Ransomware : Your Crippling Information Technology Catastrophe
Crypto-ransomware has become an escalating cyber pandemic and represents an existential danger for any business that is not prepared for an attack. Older ransomware families such as CrySIS, Fusob, Locky and NotPetya, along with database extortion campaigns such as MongoLock, have been in the wild for years and continue to cause damage. Modern strains such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, Snatch and Egregor, along with newcomers that appear daily and have not yet been named, not only encrypt critical online data but also seek out and destroy any reachable restore points, shadow copies and backups. Data replicated to off-premises disaster recovery sites can be rendered useless as well. In a poorly architected environment this makes automatic restoration hopeless and effectively sets the datacenter back to square one.
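Because destroying on-host recovery data is such a consistent precursor to the encryption phase, the command lines involved are worth alerting on. The following is an added example, not Progent's tooling and not code from the original page: a small Python scanner that runs the well-known shadow-copy and backup-tampering patterns (vssadmin delete shadows, vssadmin resize shadowstorage, wmic shadowcopy delete, wbadmin delete catalog, bcdedit recoveryenabled no, and PowerShell deletion of Win32_Shadowcopy objects) over process-creation events. The one-line event format, host names, users and commands are constructed for the example; real Security 4688 events only carry the command line when "Include command line in process creation events" is enabled, while Sysmon event 1 carries it by default.

```python
"""Flag shadow-copy and backup tampering in Windows process-creation events.

Added example (not Progent's tooling). Ransomware such as Ryuk runs commands
like `vssadmin delete shadows /all /quiet` and `wbadmin delete catalog` before
encrypting so that local restore points cannot be used. This scans flattened
process-creation events (Security 4688 / Sysmon event 1 style) for them.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample events; hosts, users, times and commands are made up.
SAMPLE_EVENTS = r"""
2021-03-13T02:14:07Z host=WS-117 user=CORP\jdoe event=4688 parent=cmd.exe cmd="C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
2021-03-13T02:14:09Z host=WS-117 user=CORP\jdoe event=4688 parent=cmd.exe cmd=vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
2021-03-13T02:14:11Z host=WS-117 user=CORP\jdoe event=4688 parent=cmd.exe cmd=bcdedit /set {default} recoveryenabled No
2021-03-13T02:14:12Z host=SRV-FS01 user=CORP\svc_backup event=4688 parent=cmd.exe cmd=wbadmin delete catalog -quiet
2021-03-13T02:14:15Z host=SRV-FS01 user=CORP\svc_backup event=4688 parent=cmd.exe cmd=vssadmin list shadows
2021-03-13T02:30:00Z host=SRV-FS01 user=CORP\svc_backup event=4688 parent=services.exe cmd=wbadmin start backup -backupTarget:E: -include:C: -quiet
2021-03-13T02:31:44Z host=SRV-FS01 user=CORP\svc_backup event=4688 parent=cmd.exe cmd=powershell.exe -nop -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
2021-03-13T02:32:01Z host=WS-042 user=CORP\mlee event=4688 parent=cmd.exe cmd=wmic.exe shadowcopy delete /nointeractive
garbage line that does not parse
""".strip().splitlines()

# Assumed one-line event layout: "<ts> host=<h> user=<u> event=<id> parent=<p> cmd=<rest of line>"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\d+) "
    r"parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$"
)

# (rule name, regex over the normalized command line). Listing/backup-creation
# commands such as "vssadmin list shadows" are deliberately not matched.
TAMPER_PATTERNS = [
    ("vss_delete", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b")),
    ("vss_resize", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b")),
    ("wmic_shadow", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("wbadmin_catalog", re.compile(
        r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup|backup)\b")),
    ("bcdedit_recovery", re.compile(
        r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no\b|bootstatuspolicy\s+ignoreallfailures\b)")),
    ("powershell_vss", re.compile(
        r"\bwin32_shadowcopy\b.*\b(?:delete|remove-wmiobject|remove-ciminstance)\b")),
]


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    parent: str
    rule: str
    cmd: str  # original (un-normalized) command line for the analyst


def normalize(cmd: str) -> str:
    """Lower-case, drop quoting and collapse whitespace so patterns stay simple."""
    return " ".join(cmd.replace('"', " ").replace("'", " ").lower().split())


def scan_events(lines):
    """Return one Finding per (event, matching rule); unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # do not let a malformed record abort the whole scan
        cmd = normalize(m["cmd"])
        for rule, pattern in TAMPER_PATTERNS:
            if pattern.search(cmd):
                findings.append(Finding(m["ts"], m["host"], m["user"], m["parent"], rule, m["cmd"]))
    return findings


def tampering_counts_by_host(findings):
    """Several hits on one host within seconds is the strong signal, not any single hit."""
    return dict(Counter(f.host for f in findings))


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.ts} {f.host} {f.user} [{f.rule}] {f.cmd}")
    print(tampering_counts_by_host(hits))
```

On the sample above the scanner flags six events across three hosts and ignores the benign listing and backup-creation commands. In production, tune the patterns against the command lines your legitimate backup agents actually emit, and treat a burst of several rules firing on one host as the trigger for isolating that host rather than waiting on a single match.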
Restoring applications and data after a ransomware intrusion becomes a race against time as the targeted organization tries to contain the damage, clean up the ransomware, and restore mission-critical operations. Because the attackers need time to move laterally across the network before triggering encryption, attacks are usually launched on weekends, when an intrusion takes longer to discover and the encryption can run unchecked. This makes it even harder to quickly assemble and coordinate an experienced mitigation team.
Progent provides a variety of services for protecting Adelaide organizations from crypto-ransomware events. These include staff training to help users recognize and avoid phishing attacks, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which uses SentinelOne's behavior-based threat defense to detect and contain zero-day malware. Progent also provides the services of seasoned ransomware recovery professionals with the track record and perseverance to restore a breached system as quickly as possible.
Progent's Crypto-Ransomware Restoration Support Services
After a ransomware attack, even paying the ransom in cryptocurrency does not guarantee that the attackers will provide working keys to decrypt your files. Kaspersky determined that 17% of ransomware victims never recovered their data after paying the ransom, compounding their losses. The ransom itself is also very costly: Ryuk ransoms are typically several hundred thousand dollars, and for larger organizations they can reach millions. The other path is to rebuild the critical components of your IT environment. Without usable backups, this calls for a broad range of IT skills, well-coordinated project management, and the willingness to work around the clock until the job is done.
For two decades, Progent has provided expert IT services for businesses throughout the United States and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers with advanced certifications in leading technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cyber security experts hold internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of experience gives Progent the skills to rapidly identify critical systems, salvage the surviving pieces of your network environment after a crypto-ransomware penetration, and reassemble them into a functioning system.
Progent's security group uses top-notch project management tools to coordinate the complicated restoration process. Progent understands the urgency of acting quickly and in concert with a customer's management and IT staff to prioritize tasks and get essential applications back online as soon as humanly possible.
Client Story: A Successful Crypto-Ransomware Intrusion Response
A business escalated to Progent after its network was taken over by Ryuk ransomware. Ryuk was initially linked by some analysts to North Korean state actors because it shares code with the earlier Hermes ransomware, but later research attributed it to a Russian-speaking criminal group (tracked as Wizard Spider, also known as Grim Spider); unlike WannaCry and NotPetya, it does not rely on leaked NSA exploits, arriving instead through phishing and commodity loaders. Ryuk targets specific organizations with limited ability to tolerate disruption and is among the most lucrative ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and Tribune Publishing, publisher of the Chicago Tribune. Progent's client is a manufacturing company in the Chicago metro area with around 500 employees. The Ryuk intrusion had halted all company operations and manufacturing. Most of the client's backups had been online when the intrusion began and were encrypted along with everything else. The client was arranging financing to pay the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.
Progent worked hand in hand with the customer to quickly identify and prioritize the essential applications that had to be restored so that departmental functions could resume.
Within 48 hours, Progent had rebuilt Active Directory to its pre-attack state. Progent then helped set up and recover storage for the required servers. All Exchange data and configuration were intact, which accelerated the Exchange rebuild. Progent collected the local OST files (Outlook Offline Data Files, the cached mailbox copies on staff PCs) in order to recover email. A recent offline backup of the client's accounting/ERP systems made it possible to return those essential applications to service. Although major work remained before the recovery from Ryuk was complete, essential services were restored rapidly.
Over the following month, the key milestones in the recovery were completed through close cooperation between Progent engineers and the customer.
Conclusion
A potential business catastrophe was averted by results-oriented professionals, a broad range of expertise, and tight collaboration. Although post-incident analysis showed that the ransomware penetration described here could have been blocked with modern security technology, NIST Cybersecurity Framework best practices, user education, well-designed incident response procedures, isolated backups, and proper patching controls, the reality remains that state-sponsored actors from China, North Korea and elsewhere, as well as financially motivated criminal groups such as the one behind Ryuk, are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware attack, remember that Progent's roster of experts has proven experience in ransomware defense, removal, and file restoration.
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Consulting Services in Adelaide
For ransomware cleanup expertise in the Adelaide area, call Progent at