Data Recovery from Ransomware Attack

Ontrack’s investment in the development of specialized software allows us to recover data from ransomware-encrypted systems, virtual machines, backup files, tapes, and other storage media.

Ransomware incidents vary on the type of payload, and data recovery can be complex. Ontrack provides the best possible solutions for data recovery success.

Ontrack has invested in the continued development of proprietary software to recover data from ransomware-infected storage systems, virtual machines, backup files, tapes, and other storage media.Ransomware incidents vary on the type of payload, and data recovery can be complex. Ontrack provides the best possible solutions for data recovery success.

Ransomware is a type of malware that encrypts or otherwise locks users out of their files. When users try to access their data, they receive a notice demanding the payment of a ransom to regain its use. Around since the 1980s, the last decade has seen various ransomware trojans crop up, but the real opportunity for attackers has ramped up since the introduction of Bitcoin. This cryptocurrency allows attackers to collect money from their victims without going through traditional channels.

The word ransom comes from English and means ransom and is therefore also called extortion software. In many cases, experts also speak of encryption trojans, since the extortion is based on the fact that the data is inextricably coded and inaccessible to the user. Ransomware fights itself into the system and the user usually notices in shock and contagious panic that its system is no longer accessible.

Ransomware is malware that blocks the operating system or entire server or encrypts existing data. The perpetrators are squeezing their victims by making clear that the data has only been released and made available after a ransom payment.

Ransomware is a form of malware that either blocks access to a computer system or discloses data to a victim online. The attacker demands a ransom for the victim and promises - never to be truthful - to restore access to the payment data.

Since the 1980s, several ransom trojans have appeared in the last ten years, but since the introduction of Bitcoin, the real opportunity for attackers has increased. This cryptocurrency makes it possible for attackers to use cash from their sacrifice to cash in, without using traditional channels.

Those who stand behind ransomware attacks are usually very scammers with experience in computer programming. As a rule, ransomware infects your computer via an email attachment, a network, or an infected browser.

The extension hardly distinguishes itself from the other malicious programs: for example, manipulated websites, a link from a spam email or an existing message about a social network and embedding them in a system. In many cases, the perpetrators send emails that contain a suspected delivery note or collection debt. In truth, the attached file does not contain any relevant information, except the damage code.

Figures from Datto show that ransomware costs businesses on average, $75 billion a year; this includes the ransom itself, subsequent recovery efforts, organizational and IT initiatives to protect the organization from further attacks, as well as downtime, forensic investigation, training costs, restoration, and loss of revenue/productivity. More conservative estimates by Cybersecurity Ventures places ransomware damage at more than $11.5 billion in 2019, which is a startling rise from a modest $325 million four years ago. Whether the figure is $75 billion or $11.5 billion, the devastation is very real to those experiencing ransomware. In May of 2019, for example, the City of Baltimore was shut out of government systems for over a month. Vital systems for vaccine production, ATMs, airports, and hospitals were all impacted. Although the ransomware demand was $76,000, the recovery price tag amounted to nearly $20 million.

Spear-Phishing

The most common delivery system for ransomware is a phishing email that includes an attachment or a link. When the user opens the attachment or clicks the link, the ransomware runs a program that locks the system, and displays a demand for payment. When this happens, the only way to decrypt the data is through a mathematical key only known by the attacker.

There have also been cases where malware will display a message claiming that the user's 'Windows' is locked. The user is then encouraged to call a "Microsoft" phone number and enter a six-digit code to reactivate the system. The message alleges that the phone call is free, but this isn't true. While on the phone calling the fake 'Microsoft', the user racks up long-distance call charges.

Remote access points

McAfee researchers observed while cybercriminals are still using spear-phishing tactics, an increasing number of attacks are gaining access to a company that has open and exposed remote access points, such as RDP and virtual network computing (VNC). RDP credentials can be brute-forced, obtained from password leaks, or simply purchased in underground markets. Where past ransomware criminals would set up a command and control environment for the ransomware and decryption keys, most criminals now approach victims with ransom notes that include an anonymous email service address, allowing bad actors to remain better hidden