Tokyo, March 13, 2017 – Blueshift Data Protection (Blueshift K.K.), a data backup and recovery service pioneer headquartered in Tokyo, Japan, has successfully recovered valuable customer data held for ransom by cyber criminals. “Our Tokyo, Minato-ku customer was just one of the thousands of businesses that fall prey to clicking on a phishing email leading to a ransomware infection,” said Brent Reichow, Blueshift co-founder & CEO. “In many cases, the phishing email looks to have a legitimate attachment in the form of an invoice or notification.”
The Payload – ZEPTO Ransomware
After the user opened the malicious attachment, ZEPTO ransomware was installed on the host workstation. The ransomware then encrypted files on the host workstation, on mapped network drives (including a Dropbox folder) and on the company file server. It was discovered hours later, when employees could no longer access files on the file server. The inaccessible files on the host workstation and the file server had all been renamed with a .ZEPTO extension.
Files held ransom for bitcoin
The infected host workstation displayed a ransom note on the desktop demanding payment in bitcoin in exchange for the decryption key, which supposedly would restore access to the encrypted files. Faced with this situation, the customer had only two choices: pay the bitcoin ransom to the cyber criminals, or restore from backup. Even when a ransom is paid, a key can take hours or days to arrive, if it arrives at all. At this point, our customer contacted Blueshift.
Recovery and lessons learned
The customer was fortunate to have discovered the ransomware infection early: only about 20,000 files on the file server had been encrypted, although they were spread across the entire directory tree. “Our customer had been a long-time user of our on-site / off-site data protection service, so we had multiple versions of their backups both onsite and offsite. We were confident that we could restore their data and get them back to business as usual,” says Reichow.
Disable your daily backups
“As a rule, once you have discovered a ransomware infection you want to immediately disable your daily backup schedule so you don’t end up backing up your encrypted files over your good ones.” The same applies to any replication or synchronisation jobs that may be running, since they will propagate the encrypted copies in exactly the same way.
In a real-world ransomware recovery, deciding where to restore the files can be challenging. Our customer discovered that their file server did not have enough free space to restore the data, so they had to restore to an external hard disk instead. Files that were not encrypted are still usable and must not be overwritten by the restore, and encrypted files may need to be preserved as evidence for incident reporting. Cleaning up and reorganising the file server directory afterwards takes time.
Prioritize your data for restore
It is very easy to lose focus when dealing with a crisis. Our customer was receiving internal requests for access to files that had been encrypted. Decide which departments need their files back first, in order of business priority, and run the restores in that order.
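The triage behind the two steps above (working out how much space the restore needs, and which department to restore first) can be scripted. The following is an added example written for this page; it is not Blueshift's tooling or code from the incident. It assumes the share has one top-level folder per department, and every file name and size it creates is constructed sample data:

```python
import os
import tempfile
from collections import defaultdict
from dataclasses import dataclass

# Extension the ransomware appended to every file it encrypted.
RANSOM_EXT = ".zepto"


@dataclass
class DirStats:
    """Per top-level directory tallies used to plan the restore."""
    encrypted: int = 0        # files renamed with the ransomware extension
    encrypted_bytes: int = 0  # their on-disk size (approximates restore volume)
    intact: int = 0           # untouched files that must not be overwritten


def triage(root, ransom_ext=RANSOM_EXT):
    """Walk the share and tally encrypted vs intact files per top-level directory.

    The top-level directory stands in for the owning department; that is an
    assumption about how this particular share is laid out.
    """
    stats = defaultdict(DirStats)
    for dirpath, _subdirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        top = "." if rel == "." else rel.split(os.sep)[0]
        for name in files:
            entry = stats[top]
            if name.lower().endswith(ransom_ext):
                entry.encrypted += 1
                entry.encrypted_bytes += os.path.getsize(os.path.join(dirpath, name))
            else:
                entry.intact += 1
    return dict(stats)


def restore_order(stats):
    """Directories ordered by number of encrypted files, hardest hit first."""
    return sorted(stats, key=lambda d: stats[d].encrypted, reverse=True)


def restore_fits(stats, free_bytes):
    """Estimate whether the restore fits in the free space on the server.

    Encrypted copies are roughly the size of the originals, so their total is a
    reasonable lower bound for the space the restored files will need.
    Returns (fits, bytes_needed).
    """
    needed = sum(s.encrypted_bytes for s in stats.values())
    return needed <= free_bytes, needed


def build_sample_share():
    """Create a constructed sample share in a temp directory (not real data).

    The encrypted names are made-up ID-style names of the kind the renamed
    files carry; the original file names are not recoverable from them.
    """
    root = tempfile.mkdtemp(prefix="share_")
    layout = {
        "Finance": ["1E4F8C2A-9B3D-4A6E-1C7F-2D5E8B9A0C3F.zepto",
                    "7A2B9C4D-1E3F-4A5B-6C7D-8E9F0A1B2C3D.zepto",
                    "readme.txt"],
        "HR":      ["3C5D7E9F-2A4B-6C8D-0E1F-3A5B7C9D1E2F.zepto",
                    "roster.xlsx"],
        "Archive": ["2015-report.pdf"],
    }
    for top, names in layout.items():
        os.makedirs(os.path.join(root, top))
        for name in names:
            with open(os.path.join(root, top, name), "wb") as fh:
                fh.write(b"\0" * 1024)  # 1 KiB placeholder content per file
    return root


if __name__ == "__main__":
    share = build_sample_share()
    stats = triage(share)
    for top in restore_order(stats):
        s = stats[top]
        print(f"{top:10s} encrypted={s.encrypted:4d} ({s.encrypted_bytes} bytes) intact={s.intact}")
    fits, needed = restore_fits(stats, free_bytes=2 * 1024)
    print(f"need {needed} bytes; fits on server: {fits}")
```

Point `triage()` at the root of the affected share. The ordered list drives which department is restored first, and the byte total tells you whether the restore can go back onto the server or has to go to an external disk, as it did in this case. The script only reads the tree, so it can run while backup and replication jobs are paused and before anything on the share is touched.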
Using the Blueshift Data Protection service, the customer selected the data to restore and started the recovery process. All of the customer's data was successfully restored from the last backup taken before the infection, and the customer did not have to pay the bitcoin ransom to the cyber criminals.
Fortunately, for this customer, we were able to respond and restore within a short period of time.
For more information on ransomware response and best practices please contact us at firstname.lastname@example.org
Blueshift is a leading provider of data protection services, delivering secure on-site/off-site data backup, recovery and ransomware response services for clients ranging from small and medium-sized to large organizations. Clients rely on us as the last line of defense against ransomware and other zero-day cyber security threats. Delivered as a public or private cloud service, our offerings reduce client costs, decrease risk and improve service levels in the client’s own IT environment. For more information about Blueshift please visit www.dataprotection.jp