
Cyber Incident Victim: Electronic Warfare Associates

Date:

Jan 2020

Location:

United States of America

Summary

A US government contractor specializing in electronic warfare and defense systems experienced a ransomware attack impacting multiple subsidiaries and affiliated websites, with encrypted files and ransom notes visible in search engine caches. The incident involved Ryuk ransomware, which typically infiltrates networks via Emotet or TrickBot trojans to spread internally, exfiltrate data, and deploy encryption. The attack specifically affected web servers hosting sites for subsidiaries providing cyber defense products, JTAG technologies, electronic deadbolts, and a non-profit chaired by the company's CEO. Ryuk's recent adaptation to target government and military-related data aligns with the victim's client base, including Department of Defense and Homeland Security entities. The company did not publicly acknowledge the breach, and the full extent of internal network compromise remains unknown.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

In late January 2020, Electronic Warfare Associates (EWA), a long-established U.S. government contractor specializing in electronic warfare systems, experienced a ransomware attack impacting multiple public-facing web servers. The incident became publicly evident when security researchers observed encrypted files and ransom notes cached in Google search results, even after EWA took affected systems offline approximately one week prior. Analysis of these artifacts confirmed the involvement of Ryuk ransomware, a strain known for targeting high-value organizations through deliberate, human-operated campaigns. The compromise affected websites belonging to several EWA subsidiaries, including EWA Government Systems Inc. (providing cyber defense, radar development, and force protection solutions), EWA Technologies Inc. (focused on JTAG products), Simplicikey (a consumer smart lock manufacturer), and the Homeland Protection Institute (a non-profit chaired by EWA's CEO). While the public exposure centered on web server encryption, the extent of internal network compromise remained unverified. EWA did not issue public statements acknowledging the breach, and company representatives declined to comment when contacted by media, abruptly terminating a call seeking clarification on the incident’s scope.


The Ryuk ransomware deployment followed the established pattern of human-operated cybercriminal campaigns, typically initiated through Emotet or TrickBot infections that provide the foothold for network reconnaissance and lateral movement. From that foothold, the attackers could deploy Ryuk's data exfiltration component, known as Ryuk Stealer, which had recently been updated to prioritize files containing government and military-related information. That modification aligns with EWA's role as a supplier to the Department of Defense, Department of Homeland Security, and Department of Justice, and it underscores the operational risk posed by the breach given EWA's involvement in sensitive defense and security work. The visible encryption of subsidiary websites indicated at least partial disruption to public-facing services, but the full operational and data-integrity consequences were not disclosed. With no confirmed details of data theft or ransom demands, critical questions remained unanswered about the attack's ultimate objectives and its impact on government contracts.

Sources

1 source (available to members)