+43-1-2360101+49-40-54887560+31 252 621625
Data recovery: Suspected ransomware Trojan Ordinypt encrypts data
Wir übernehmen für Sie die professionelle Wiederherstellung von Daten und haben langjährige Erfahrung mit allen gängigen Systemen.
DIAGNOSIS REQUEST

Data recovery: Suspected ransomware Trojan Ordinypt encrypts data

The attempt to restore the WD My Cloud Mirror was carried out as part of our business service - the successful processing and solution took place within five working days.

13. December 2019

Initial situation: Open email application from "Eva Richter" triggers ransomware

Through a recommendation from the Technical Monitoring Association (TÜV), we received an inquiry from an advertising agency whose RAID system had been infected with the Ordinypt Trojan. The system was infected by opening a malicious attachment (a zip archive) that contained and executed the malware. The Microsoft Outlook e-mail program was used directly on the server so that the ransomware could nest directly on the server, spread and cause immense damage. There was also a NAS data backup, which was also attacked by Ordinypt. It was on a WD My Cloud Mirror network storage.

Diagnosis: rescue attempts and subsequent encryption of the server

In the panic of the cyber attack, the server was subsequently encrypted with GDATA and various data recovery software was installed and executed. A data recovery from the RAID 5 server therefore did not appear promising. It was primarily focused on the backup NAS. The RAID 1 mirroring contained many files with the file extension .Ity9A, which Ordinypt had assigned after encrypting the file. Other data had been partially overwritten by the crypto-Trojan. Accordingly, the optimism of the technicians was initially reserved that the customer would get the data back.  

Brief information on the case study:

  • Hostsystem: IBM X3650 19“ (RAID 5 + Hotspare) and Western Digital WDBWVZ0040JWT-20
  • File system:: ext4
  • Required data: exls, xls, docx, doc, indd, eps, pdf, rar, pptx, ppt, jpg, jpeg, mdb, png

Data recovery: recovery of anonymous deleted files

As part of data recovery, the entire NAS data backup was searched. A large number of deleted files could be found and reconstructed without a file name or structure. In consultation with the customer, the recovered data was classified and evaluated to determine how successful the attempt to restore it was. It turned out that by restoring the anonymous deleted data, almost the entire data loss could be compensated. Even the SQL database could be reconstructed and was functional. The customer had only lost a few days of work and was able to act again promptly after the data recovery by Attingo. 

Trivia:

The blackmailer Trojan Ordinypt is not ransomware in the strict sense: data is encrypted, deleted or overwritten and there is a ransom note; however, after paying the extorted amount, you do not receive a key to retrieve the data. There was a similar approach this year with GermanWiper. Ordinypt is one of the wipers - not ransomware in the strict sense. It is suspected that existing malware that was designed for maximum damage was rewritten and used for ransomware attacks. However, without the firm intention of ever guaranteeing access to the data again.  

Dipl. Ing. Nicolas Ehrschwendner
CEO
+43-1-2360101
+49-40-54887560
+31 252 621625
info@attingo.com WhatsApp Live-Chat Online request
24h-Service 98% rescue success
staatliche Auszeichnung Austria A iso 9001 siegel grau https://www.allianz-fuer-cybersicherheit.de

Attingo-Magazin

Exhibition and conference dates
Blog
Keywords
FAQ - Frequently asked Questions
Case Studies: Data Recovery