Skip to content ↓ | Skip to navigation ↓

A Ryuk sample was reportedly responsible for a ransomware infection at a contractor for the U.S. Department of Defense (DOD).

According to ZDNet, Electronic Warfare Associates (EWA) suffered a ransomware infection in which the offending malware encrypted its web servers.

The company ultimately took down the affected web servers, but security researchers nonetheless found evidence of the encrypted files and ransom notes cached in Google’s search results, ZDNet reported.

Google’s cached search results revealing signs of the EWA ransomware infection. (Source: ZDNet)

Researchers told ZDNet that the cached files unequivocally indicated that EWA had suffered a Ryuk ransomware infection.

Further investigation revealed that Ryuk had infected several of EWA’s websites. Those included EWA Government Systems Inc., a subsidiary of the company that provides electronic warfare capabilities to governments and commercial customers, and Homeland Protection Institute, a non-profit organization chaired by EWA’s CEO.

EWA had not published a public statement about the ransomware infection on its website at the time of writing. In its reporting, ZDNet noted that a spokesperson for the company had hung up on one of its reporters when they had attempted to contact the company about the security incident.

News of this infection comes less than two months after Ryuk struck a maritime facility regulated by the Maritime Transportation Security Act (MTSA). As disclosed by the U.S. Coast Guard, the facility shut down its primary operations for 30 hours after discovering that the ransomware had disrupted its entire corporate IT environment, interfered with its physical access control systems and taken its critical process control monitoring systems offline.

The infection involving EWA highlights the need for organizations to defend themselves against an infection at the hands of Ryuk or another ransomware family. They can do this by taking steps to prevent a ransomware infection in the first place. They can also use a solution like Tripwire File Analyzer to evaluate suspicious file behavior in a quarantined environment.