Cyber Incident Victim: EMCOR Group

Date: Feb 2020

Location: United States of America

Summary

A Fortune 500 company specializing in construction and infrastructure services suffered a Ryuk ransomware attack affecting certain IT systems, prompting immediate shutdowns to contain the infection. The victim, operating globally through over 80 subsidiaries with 33,000 employees and $9 billion annual revenue, initiated restoration efforts without confirming whether a ransom was paid or backups were used. While the incident disrupted operations and led to adjusted financial projections for the year, internal investigations found no evidence of compromised employee or customer data. The attack aligned with Ryuk's typical behavior, in contrast to ransomware strains known for data exfiltration tactics.

Description

On February 15, 2020, EMCOR Group, a Fortune 500 company with over $9 billion in annual revenue, experienced a ransomware attack identified as an infection by the Ryuk strain. The company detected the incident and promptly shut down certain affected IT systems to contain the spread, emphasizing that not all systems were compromised. EMCOR initiated restoration efforts for impacted services but did not publicly disclose whether it paid the ransom demand or relied on backups for recovery. The organization stated its investigation found no evidence that employee or customer data was exfiltrated during the attack. Nearly three weeks after the incident, the ransomware notification message remained visible on the company's website, indicating ongoing disruptions. With operations spanning more than 170 locations globally through 80 subsidiaries and employing 33,000 people, the attack caused measurable operational downtime.

In its 2019 fourth-quarter financial report filed after the incident, EMCOR adjusted its 2020 earnings projections to account for losses attributable to the ransomware-induced downtime, though it withheld specific financial impact figures. The prolonged presence of the ransomware notification on its public-facing systems suggested extended recovery challenges. The attack placed EMCOR among prominent ransomware victims of the period, including defense contractor EWA, law firm Epiq Global, rail operator Railworks, and European energy provider INA Group. Ryuk's involvement contrasted with ransomware groups like REvil and Maze that typically combined encryption with data theft, aligning with EMCOR's assessment of no data compromise. The company maintained focus on restoring operations while withholding technical details about infection vectors or remediation methods.
