Taking Advantage of Hackers’ Mistakes in a Ransomware Attack

Written By: Ontrack

Date Published: August 23, 2024

Taking Advantage of Hackers’ Mistakes in a Ransomware Attack

The challenge

One of the most active Ransomware-as-a-Service threat actors in the world, Black Basta which is known for its double extortion attacks, carried out a ransomware attack on a customer's servers, encrypting all virtual machines and backups.

The affected systems included a 96-disk HP 3PAR8400, two LUNs with 100TB of data (one LUN running Windows and the other ESX with 250VM), and VEEAM backup datastores hosted on a separate 3PAR7200 on 64 SAS disks.

Paying the ransom would not help in this case.

One of the fastest growing Cyber Incident Response (CIR) companies in Europe initially worked on the case. Their experts noticed that the hackers had made mistakes in code generation and data encryption. After contacting several experts at another company for help, they realised that the hackers' decryption tool would not be able to decrypt any data even if the customer paid the ransom.

The CIR company contacted Ontrack to determine if the data could be recovered.

The solution

Using the partner's findings, our team investigated whether a customised data recovery solution could be developed.

The sophisticated cyber attack affected the storage system by encrypting in multiple layers both on the virtual file system layer and in the virtual machines.

For many years, Ontrack has been researching different types of ransomware to ensure that the further development of our data recovery tools supports the increasingly numerous and complex versions of ransomware. As a result, our knowledge and experience grow with the development of new versions. Our extensive collection of tools and methods for data recovery at all levels means that the chances of a successful recovery in these situations are increasing every day. 

The complexity of this ransomware attack motivated the just-in-time (JIT) development of our data recovery tools. With JIT, the Ontrack developers adjust our current toolset to cope with specific problems, such as new data storage system structures and changes to third-party file systems, or in this case, deciphering data at multiple layers.

 

For several weeks, Ontrack's developers worked on the assignment, cleaning up damage and errors in a third-party database for accounting archives with compressed files.  

The result

Ontrack was able to recover 88% of all data, including the most relevant data the customer was looking for; part of a document management system. The software provider was able to rebuild the database for the archive of accounting documents. 

This case study is yet another demonstration that it takes a team of specialists working together to overcome a cyber-attack.

Read more about JIT and why Ontrack is a world leader in data recovery.

 

 

Subscribe

KLDiscovery Ontrack, LLC, 9023 Columbine Road Eden Prairie, MN 55347, United States (see all locations)