
I am very pleased to announce that Bitdefender has released a free decryption tool for the REvil/Sodinokibi ransomware. It is available for download at https://www.bitdefender.com/blog/labs/bitdefender-offers-free-universal-decryptor-for-revil-sodinokibi-ransomware/. Bitdefender notes that the decryptor works for systems encrypted before 13 July 2021, so check the date of the attack before you start.

I have successfully applied the tool on a client's encrypted hard drive with 100% data recovery success, albeit some 9 months after the initial attack. The attack was made possible by a successful compromise of the user's password via Remote Desktop. If you need to access your computer remotely I would definitely recommend altering the default port of 3389 to some more obscure port and hardening the password.
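The Remote Desktop hardening described above, written out as a PowerShell script. This is an added example, not a script from the original post: it moves the listener off 3389, and also turns on Network Level Authentication, restricts the firewall rule to an expected source range and sets an account lockout threshold, because the attack path here was a guessed password rather than the port number. The new port (33890) and the allowed source range (203.0.113.0/24) are hypothetical values to be changed for your own site. Run it from an elevated prompt at the console, not over the RDP session you are about to reconfigure.

```powershell
# Added example (not from the original post): harden a Windows PC that must stay
# reachable over Remote Desktop. Run from an elevated PowerShell prompt.
# Assumptions (hypothetical values, change for your site): new listener port 33890,
# and 203.0.113.0/24 is the only address range that should ever reach RDP.
$NewPort       = 33890
$AllowedSource = '203.0.113.0/24'
$RdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Move the listener off 3389. The value is a REG_DWORD named PortNumber.
Set-ItemProperty -Path $RdpTcp -Name PortNumber -Value $NewPort -Type DWord

# 2. Require Network Level Authentication, so a client must authenticate before
#    a session (and the logon screen) is even created.
Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1 -Type DWord

# 3. Open the new port only from the expected source range, then disable the
#    built-in rules that still allow 3389 from anywhere.
New-NetFirewallRule -DisplayName "RDP custom port $NewPort" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -RemoteAddress $AllowedSource -Action Allow | Out-Null
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 4. Make password guessing expensive: lock the account after 5 failures for
#    30 minutes, and require at least 14 characters.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 /minpwlen:14

# 5. Apply the listener change (this drops any active RDP session).
Restart-Service TermService -Force

# 6. Verify the settings.
Get-ItemProperty -Path $RdpTcp | Select-Object PortNumber, UserAuthentication

# 7. Look for the evidence that precedes this kind of attack: Security event 4625
#    is a failed logon. In the 4625 event template, property 10 is the logon type
#    (10 = RemoteInteractive, 3 = Network, which NLA failures are logged as) and
#    property 19 is the source IP address.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[10].Value -in 3, 10 } |
    Group-Object { $_.Properties[19].Value } |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```

Step 7 is the check worth running on any machine that has had RDP exposed: a handful of source addresses with hundreds of 4625 events each is a password-guessing campaign, and it is visible long before the encryption starts. Changing the port alone does not hide the service from an internet-wide scanner, which is why the lockout threshold and the source restriction are in the same script.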

The attack not only encrypted the client's local hard drives but also their backup drives. The client at the time noticed some odd behaviour and I advised switching the PC off when not in use, which did not occur. Since that time we have implemented as many data recovery mitigation techniques as possible, including swapping over backup drives at a weekly interval, which is made possible using StorageCraft's ShadowProtect software.

We had some luck in that we had only recently, 5 months earlier, swapped out the main drive as it had a growing number of bad sectors, so we could successfully image and recover all data from the failing drive with 100% data recovery success.

As we still had the drive (PS: never throw out old hard drives), we could compare the difference between their current drive and the encrypted drive. In fact, the methodology to recover the deleted files is quite involved and is probably the subject of another blog post.

As far as restoring the client's data and merging it with their existing setup, you cannot use dates, as the date created and date modified both change at the time of encryption as well as decryption. I will need to do a direct file and directory comparison between the two drives.
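The direct file and directory comparison described above, as an added PowerShell example (not a script from the original post). It inventories both trees by SHA-256 hash and ignores timestamps entirely, classifies every path as identical, modified, missing from the decrypted drive or only present there, and then offers a dry-run copy of the missing files. The paths are assumptions: the image of the old drive is taken to be mounted at E:\ and the decrypted data to live under D:\Restored.

```powershell
# Added example (not from the original post): compare a decrypted drive against an
# older image of the same drive by content, not by timestamp, then list what still
# needs to be merged. Assumptions (hypothetical paths): the image of the old drive
# is mounted at E:\ and the client's decrypted data lives under D:\Restored.

function Get-FileInventory {
    # Walk one tree and return a hashtable: relative path -> SHA-256 + size.
    param([Parameter(Mandatory)][string]$Root)
    $base   = (Resolve-Path -LiteralPath $Root).Path      # keeps the trailing \ on 'E:\'
    $prefix = $base.TrimEnd('\').Length
    $inventory = @{}
    Get-ChildItem -LiteralPath $base -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $relative = $_.FullName.Substring($prefix).TrimStart('\')
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $inventory[$relative] = [pscustomobject]@{ Hash = $hash; Length = $_.Length }
        }
    return $inventory
}

function Compare-DriveContent {
    # Classify every path seen on either side. Created/Modified times are ignored
    # entirely: encryption and decryption both rewrote them.
    param(
        [Parameter(Mandatory)][string]$Reference,   # older image, known good
        [Parameter(Mandatory)][string]$Current      # decrypted drive
    )
    $ref = Get-FileInventory -Root $Reference
    $cur = Get-FileInventory -Root $Current
    $all = @($ref.Keys) + @($cur.Keys) | Sort-Object -Unique
    foreach ($path in $all) {
        $status = if (-not $cur.ContainsKey($path))                { 'MissingFromCurrent' }
                  elseif (-not $ref.ContainsKey($path))            { 'OnlyInCurrent' }
                  elseif ($ref[$path].Hash -ne $cur[$path].Hash)   { 'Modified' }
                  else                                             { 'Identical' }
        [pscustomobject]@{ Path = $path; Status = $status }
    }
}

function Restore-MissingFiles {
    # Copy files that exist only in the reference image into the current tree.
    # Dry run by default; pass -Commit to actually write.
    param(
        [Parameter(Mandatory)]$Diff,
        [Parameter(Mandatory)][string]$Reference,
        [Parameter(Mandatory)][string]$Current,
        [switch]$Commit
    )
    foreach ($item in ($Diff | Where-Object Status -eq 'MissingFromCurrent')) {
        $src = Join-Path $Reference $item.Path
        $dst = Join-Path $Current   $item.Path
        if ($Commit) {
            New-Item -ItemType Directory -Path (Split-Path -Parent $dst) -Force | Out-Null
            Copy-Item -LiteralPath $src -Destination $dst
        } else {
            "would copy $src -> $dst"
        }
    }
}

$diff = Compare-DriveContent -Reference 'E:\' -Current 'D:\Restored'
$diff | Group-Object Status | Select-Object Name, Count
# Keep the full report: the Modified list needs a human decision per file, since a
# document edited in the five months after the image was taken is not corruption.
$diff | Export-Csv -Path 'D:\drive-compare.csv' -NoTypeInformation
Restore-MissingFiles -Diff $diff -Reference 'E:\' -Current 'D:\Restored'   # dry run
```

Run it against the mounted image, never against the only copy of the failing drive. Files in the Modified class are the ones that can go either way, so copy the reference version alongside the current one with a suffix rather than overwriting, and let the owner decide. Anything reported as OnlyInCurrent that carries an unfamiliar extension is worth a second look: a file the decryptor could not handle will still be sitting there with the ransomware's extension.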

Why is this Tool Important for Data Recovery?

On 2 July 2021, at the start of the US Independence Day weekend, REvil affiliates exploited a zero-day vulnerability in Kaseya's VSA remote monitoring and management product, which is used by approximately 35,000 customers, many of them MSPs (managed service providers) administering outsourced IT for small and medium businesses. The flaw had been reported to Kaseya by the Dutch Institute for Vulnerability Disclosure and a patch was in progress, but the attackers struck before it shipped.

The affiliates compromised internet-facing on-premises VSA servers and used them to push a fake "VSA Agent Hot-fix" to the endpoints those servers managed, which in turn ran the REvil encryptor. Early reports counted eight affected MSPs; Kaseya later put the figure at fewer than 60 direct customers and fewer than 1,500 downstream businesses, mostly SMEs.

The attack had a devastating effect on companies all over the world. Swedish supermarket chain Coop, whose checkout software was maintained by a Kaseya customer, had to shut approximately half of its 800 stores because its checkouts stopped working.

Schools and kindergartens in New Zealand were also affected, as were some public administration offices in Romania. 

The map below shows where cyber-security firm Kaspersky observed infected computer systems.


While the REvil group's website has disappeared from the dark web, the prevalence of remote attacks has increased with the COVID-19 pandemic, and I am increasingly attempting to recover data from encrypted drives. This type of threat is not going to disappear, and the adage that prevention is better than the cure is definitely true. Data recovery on encrypted drives can be painstaking.