
NetApp and Kroll Ontrack vs. CryptoLocker Ransomware

Kroll Ontrack and NetApp recently battled the CryptoLocker ransomware virus.

The Damage

The battle began with a single laptop at a large pharmaceutical company infected with CryptoLocker ransomware, malware that encrypts files and holds the key until the user pays the ransom amount. Once the laptop was on the company’s network, it had access to a CIFS volume set up as a file share on a NetApp FAS. The virus was able to infiltrate the file share and encrypt the majority of the files. This infection impacted the user’s entire department, bringing their day-to-day operations to a grinding halt.

The customer’s IT team was not notified of the CryptoLocker infection until after the backup retention period had expired.

The total damage count:

46 drives

1 aggregate (which needed to be taken offline, affecting 17 volumes)

1 infected volume on a RAID-DP group

Enter Kroll Ontrack

The customer brought everything into the Kroll Ontrack lab in New Jersey for evaluation. Our engineers suited up and started work on a solution. They rebuilt the RAID groups written across 10 different shelves, the aggregate and the critical volume. Additional damage was found on the aggregate when we discovered that it had been used for two weeks after the infection and data had been overwritten.

NetApp’s Secret Weapon

Due to the way NetApp’s proprietary file system WAFL is set up, Kroll Ontrack engineers were able to ‘walk back in time’ and recover the data. Data recovery on NetApp systems occurs at the aggregate layer. Because WAFL creates checkpoints every 10 seconds, our engineers were able to identify multiple checkpoints and merge the data to give the customer access to unencrypted copies of their original data.

Victory

Kroll Ontrack’s data recovery expertise combined with NetApp’s technology and data writing methods enabled us to declare victory over the CryptoLocker ransomware. We were able to find a way to recover unencrypted copies of the data that had been encrypted (and was being held for ransom) and return it to the customer.

Live Recap

Kroll Ontrack engineering teamed up with NetApp to discuss this case along with NetApp’s data protection capabilities and Kroll Ontrack’s enterprise storage recovery offerings. Click here to watch our webinar and hear the engineer’s perspective on the CryptoLocker ransomware case.
