Business Case

Initial assessment

A large construction company in Latinamerica suffered a ransomware attack. Their whole operation was stopped. The Company had severe affections in the accounting and finance department, the design and construction programing system, HR and ERP systems.  Our engineers and technicians accessed the servers previously authorized by the client in order to investigate and verify in detail the structure, type, damage, encryption and family of the Ransomware.

As part of our diagnostics service and in order to advance in the forensic analysis, we were able to examine the result of the encryption in order to offer a guaranteed recovery solution to the client.

Results of the diagnostics process

With the data analyzed through our forensic analysis tools, our engineers were able to determine:

  • Type of intrusion: RDP – Remote Desktop Protocol (most likely originating from Russia).
  • Characteristics of damage: the malware installed presented some kind of conflict with the antivirus, its security systems or even, the same nature of the LOCKBIT 2.0 variant, limiting the encryption attributes and characteristics being implemented during the attack.  The client thus was faced with more than 8 continuous ciphers, combined 2048-bit RSA and AES 512-bit encryption codes, but also damage to the structure of the headers of the files.
  • Type of Ransomware: LOCKBIT 2.0
  • Level of damage: high

The level of damage is different from the characteristics of the damage. The level of damage refers to the extent of damage and processes therefore required to recover the data. In some cases, recover and/or repair processes are needed which was the case for this client.  After running different processes, our team was able to confirm to the client that it was possible to recover the data from this variant.

Decryption process details

In this case, our engineers ran a reverse engineering process that consisted of executing the encryption codes extracted in the forensic and data recovery diagnostics phase, all at the same time and in different vectors or angles of attack using 16 forensic servers of the maximum configuration located in different regions (Verona-Italy, Zagreb-Croatia, Panama, Alicante and Castellón de la Plana in Spain, Santiago de Chile , Mexico) among others. With this we saught to inject randomly the encryption codes by brute force in order to find the exact order of encryption and reverse this process.

We did so successfully for this client, and found the following encryptions:

AES (Advanced Encryption Standard) 128, 256 and 512 bits
RSA (Rivest, Adi Shamir, and Leonard Adleman) of 1024 and 2048 bits DSA (Digital Signature Algorithm) of 2048 bits
256-bit ECC (Elliptic Curve Cryptography)
ECDH (Elliptic curve Diffie – Hellman)
CBC (Cipher-Block Chaining)
XOR (encryption based on the binary XOR operator)
RC4 (Rivest Cipher 4)
SHA-2 (Secure Hash Algorithm – (NSA)) 224, 256, 384 and 512 bits DES (Data Encryption
SHA-2 (Secure Hash Algorithm – (NSA)) 224, 256, 384 and 512 bits DES (Data Encryption Standard)
TEA (Tiny Encryption Algorithm) 64-bit and 128-bit

Vector Number of files

10A8F402-1096: 23,860

78C77227-1096: 617

1CF55239-1096: 195

E6E88485-1096 120

D53E95FB-1096: 15

Total:  24.807

For the recovery process, we then carried out tasks such as digital forensic analysis, reverse engineering, forensic data reconstruction and Cryptography processes.

Recovery results

Our engineers were able to recover 100% of the data and maintain its integrity and confidentiality. The estimated time of recovery for this process was 4 business days, allowing the client to get back in business quickly and cost effectively. Our solution prevented the client from having to pay the ransom and expose the Company to reputational and possible additional extortion risks.

Additionally, we provided the client with a detailed report with recommendations to prevent future attacks or intrusions of any type. These recommendations are offered to our clients at no cost.

Conclusions

Large companies and corporate clients face a critical decision when faced with a ransomware attack.  If they decide to negotiate with cybercriminals, these companies will encounter:

  • Compliance and legal procedures with FBI and authorities
  • Increased exposure and cost result of a second attack or extortion
  • Transfering funds to illegal actors
  • Risk of reputational damage and data exfiltration on the dark web.

On the other hand, our Company offers:

  • 100% legal terms and conditions
  • 100% data recovery guarantee
  • Legal company with operations in Italy, Spain, USA, Mexico, among others.
  • Access to more than 25 forensic engineers and experts capable of offering personalized advice.
  • Savings of up to 60% in the recovery costs and time.

In today´s current economic and political circumstances, always consider a legal, expert advice.  Our company has helped +550 companies recover their data with 100% success rate.  Work with the best.