systems back\r\nonline in a secure manner, as quickly as possible.\r\nFederal law enforcement authorities have also been informed and are involved in the investigation.\r\nAs always, protecting client and employee information is a critical priority for the company. 
At this time there is no evidence\r\nof any unauthorized transfer or misuse or exfiltration of any data in our possession.\"\r\nLater that night, TechCrunch reported that they were told that the attack affected all of Epiq's 80 global offices and their\r\ncomputers.\r\nEpiq Global's attack started with a TrickBot infection\r\nToday a source in the cybersecurity industry exclusively shared information with BleepingComputer that sheds light on how\r\nEpiq Global became infected.\r\nIn December 2019, a computer on Epiq's network became infected with the TrickBot malware.\r\nTrickBot is most commonly installed by the Emotet Trojan, which is spread through phishing emails.\r\nOnce TrickBot is installed, it will harvest various data, including passwords, files, and cookies, from a compromised\r\ncomputer and will then try to spread laterally throughout a network to gather more data.\r\nWhen done harvesting data on a network, TrickBot will open a reverse shell to the Ryuk operators.\r\nThe Ryuk actors will then have access to the infected computer and begin to perform reconnaissance of the network. After\r\ngaining administrator credentials, they will deploy the ransomware on the network's devices using PowerShell Empire or\r\nPSExec.\r\nIn Epiq Global's case, Ryuk was deployed on their network on Saturday morning, February 29th, 2020, when the\r\nransomware began encrypting files on infected computers.\r\nRansom Note Created\r\nWhen encrypting files, the ransomware will create a ransom note named RyukReadMe.html in every folder. 
All files that\r\nwere encrypted would also have the .RYK extension appended to them.\r\nEpiq Global's Ryuk Ransom Note\r\nWhile Ryuk is considered a secure ransomware without any weaknesses in its encryption, Emsisoft's Brett Callow has told\r\nBleepingComputer that there may be a slight chance they can help recover files encrypted by the Ryuk ransomware.\r\n“Companies affected by Ryuk should contact us. There is a small - very small - chance that we may be able to help them\r\nrecover their data without needing to pay the ransom,” Callow told BleepingComputer.com.\r\nWhile the chances are very small, if your devices are encrypted by the Ryuk Ransomware it does not hurt to check with\r\nEmsisoft.\r\nBleepingComputer has reached out to Epiq with further questions about this attack, but has not heard back at this time.\r\nSource: https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/"
	],
	"report_names": [
		"ryuk-ransomware-attacked-epiq-global-via-trickbot-infection"
	],
	"threat_actors": [],
	"ts_created_at": 1775439115,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a5db9875a00c5a4a14edf0b2abb7d1af800a0868.pdf",
		"text": "https://archive.orkl.eu/a5db9875a00c5a4a14edf0b2abb7d1af800a0868.txt",
		"img": "https://archive.orkl.eu/a5db9875a00c5a4a14edf0b2abb7d1af800a0868.jpg"
	}
}