Harrowing Experience of a Midwestern City Hit by Ryuk Ransomware

This Midwestern city may not have heard about Ryuk ransomware, but in January 2020, they learned about the malware firsthand. In a recent blog post by Crowdstrike, Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware, they defined Ryuk ransomware. WIZARD SPIDER created it – a sophisticated Russian-based eCrime group. They’ve been targeting large organizations for high ransomware payments. But in January, Ryuk ransomware also struck this small city.

The Attack

Staff members may have clicked on a link in an email, causing the infection. No one knows for sure how they first got infected, or how long the malware was dormant while the criminals waited to strike. What the IT team discovered was that one of their Azure shares was compromised. A hacker was able to access one of the domain controllers and edited a host profile to include a script installing the ransomware across the network. With the new policy in place, upon login, a startup script automatically executed, which began to encrypt all the system files. This policy was automatically pushed out to all Windows machines, both physical and VMs.

Employees were locked out of their systems – unable to access any of their files. Users received a message instructing them to send an email to a particular email address to learn how they could recover their data. The entire city was shut down, and the Governor contemplated declaring a state of emergency.

IT, Datrium, and the FBI Join Forces

The IT team quickly sprang into action to work on recovery. They built a war room, called in Datrium Support, and contacted the FBI. The FBI instructed the team to shut down everything, including the Datrium DVX system, so nothing new could be infected. This recommendation was part of the cautious approach the team took, but it isn’t actually required when a customer is using Datrium DVX to recover.

The Datrium Support team quickly got involved. With built-in backup and immutable snapshots, they searched for a clean snapshot. The team looked at the change rate of data and were able to spot an anomaly in the unique snapshot size starting Monday afternoon. It looked something like the following image:


Ransomware Caused An Anomaly in Unique Snapshot Size

They were able to see unusually large amounts of data being created, which was caused by the Ryuk ransomware encrypting the data.

The Golden Image

The team decided to analyze the snapshots that were created on Sunday at midnight. They picked a random timestamp and powered up the system on a quarantined network. A security team verified that this snapshot did not contain the malware. The team could have continued to look at the snapshots to identify the last clear version, but they decided it was more important to begin the restoration process. This clean immutable snapshot that was taken at midnight on Sunday became the golden image.

Restoring the Environment

With Datrium DVX, the team could have done a mass update of all of their VMs to restore to this golden image, but the IT team decided to take a more cautious approach. Working with Datrium Support, they prioritized and began restoring individual VMs, each time running an antivirus scanner to confirm the ransomware had not infected them.

Within two days, they were able to restore any VM they wanted and quickly resume normal operations without paying the Ryuk ransomware criminals – thanks to the Datrium Support Team and the DVX built-in immutable snapshots.

Learn More

To learn more about how Datrium can help you recover from ransomware, visit www.datrium.com, and contact us for a demo.

See How We Do It

We can help your organization get modern DR in an easy-to-use SaaS solution that eliminates the cost and complexity of traditional DR solutions. We provide cloud-native, on-demand DR with instant RTO for all your VMware workloads. You can be confident that your data is secure in the cloud or on premises and protected against ransomware attacks.