Ontrack and NetApp Work Jointly and Successfully Against Cryptolocker

25 August 2015 by Michael Nuncic


What is Cryptolocker?

Cryptolocker is one of the most insidious malware families currently in circulation. It spreads mainly through emails that purport to come from trusted banks. Opening the document attached to such an email activates the malicious code and installs Cryptolocker, which then encrypts the files on internal and external storage media, USB drives and even network attached storage (NAS) devices reachable from the infected machine, so that the data can no longer be accessed. The victims of this extortion then have 72 hours to pay the ransom in Bitcoin. Those who refuse to pay lose their data, often forever.

No one is safe

That Cryptolocker does not only hit private users who visit dubious websites or handle their personal data carelessly was learned the hard way by an employee of a pharmaceutical company. Not only was his laptop fully encrypted; at the same time the malicious code encrypted virtually all network-accessible volumes of the company's NetApp FAS file server. The colleagues in the affected department were likewise cut off from their data, and the department's work came to a complete standstill. To make matters worse, the IT department learned of the Cryptolocker infection only after the next periodic backup had already run, so the freshest backup captured the encrypted files rather than the originals.

A total of 46 physical hard drives, one NetApp aggregate (consisting of 17 drives) and one RAID double-parity (RAID-DP) group held data encrypted by Cryptolocker. The company brought the affected system to Ontrack's data recovery lab in New Jersey for comprehensive analysis and subsequent data recovery.

First, the RAID groups, which were spread across 10 different disk shelves, the NetApp aggregate and the affected RAID-DP group were rebuilt. During this work, further damage to the NetApp aggregate came to light: the system had kept running for two weeks after the infection, and every day of continued writes had reused more of the free blocks that still held pre-infection data.

Thanks to the way NetApp's proprietary WAFL file system works, the data engineers were nevertheless able, almost literally, to "go back in time" and recover the data. WAFL never overwrites a block in place: changed data is written to free blocks, and roughly every ten seconds a so-called consistency point (checkpoint) commits the new on-disk state. Blocks belonging to superseded consistency points are not erased but merely marked free, so the pre-infection versions of files survive on disk until those blocks are reused. In a NetApp system, data recovery takes place at the aggregate level. The engineers identified several of these consistency points from before the infection and combined them to give the company access to unencrypted copies of the original files.
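To make the mechanism described in the last two paragraphs concrete, here is an added toy model, written for this article and not NetApp's WAFL implementation or Ontrack's recovery tooling: a copy-on-write block store that never overwrites a referenced block in place and publishes a new root at every consistency point. The 16-block disk, the file names and contents, the "one consistency point per three writes" rhythm standing in for the ten-second timer, and the keyed-hash "encryption" standing in for the malware are all constructed for the example. It shows why pre-infection versions remain recoverable from retired consistency points, and why a filer that keeps running after the infection destroys them as the allocator reuses freed blocks.

```python
import hashlib
from dataclasses import dataclass

BLOCK_COUNT = 16  # tiny constructed "disk" so block reuse happens within a few writes


@dataclass
class Root:
    files: dict  # name -> (block number, sha256 hex of the bytes committed there)


class CowStore:
    """Copy-on-write block store with WAFL-style consistency points (toy model)."""

    def __init__(self):
        self.blocks = [b""] * BLOCK_COUNT
        self.live = Root({})   # most recent consistency point
        self.history = []      # retired roots, oldest first
        self.pending = {}      # uncommitted writes: name -> block
        self.cursor = 0        # write-anywhere allocator position

    def _in_use(self, blk):
        # Only the live root and uncommitted writes pin a block. Blocks referenced
        # solely by retired roots count as free (no snapshot holds them): that is
        # the window recovery relies on, and the window continued writes close.
        return blk in self.pending.values() or any(
            b == blk for b, _ in self.live.files.values())

    def _alloc(self):
        # Walk forward from the cursor, wrapping around, to mimic write-anywhere
        # allocation: fresh blocks first, old ones only once the disk wraps.
        for i in range(BLOCK_COUNT):
            blk = (self.cursor + i) % BLOCK_COUNT
            if not self._in_use(blk):
                self.cursor = (blk + 1) % BLOCK_COUNT
                return blk
        raise RuntimeError("disk full")

    def write(self, name, data):
        blk = self._alloc()          # new location; the previous block stays intact
        self.blocks[blk] = data
        self.pending[name] = blk

    def consistency_point(self):
        # Publish pending writes as a new root and retire the old root into history.
        files = dict(self.live.files)
        for name, blk in self.pending.items():
            files[name] = (blk, hashlib.sha256(self.blocks[blk]).hexdigest())
        self.history.append(self.live)
        self.live = Root(files)
        self.pending = {}

    def read(self, name):
        return self.blocks[self.live.files[name][0]]

    def recover(self, name, is_clean):
        # Walk retired consistency points newest-first; return the newest version
        # whose block still holds the bytes that root committed (checksum intact)
        # and that the caller judges clean, i.e. not yet encrypted.
        for root in reversed(self.history):
            if name in root.files:
                blk, digest = root.files[name]
                data = self.blocks[blk]
                if hashlib.sha256(data).hexdigest() == digest and is_clean(data):
                    return data
        return None


def looks_like_plaintext(data):
    # Toy cleanliness check standing in for an engineer inspecting the file.
    return len(data) > 0 and all(32 <= b < 127 or b in b"\r\n\t" for b in data)


def simulate_ransomware(store):
    # Overwrite every file with random-looking bytes. A keyed hash stream stands in
    # for the real malware's encryption; what matters is that the new version
    # displaces the old one in the live root.
    for name in list(store.live.files):
        plain = store.read(name)
        stream = b""
        while len(stream) < len(plain):
            stream += hashlib.sha256(b"attacker-key|%s|%d" % (name.encode(), len(stream))).digest()
        store.write(name, bytes(p ^ k for p, k in zip(plain, stream)))
    store.consistency_point()


def run_scenario(churn_writes):
    """Clean state -> infection -> `churn_writes` further writes -> recovery attempt.

    Returns (originals, live contents after infection, recovered contents or None)."""
    store = CowStore()
    originals = {  # constructed sample files
        "report.docx": b"Q3 sales report: revenue up 12%",
        "formula.xlsx": b"batch,yield\nA17,0.91\nA18,0.88",
        "memo.txt": b"Reminder: audit on Friday",
    }
    for name, data in originals.items():
        store.write(name, data)
    store.consistency_point()                  # CP 1: the last clean state
    simulate_ransomware(store)                 # CP 2: every file encrypted
    encrypted = {n: store.read(n) for n in originals}
    # The filer keeps running: a scratch file is rewritten, with a consistency
    # point every third write standing in for the ten-second timer.
    for i in range(churn_writes):
        store.write("scratch.tmp", b"temp %d" % i)
        if i % 3 == 2:
            store.consistency_point()
    recovered = {n: store.recover(n, looks_like_plaintext) for n in originals}
    return originals, encrypted, recovered


if __name__ == "__main__":
    for churn in (0, 12, 30):
        _, _, rec = run_scenario(churn)
        print(churn, {n: v is not None for n, v in rec.items()})
```

With no further writes after the infection (`run_scenario(0)`) every file comes back from the pre-infection consistency point; after a dozen scratch writes the allocator has wrapped around and two of the three originals are gone; after thirty, none is recoverable. That is the "additional damage" the two weeks of continued operation caused in the case above, and it is the reason a filer hit by ransomware should be taken offline before anything else.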

By combining our data recovery expertise with the underlying NetApp technology and its write-anywhere method, it was thus possible to defeat Cryptolocker, defy the blackmailers and save important business-critical data from impending loss.