I am very pleased to announce that Bitdefender has released a free universal decryption tool for the REvil/Sodinokibi ransomware. It is available for download at https://www.bitdefender.com/blog/labs/bitdefender-offers-free-universal-decryptor-for-revil-sodinokibi-ransomware/. Bitdefender's page states the attack dates the decryptor covers (attacks before mid-July 2021 at the time of release), so check that before starting a recovery.
I have successfully applied the tool to a client's encrypted hard drive with 100% data recovery, albeit some nine months after the initial attack. Run it against a sector-level image of the encrypted drive rather than the original, so a failed attempt can be retried. The attack was made possible by compromising the user's password over Remote Desktop. If you need to access a computer remotely I would recommend hardening the password and, better still, not exposing RDP directly to the internet: put it behind a VPN, require multi-factor authentication and enable account lockout. Changing the default port 3389 to a more obscure one cuts down automated noise, but it will not stop an attacker who port-scans the host, so treat it as a small extra rather than a defence on its own.
The attack encrypted not only the client's local hard drives but also their backup drives, which were attached at the time and therefore reachable by the malware. The client had noticed some odd behaviour beforehand and I advised switching the PC off when not in use, which did not happen. Since then we have implemented as many recovery safeguards as possible, including rotating backup drives at a weekly interval so that one copy is always offline, which StorageCraft's ShadowProtect software makes straightforward.
We had some luck in that the main drive had been swapped out only five months earlier because of a growing number of bad sectors, so we could still image the failing drive and recover all of its data.
As we still had that drive (PS: never throw out old hard drives), we could compare their current drive against the encrypted one. The methodology for recovering the deleted files is quite involved and will probably be the subject of another post.
When it comes to restoring the client's data and merging it with their existing setup, you cannot rely on file dates: the created and modified timestamps change at the time of encryption and again at decryption. A direct file-by-file and directory comparison between the two drives is needed, matching files by path and content rather than by timestamp.
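The comparison described above, as an added example that is not part of the original post or of any Bitdefender or StorageCraft tooling: it walks two mounted directory trees (the decrypted drive and the client's current drive), hashes every file, and classifies each relative path as identical, differing, or present on only one side. It also shows the naive date-based rule flagging a byte-identical file as "newer" purely because decryption rewrote its timestamp. The sample trees, file names and contents are constructed for the demo, not client data; the hypothetical `recovered` and `current` directories stand in for the two mounted drives.

```python
"""Merge-safe comparison of a decrypted (recovered) drive against the
client's current drive by file content, ignoring timestamps.
Added example; the sample trees are constructed, not real client data."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large documents do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each file's path relative to root -> SHA-256 of its bytes."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def compare_trees(recovered: Path, current: Path) -> dict:
    """Classify every relative path by content so timestamps play no part."""
    a, b = hash_tree(recovered), hash_tree(current)
    both = a.keys() & b.keys()
    return {
        "only_in_recovered": sorted(a.keys() - b.keys()),  # deleted since / never restored
        "only_in_current": sorted(b.keys() - a.keys()),    # created after the attack
        "identical": sorted(k for k in both if a[k] == b[k]),  # safe to skip
        "differ": sorted(k for k in both if a[k] != b[k]),     # needs a human decision
    }


def newer_by_mtime(recovered: Path, current: Path) -> list:
    """The naive date rule: recovered files whose mtime is newer than the
    current copy. After decryption this is noise, as the demo shows."""
    hits = []
    for p in recovered.rglob("*"):
        if not p.is_file():
            continue
        q = current / p.relative_to(recovered)
        if q.is_file() and p.stat().st_mtime > q.stat().st_mtime:
            hits.append(p.relative_to(recovered).as_posix())
    return sorted(hits)


def build_demo() -> tuple:
    """Constructed sample trees (hypothetical paths, not client data)."""
    base = Path(tempfile.mkdtemp(prefix="revil-merge-"))
    rec, cur = base / "recovered", base / "current"
    for d in (rec / "docs", cur / "docs"):
        d.mkdir(parents=True)
    # Same content on both sides, but decryption rewrote the recovered copy's
    # timestamp to a later date than the untouched current copy.
    (rec / "docs" / "invoice.docx").write_bytes(b"invoice v1")
    (cur / "docs" / "invoice.docx").write_bytes(b"invoice v1")
    os.utime(rec / "docs" / "invoice.docx", (2_000_000_000, 2_000_000_000))
    os.utime(cur / "docs" / "invoice.docx", (1_600_000_000, 1_600_000_000))
    # Edited on the current drive after the attack: genuinely differs.
    (rec / "docs" / "quote.xlsx").write_bytes(b"quote v1")
    (cur / "docs" / "quote.xlsx").write_bytes(b"quote v2")
    # Present on only one side each.
    (rec / "docs" / "old-notes.txt").write_bytes(b"pre-attack notes")
    (cur / "docs" / "new-notes.txt").write_bytes(b"post-attack notes")
    return rec, cur


if __name__ == "__main__":
    rec, cur = build_demo()
    print("date rule would flag:", newer_by_mtime(rec, cur))  # invoice.docx, wrongly
    for label, paths in compare_trees(rec, cur).items():
        print(f"{label}: {paths}")
```

Point the two path arguments at the mount points of the imaged, decrypted drive and the live drive; the "differ" list is the only set that needs the client's judgement, while "identical" can be skipped and "only_in_recovered" restored outright. Hashing by content rather than size or date also catches a file whose decryption silently produced wrong bytes of the same length.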
Why is this Tool Important for Data Recovery
In July 2021 REvil hacked eight managed service providers (MSPs) who used a remote management tool called Kaseya VSA to administer outsourced IT services. The vulnerability used to attack the Kaseya servers was about to be patched, but the REvil ransomware gang launched its attack just before the patch was applied.
The attack occurred at the start of America's 4 July weekend, with REvil affiliates exploiting the vulnerability in the Kaseya VSA remote management service, which is used by approximately 35,000 customers. The affiliates then used their control of the compromised VSA servers to push a malicious update to the endpoints those servers managed, belonging mostly to SMEs.
The attack had a devastating effect on companies all over the world. Swedish supermarket chain Coop had to shut approximately half of its 800 stores because its checkouts stopped working.
Schools and kindergartens in New Zealand were also affected, as were some public administration offices in Romania.
The map below shows where cyber-security firm Kaspersky saw infected computer systems.
While the REvil group's website has disappeared from the dark web, the prevalence of remote attacks has increased with the Covid-19 pandemic and I am increasingly being asked to recover data from encrypted drives. This type of threat is not going to disappear, and the adage that prevention is better than cure is definitely true. Data recovery on encrypted drives can be painstaking.