Client Systems Restored - March 26, 2020
We are pleased to announce that all client-facing systems globally are back up and running. We began restoring full functionality for client systems two weeks ago, and have now completed our restoration and hardening activities for all client-facing environments. We are thankful to our IT and Operations teams, as well as IBM, Mandiant, and Microsoft, for their diligent and tireless efforts in fully restoring these environments. Further, we can confirm that Mandiant has found no evidence that any client data was accessed, misused, or exfiltrated. There has been no evidence of malicious activity in our system since March 1, 2020, and the attack did not impact our backup systems or data.
Since suffering this ransomware attack, we have been laser-focused on protecting client data and ensuring environments can be restored with full integrity. That is why we acted swiftly in taking our systems offline, and it is why we worked 24/7 to bring our clients back online in a safe and secure manner as quickly as possible.
We want to thank our clients for their loyalty, patience and support throughout this cyber incident. We appreciate you standing by us and lifting us with your empathy and well-wishes. We have learned a great deal from this incident, including that no company is immune to increasingly sophisticated cyber attacks in today’s dynamic threat landscape, and we are committed to sharing key lessons learned in the coming weeks.
We also want to make sure our clients have confidence in the safety of their databases and our environment going forward. To that end, we have worked closely with IBM and Microsoft to implement additional hardening measures to further improve the security of our systems.
We recognize that, with COVID-19, the challenges are not over. But we are well equipped and well positioned to weather this storm, and adapt our business to continue to meet the needs of our clients and our employees as they navigate the complexities posed by the current reality. We are prioritizing our employees’ and communities’ welfare, and have taken a number of steps to reduce the spread of the virus, including moving to remote work wherever possible. We also recognize the challenges our clients are facing, and have developed solutions for remote data collection and document review in order to continue to meet their business needs. We’ll work to identify and launch additional services to help our clients to continue with “business as usual” as much as possible during these trying times. You can read more about our response to COVID-19 here.
As we emerge from this cyber incident, we are confident that our company will emerge stronger than ever.
View message from our Chief Executive Officer, David Dobson
Systems Update – March 19, 2020
As previously disclosed, on February 29th, we confirmed that we suffered a ransomware attack. In response to this incident, we immediately deployed tools to thwart the attack, took our systems offline and launched a comprehensive investigation. While this action was necessary to successfully contain the incident, we deeply regret the impact it has had on our customers. Our team has been working around the clock alongside multiple leading cyber and technology experts to restore our systems in a secure manner as quickly as possible.
We recognize that many of our clients have questions about this incident. We have provided answers to several of these questions below. The answers provided reflect our best knowledge based on what we have learned to date. Investigations of data incidents are complex, dynamic, and require time to conduct properly. Our investigation is ongoing and we are still learning all the facts, but we are committed to providing updates as we learn more.
If you have any questions that we have not addressed, please contact your Epiq representative or send a note to us here.
We understand clients place a great deal of trust in us to handle their data, and we are working tirelessly to quickly return to the high levels of client service that Epiq is known for.
Frequently Asked Questions:
Q: What happened?
On February 29, we confirmed that we suffered a ransomware attack, which prompted us to take our systems offline. We are making progress in our restoration, and can confirm that the attack has been contained.
Importantly, we have found no evidence that any client data has been accessed, misused, or extracted.
While our investigation is still ongoing, we have confirmed that the RYUK ransomware protocol was used in this attack. We have also identified evidence of TrickBot malware in our systems, which is often deployed in advance of RYUK ransomware. Our understanding is that this ransomware variant is intended to disrupt business rather than exfiltrate data.
Q: What is Epiq doing about this incident?
After detecting unauthorized activity on our systems, we immediately deployed tools to thwart the attack and took our systems offline globally, in order to contain the threat and ensure the protection of data. At this point, we can confirm that the attack has been contained.
We are still carrying out our investigation and learning all the facts. We are working alongside leading third-party cyber and technology experts, including IBM, Mandiant, and Microsoft, to bring our systems back online in a secure manner, as quickly as possible. We have also notified and been cooperating with federal law enforcement.
The protection of client and employee data is our highest priority. We understand the importance of the reliability and availability of our client-facing platforms, and we regret the impact this attack has had on our clients.
Q: Which businesses were affected by the incident?
Our Legal Solutions (eDiscovery, document review), Class Action and Mass Tort, and Restructuring & Bankruptcy businesses were impacted. We are working to bring these systems back online in a secure manner as quickly as possible.
Global Business Transformation Solutions was not affected, nor were Epiq employees who work onsite for our clients from this business. These systems and services continue uninterrupted.
Q: Was any client data accessed or extracted? How do you know?
Based on the results of our investigation to date, we have found no evidence that any client data has been accessed, misused, or extracted. While our investigation is ongoing, our understanding is that this ransomware variant is intended to disrupt business rather than exfiltrate data.
Until our environment is fully restored, we will not be able to determine what specific data was subject to the ransomware encryption. However, we are confident that we will be able to restore any data that was encrypted by the ransomware. At this time, we can confirm that all data outside of North America and Singapore, including the UK, Europe and Asia, was not affected by the ransomware encryption. Additionally, we can confirm that the attack did not impact our backup systems or data.
Q: When will this incident be fully resolved?
At this time, we have restored access to over 90% of our client-facing systems, including some of our largest environments. We continue to work around the clock, alongside multiple leading cyber and technology experts, to restore the balance of our environments.
Q: What process is the forensics team undertaking?
Our data centers were taken offline in order to contain the threat and protect client and Epiq data. We are bringing systems back online one-by-one and conducting comprehensive testing in each instance. We have already begun to bring up some of our production systems, and expect to bring additional systems online each day. Our priority as we undertake this process is to confirm that our systems are secure, and we are following a proven and systematic playbook for dealing with this threat.
Q: What actions are being taken to secure your systems moving forward?
The protection of client data is our highest priority. As part of our restoration process, we are working alongside our expert advisors to implement a number of hardening measures to improve the security of our systems, including deployment of leading endpoint security tools and implementation of stricter controls within our intrusion protection system and active directory.
Q: Is it safe for clients to email with Epiq?
Yes. Epiq’s email system is delivered via Microsoft’s cloud Office 365 environment and was not impacted by this event.
Q: How will you communicate updates?
Since February 29th, we’ve been engaging directly and continuously with our employees and our clients. We will also be providing regular updates on this page as our investigation proceeds. You can always send a note to us here or contact your Epiq representative.