Once infected the Cryprolock Legion virus begins a systematic process of infecting the files on the database until the entire database is locked down. Troldesh/Shade is a file-encrypting ransomware, which will encrypt the personal documents found on victim’s computer using RSA-2048 key (AES CBC 256-bit encryption algorithm), appending the ‘email@example.com’ extension to encrypted files. In time every file on the hard-drive will be encrypted and unaccessible without the key. At this point the computer will display a message demanding a ransom to obtain the key.
“It’s every law firm’s nightmare,” said the firm’s managing partner as he battled to come to terms with the loss of all his data. “Fortunately we knew the directors at the BDO Cyber and Forensic lab who we called in as soon as we realised the extent of the problem.”
“In situations like this, time is critical, and valuable data is lost between trying to get restarted and calling in professionals who understand what best ways to approach the problems,” said Graham Croock, Director of IT Audit, Risk and the Cyber Lab at BDO.
The first responders at the BDO Cyber Lab noted that the notorious Cryptolock virus has paralysed businesses across the world with no way of recovering the data once the virus’ encryption had taken hold. Once the drives were removed from the server they were placed in the BDO Cyber Lab in a sanitised environment where the advanced cyber team could look at the extent of the virus encryption and evaluate what could possibly be recovered.
Using advanced data recovery methods, the BDO team was able to recover a substantial proportion of the lost data by accessing shadow copies of the files on the hard drive, which had not yet been destroyed by the virus. “This is life saving stuff,” said a lawyer from the firm.
“The key issue at stake is not if you will be attacked but when,” said David Cohen from the BDO Cyber Lab. Businesses need to start taking the treats of a cyber attack seriously. They need to get themselves into a position of cyber readiness after doing the necessary risk assessments and putting in place disaster recovery and business continuity plans. Lastly, being correctly insured is critical if you are to survive a full attack.”