This malware encrypts the user’s files and withholds the decryption key until the victim pays the ransom. The laptop was connected to the corporate network, which allowed the malware to reach a CIFS volume that was set up as a file share on a NetApp FAS. The malware was able to traverse the file share and encrypt the majority of the files. The IT team was not notified of the infection until after the backup retention period had expired, meaning that the backup contained only encrypted data. The total impact resulted in inaccessible data on:
To perform the recovery, the aggregate needed to be taken offline, which affected 17 volumes in total.
The engineering team from Ontrack:
An additional challenge on this recovery was that the aggregate was in use for two weeks after the incident occurred which resulted in some data being overwritten.
Leveraging NetApp’s proprietary OS (ONTAP) and file system (WAFL), Ontrack engineers used multiple consistency points to “walk back” in time, locating unencrypted copies of the critical data and merging them to return to the customer. This type of ransomware recovery is only possible on storage like NetApp’s FAS because of the way the data is stored on the volume: WAFL writes changed blocks to new locations rather than overwriting them in place, so earlier consistency points can survive on disk until their blocks are reused.