23 August 2019
At the weekend, the administrator found that a cyberattack was underway on the corporate network. The Ryuk ransomware had already infected live systems and data backups. The Hyper-V cluster had been completely encrypted; the backup system, a NAS with an attached external hard drive, had also been partially encrypted by Ryuk, and other important directories had been deleted outright.
The backup was disconnected from the power as quickly as possible. The company was now at a standstill, and no employee was able to process the two hundred to six hundred articles that arrive every day. Therefore, on the strength of an earlier collaboration, the responsible IT consultant contacted Attingo.
Immediately after the initial consultation, the NAS and the external hard drive were brought in person to Attingo's laboratory for analysis. The case was handled under the High Priority Service, so it was worked on with the highest priority, around the clock.
It was quickly diagnosed that all of the required data on the external hard drive carried the *.RYK file extension, meaning it had been encrypted by the Ryuk ransomware. On the Synology NAS, however, the corresponding data had been deleted rather than encrypted, which gave a higher probability of data recovery.
Raw images of the five hard drives used in the NAS were taken first, and the recovery was then performed on those images. The RAID volume was searched for the deleted data using specialised tools in several parallel processes. Various files encrypted by Ryuk, recognisable by the *.RYK file extension, could be recovered, but just as many of the recovered files were unencrypted yet anonymous, i.e. without usable file names.
In view of the encrypted, partially encrypted and anonymous state of the recovered deleted data, and the proprietary way in which the backup software manages the data it creates, the recovery result could not be used by the customer. However, there was another, fortunately unencrypted but much older, offline data backup. The live systems were restored from that backup and the company was at least operational again.
With an offline backup, the worst possible scenario could still be averted in this case. However, there have been enough cases in the past in which offline data backups were already encrypted.
It is not possible to determine how and when the infection took place or how long the perpetrators had been active in the network. Attingo suspects that the perpetrators in this case may not have been very experienced, and perhaps not very patient either. As a rule, the perpetrators analyse networks in detail so that they can also attack offline data backups. Since various backup cycles are conceivable, ransomware extortionists often spend weeks or months observing and analysing a network.
The fact that the deleted data from the NAS backup had already been largely encrypted is an indication that the deletion was not primarily planned. It is conceivable that it was a panic or emergency reaction to the cyberattack being noticed early.
Ransomware extortionists now know that professional data recovery specialists like Attingo can restore deleted and presumably destroyed RAID backups after a cyberattack. To eliminate this disruptive factor effectively, it must be assumed that their primary goal is the encryption of all data and systems, so that specialists like Attingo cannot offer those affected an alternative to paying the ransom.
When analysing the data encrypted by Ryuk, Attingo discovered that the encrypted and partially encrypted files contain the HERMES marker. According to experts, Ryuk's source code is almost identical to that of the HERMES trojan, which is attributed to the hacking group Lazarus, assumed to be close to North Korea.
Lazarus may have recycled the Trojan and made it available to other criminals as RaaS, or third parties have appropriated the code to blackmail companies.
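The two indicators this case relies on, the *.RYK extension and the HERMES marker inside the file content, can be used to triage files carved from a RAID recovery, where many files come back without names. The following is an added example and not Attingo's tooling; it assumes only that the marker occurs somewhere in an affected file, and the sample tree it builds is constructed.

```python
"""Triage files recovered from a Ryuk-hit volume by the two indicators the
case describes: the *.RYK extension and the HERMES marker in the content."""
import tempfile
from pathlib import Path

RYUK_EXT = ".ryk"          # extension Ryuk appended to encrypted files (from the case)
HERMES_MARKER = b"HERMES"  # marker seen inside encrypted and partially encrypted files
CHUNK = 1 << 20            # read 1 MiB at a time so large recovered files are not loaded whole

def contains_marker(fh, marker: bytes = HERMES_MARKER) -> bool:
    """Stream a binary file object and report whether the marker occurs anywhere.
    The last len(marker)-1 bytes are carried across reads so a marker split
    between two chunks is still found (marker position is an assumption)."""
    carry = b""
    while True:
        chunk = fh.read(CHUNK)
        if not chunk:
            return False
        window = carry + chunk
        if marker in window:
            return True
        carry = window[-(len(marker) - 1):]

def classify_file(path: Path) -> str:
    """Return 'ryk-extension', 'hermes-marker' or 'clean'. Files carved from a
    RAID recovery often have no usable name, so the content marker is checked
    whenever the extension says nothing."""
    if path.suffix.lower() == RYUK_EXT:
        return "ryk-extension"
    with path.open("rb") as fh:
        return "hermes-marker" if contains_marker(fh) else "clean"

def triage(root: Path) -> dict:
    """Walk a recovered tree and bucket every regular file by verdict."""
    buckets = {"ryk-extension": [], "hermes-marker": [], "clean": []}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            buckets[classify_file(p)].append(p.relative_to(root).as_posix())
    return buckets

def demo() -> dict:
    """Build a constructed sample tree (not real case data) and triage it."""
    root = Path(tempfile.mkdtemp())
    (root / "invoice.pdf.RYK").write_bytes(b"\x00" * 64 + HERMES_MARKER)
    (root / "recovered_0001").write_bytes(b"\x13" * (CHUNK - 3) + HERMES_MARKER)  # marker straddles a chunk boundary
    (root / "notes.txt").write_bytes(b"plain text backup notes")
    return triage(root)
```

Running `demo()` buckets the named encrypted file by extension, the anonymous carved file by its content marker, and leaves the untouched notes file as clean.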