The Ryuk ransomware attacked the EMCOR Group, a Fortune 500 company with 80 subsidiaries and more than 33,000 employees worldwide.
EMCOR Group specializes in engineering and industrial construction services. A message on the company’s official website states that the incident occurred on February 15, 2020. Although details of the incident have not yet been disclosed, representatives of the EMCOR Group claim that only “certain IT systems” were affected, and that these were quickly shut down to contain the spread of the malware.
“EMCOR recently determined that we were the target of a RYUK ransomware attack infecting certain of the Company’s systems with malware. As a precautionary measure, we promptly shut down certain IT systems to help contain the problem. We implemented business continuity plans to facilitate ongoing operations and are restoring systems, where appropriate. While some of our systems are still coming back online, we are continuing to service our customers,” reads the statement on the company’s website.
The company reports that it is already restoring its services, but does not specify whether it paid the ransom to the attackers or restored the data from backups.
EMCOR has already adjusted its estimated financials for 2020 to take into account the downtime caused by the ransomware attack, but has not yet disclosed the exact amount of estimated losses.
In addition, the company emphasizes that, according to the results of the investigation, the criminals were not able to steal the data of employees or customers during the attack.
“Through counsel, we have retained a leading cybersecurity forensic firm to assist with an extensive review of the situation. Our investigation is ongoing; however, at this time, we have not uncovered any direct evidence that employee or customer data has been taken in the attack. Security, in all its forms, is a priority at EMCOR,” write EMCOR representatives.
A statement that there were no leaks is important, because the trend of recent months among ransomware operators has been to publish data stolen from affected companies. To that end, ransomware developers urge their affiliates to copy the victim’s data before encryption, so that it can then be used as leverage (and, if that does not help, made public or sold).
The developers of malware such as Maze, DoppelPaymer, Nemty and others have already launched their own sites for this purpose. However, the Ryuk operators apparently do not practice this yet, or they managed to get a ransom from EMCOR.