Law Firm Saved From Ransomware Criminals Cybersecurity Attack by Critical Insight


Using Critical Insight's Rapid Response team, a law firm was able to curb ransomware terrorists and save their client data.


A law firm got hit with the REvil ransomware. The criminals got in by connecting to the organization's server over Remote Desktop Protocol (RDP). The law firm did not have 24x7 Managed Detection and Response (MDR, or SOC-as-a-service) and had no way to catch or stop the spread of the ransomware. Without MDR or any other alerting solution in place, the ransomware gang was able to move quickly across the network and encrypt the drives on several machines, including thousands of important files. The firm turned to its IT MSP (managed service provider), which lacked experience in responding to ransomware.

The MSP complicated recovery efforts by powering off the server and subsequently making changes to some key files. The law firm made the difficult decision to pay the ransom and obtain a decryption key. With the assistance of the MSP, the law firm set to work on decrypting their files, only to find to their dismay that, instead of decrypting, most of the files produced decryption errors that pointed to malformed encryption keys. Repeated appeals to the ransomware gang for help with decryption were met only with unhelpful accusations that the law firm was being deceptive. Complicating matters further, within days of the encryption the US Government intervened and the REvil gang went dark, so the firm could no longer get “support” from the ransomware terrorists.

The law firm then called 800-604-4810 for Critical Insight Incident Response. Faced with an encrypted file server, no available client data or backups, and a ransom paid for a decryptor that did not work, Critical Insight created and acquired forensically sound images of the encrypted drives and began to carefully examine the decryption tool and the ransom notes scattered throughout the system. Critical Insight engaged the security community to help identify the root cause of the decryption failure. Analysis determined that there were hundreds of thousands of encrypted folders, each containing a malformed ransom note that prevented the files in it from being recovered.

Working with the ransomware team at Bitdefender, the offending keys were identified in the ransom notes on each drive, and, after some cooperative research, the correct keys were identified as well. The Critical Insight Incident Specialists scripted a method to replace over 700,000 malformed ransom notes and were able to recover and sanitize all of the law firm’s encrypted files.

With files restored and pending cases able to move forward unimpeded, the law firm responded jubilantly that Critical Insight had resolved an existential threat to their business and to their clients. The firm is back up and running, and Critical Insight is making sure no traces of the ransomware remain among the recovered data.

This unfortunate incident highlights the need to partner with IT professionals who understand and can implement appropriate security controls for your organization's infrastructure. The law firm became a victim after relying on a third party that left vulnerable protocols exposed to the Internet, allowing criminals to take over sensitive parts of the network. Working with Critical Insight, the law firm selected a new MSP that would implement the recommended security controls to prevent future incidents. The law firm can now thrive once again, knowing that its important business can go forward and that the ransomware extortionists are gone.

