The Company

The case study is based on a software development and managed SaaS company that provides legal software, consulting, and support services to over four hundred U.S. law firms.

The Problem

The client’s systems were encrypted with a variant of Conti ransomware. The ransomware spread across their infrastructure, encrypting their office systems as well as their client’s critical data.

Conti demanded a $4 Million dollar ransom payment to provide the decryption keys needed to restore the client data, which was spread across hundreds of physical and virtual machines.

The client’s internal response team was able to restore several critical virtual machines from backup, but the majority of systems remained encrypted.

Night Lion Security was engaged as the ransomware response vendor to negotiate the ransomware payment with the Conti.

Ransomware Response and Negotiation

As a first step, Night Lion validated the sample recovery keys to ensure successful decryption of the servers. Next, Night Lion’s team worked with the Conti representative, negotiating the ransom down by 90%, bringing the final payment to $400,000.

The Conti team also agreed to provide their method of entry and any specific vulnerability used to exploit the client’s systems.

Confirming Crypto Payment with OFAC

After agreeing to the payment and delivery terms, Night Lion performed the necessary legal and regulatory checks with the Office of Foreign Asset Control (OFAC) to ensure the ransom payment to Conti would not be prohibited.

A review of the wallet provided by Conti found no known affiliation to any OFAC sanctioned cryptocurrency wallets or entities. To further verify that the wallet was not associated with any known OFAC sanctioned wallets, the wallet address was also analyzed it using a third-party blockchain forensics tool, Ciphertrace. If the wallet was associated with any known sanctioned addresses it would be identified on Ciphertrace.

In addition, the ransomware note and format, filename structure, and messaging through Conti’s official online portal provided additional evidence that this group is not related to an OFAC sanctioned entity and/or country.

Facilitating Cryptocurrency for Ransom Payments

Night Lion Security facilitated the cryptocurrency needed to make the ransom payment. Once the payment was received, the decryption keys and requested exploitation information was promptly provided by the Conti representative.

The client was then able to successfully use the keys to decrypt their critical systems and worked to restore access to their clients as quickly as possible.