DOD contractor Electronic Warfare Associates hit with Ryuk ransomware

Electronic Warfare Associates (EWA), a government contractor that works with the Department of Defense, Department of Justice, and Department of Homeland Security, has been hit with a ransomware attack, CyberScoop has learned.

EWA’s CEO and president, Carl Guerreri, confirmed the infection in a Thursday interview with CyberScoop, but wouldn’t reveal further details. He declined to comment on how much of the company’s network was currently down, when the initial ransomware infection had taken place, what the initial infection vector was, or when EWA notified law enforcement.

“I don’t want to give out any details for security reasons,” Guerreri told CyberScoop. “We’re coordinating with law enforcement.”

The company was hit with Ryuk ransomware, according to security researchers who spoke with ZDNet, which first reported the infection.

Guerreri doesn’t know how much money attackers are demanding, but said EWA has no plans to pay a ransom.

“I had no intention of paying anything so I didn’t even ask [the amount],” Guerreri told CyberScoop. “I can tell you that we did not pay any ransom.”

Guerreri declined to comment on whether EWA knows the attacker’s identity.

The FBI has long recommended not paying ransomware attackers. Even so, Ryuk ransomware infections have been attached to some of the largest payouts among all incidents — including one that hit Riviera Beach, Florida, where attackers collected nearly $600,000 after crippling the city government’s systems.

Ransomware attackers have been encrypting victims’ data and demanding decryption ransoms at an alarming rate in recent months across the U.S. — but their attacks have mostly targeted state and local governments or school systems.

EWA supports the government’s efforts in “electronic warfare, cyber defense, tactical mission planning, and force protection,” according to a company LinkedIn page and other subsidiary websites. One of the firm’s subsidiaries, EWA Warrior Services, works with the U.S. Army Test and Evaluation Command, Navy Information Operations Command, and U.S. Fleet Cyber Command.

The targets are changing

Allan Liska, a senior threat intelligence analyst at Recorded Future, told CyberScoop that attackers using ransomware are shifting to higher-value targets.

“The teams behind Ryuk have become more focused in choosing their targets over the last year,” Liska told CyberScoop. “But, they have generally stayed away from federal governments and contractors associated with federal governments … If this was a targeted attack, as opposed to one of convenience, it could signal that they intend to go after even bigger targets moving forward.”

The U.S. government expects high-value targets and government contractors to abide by strict notification rules when it comes to cybersecurity incidents. Contractors are required to report any such event within 72 hours of discovery and submit the malware to the DOD Cyber Crime Center (DC3), according to federal acquisition regulations.

Guerreri told CyberScoop EWA has complied with those regulations.

“We have followed all procedures required of a DOD contractor,” he said.

The DOD, DHS, and DOJ did not respond to requests for comment.