A prominent South African law firm was able to recover most of its data after its entire IT system was recently shut down by the Cryptolock Legion virus.
Once it has infected the system, the Cryptolock Legion virus begins a systematic process of infecting the files on the database until the entire database is locked down.
Troldesh/Shade is a file-encrypting ransomware which encrypts the personal documents found on the victim’s computer using an RSA-2048 key (AES CBC 256-bit encryption algorithm), appending the ‘firstname.lastname@example.org’ extension to encrypted files.
In time, every file on the hard drive will be encrypted and inaccessible without the key. At this point the computer will display a message demanding a ransom to obtain the key.
“It’s every law firm’s nightmare,” says the firm’s managing partner. “Fortunately we knew the directors at the BDO Cyber and Forensic lab, who we called in as soon as we realised the extent of the problem.”
Graham Croock, director of IT audit, risk and the Cyber Lab at BDO, says: “In situations like this, time is critical, and valuable data is lost between trying to get restarted and calling in professionals who understand the best ways to approach the problem.”
The first responders at the BDO Cyber Lab noted that the notorious Cryptolock virus has paralysed businesses across the world with no way of recovering the data once the virus’ encryption had taken hold. Once the drives were removed from the server they were placed in the BDO Cyber Lab in a sanitised environment where the advanced cyber team could look at the extent of the virus encryption and evaluate what could possibly be recovered.
Using advanced data recovery methods, the BDO team was able to recover a substantial proportion of the lost data by accessing shadow copies of the files on the hard drive, which had not yet been destroyed by the virus.
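As an added illustration of the shadow-copy recovery step described above (an example written for this page, not BDO’s own procedure), the following PowerShell lists the Volume Shadow Copies visible to a Windows analysis host, picks the newest snapshot that predates the encryption, and exposes it through a directory link so intact files can be copied out. The cut-off time, mount point and destination path are assumed values; it assumes the affected volume is attached to the host and that the snapshots were not deleted.

```powershell
# Added example: recover files from a Volume Shadow Copy that predates ransomware encryption.
# Run from an elevated PowerShell prompt. Prefer working on a forensic image of the drive,
# since writes to the original volume can consume the shadow storage and destroy snapshots.

$MountPoint      = 'C:\vss_recovery'              # assumed: free path for the snapshot link
$Destination     = 'D:\recovered'                 # assumed: clean drive to copy files to
$EncryptionStart = Get-Date '2016-01-01 08:00'    # assumed: from the incident timeline

# Map volume device IDs (\\?\Volume{GUID}\) to drive letters for readable output.
$letters = @{}
Get-CimInstance -ClassName Win32_Volume | ForEach-Object { $letters[$_.DeviceID] = $_.DriveLetter }

# 1. Enumerate all shadow copies, oldest first. Many ransomware families delete them
#    before encrypting, so an empty list is itself a finding worth recording.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate
if (-not $shadows) {
    Write-Warning 'No shadow copies found: deleted by the malware, or never created.'
    return
}
$shadows | ForEach-Object {
    [pscustomobject]@{ Id = $_.ID; Created = $_.InstallDate
                       Drive = $letters[$_.VolumeName]; Device = $_.DeviceObject }
} | Format-Table -AutoSize

# 2. Choose the newest snapshot taken before the encryption began.
$candidate = $shadows | Where-Object { $_.InstallDate -lt $EncryptionStart } | Select-Object -Last 1
if (-not $candidate) {
    Write-Warning 'Every snapshot post-dates the encryption; nothing safe to restore from.'
    return
}

# 3. Expose the snapshot as a directory. The trailing backslash on the device path is
#    required; the snapshot itself is read-only, so nothing in it can be altered.
$devicePath = $candidate.DeviceObject + '\'
cmd /c mklink /d "$MountPoint" "$devicePath" | Out-Null

# 4. Copy user documents out of the snapshot, then remove the link only (data is untouched).
New-Item -ItemType Directory -Path $Destination -Force | Out-Null
robocopy "$MountPoint\Users" "$Destination\Users" /E /COPY:DAT /R:1 /W:1 /XJ /LOG:"$Destination\robocopy.log"
cmd /c rmdir "$MountPoint"
```

Compare file hashes or open a sample of the recovered documents before declaring them clean, since a snapshot taken mid-incident can contain a mix of intact and encrypted files.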
“The key issue at stake is not if you will be attacked but when,” says David Cohen from the BDO Cyber Lab. “Businesses need to start taking the threats of a cyber attack seriously.
“They need to get themselves into a position of cyber readiness after doing the necessary risk assessments and putting in place disaster recovery and business continuity plans. Lastly, being correctly insured is critical if you are to survive a full attack.”