Crypto-Ransomware: Your Crippling Information Technology Catastrophe
Ransomware has become an all-too-frequent cyber pandemic that presents an extinction-level threat for businesses of all sizes that are poorly prepared for an assault. Multiple generations of ransomware, such as the CrySIS, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms, have been replicating for many years and continue to inflict damage. More recent strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Nefilim, plus frequent unnamed variants, not only encrypt online files but also infiltrate any configured system restore points and backups. Files synced to cloud environments can also be corrupted. In a poorly designed environment, this can make restoration hopeless and effectively sets the entire system back to square one.
Restoring services and data after a crypto-ransomware intrusion becomes a race against time as the targeted organization tries its best to contain and eradicate the ransomware and resume enterprise-critical operations. Because ransomware requires time to move laterally across a targeted network, attacks are often launched on weekends and holidays, when successful penetrations are likely to take more time to detect. This multiplies the difficulty of promptly mobilizing and coordinating an experienced response team.
Progent provides a variety of services for securing Albany businesses against ransomware penetrations. These include user training to help staff recognize and not fall victim to phishing attempts, and ProSight Active Security Monitoring (ASM) for endpoint detection and response, which uses SentinelOne's AI-based threat protection to detect and quarantine zero-day malware attacks. Progent also offers the assistance of experienced ransomware recovery engineers with the track record and commitment to rebuild a breached network as rapidly as possible.
Progent's Ransomware Restoration Help
After a ransomware event, even paying the ransom in cryptocurrency does not ensure that criminal gangs will provide the keys to decrypt all your files. Kaspersky found that 17% of ransomware victims never restored their data even after sending off the ransom, resulting in further losses. The risk is also costly: Ryuk ransoms are typically a few hundred thousand dollars, and for larger enterprises the ransom can be in the millions. The other path is to piece back together the critical parts of your Information Technology environment. Without complete system backups available, this requires a broad range of skill sets, top-notch team management, and the ability to work continuously until the task is complete.
For two decades, Progent has provided professional IT services for businesses across the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have earned top industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, SANS GIAC, and CMMC 2.0. (See Progent's certifications.) Progent also has experience in financial management and ERP applications. This breadth of expertise gives Progent the skills to quickly determine which systems are necessary, re-organize the remaining components of your IT environment after a crypto-ransomware attack, and assemble them into an operational system.
Progent's ransomware group deploys state-of-the-art project management applications to orchestrate the complicated recovery process. Progent knows the urgency of working swiftly and in concert with a customer's management and Information Technology staff to prioritize tasks and get critical services back online as soon as possible.
Customer Case Study: A Successful Crypto-Ransomware Attack Restoration
A small business contacted Progent after their company was brought down by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean government-sponsored criminal gangs, possibly using techniques leaked from the United States National Security Agency. Ryuk targets specific companies with little tolerance for operational disruption and is one of the most profitable versions of ransomware malware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer located in Chicago with around 500 employees. The Ryuk penetration had disabled all business operations and manufacturing capabilities. Most of the client's data backups had been online at the time of the intrusion and were eventually encrypted. The client was taking steps to pay the ransom demand (exceeding $200K) and praying for good luck, but ultimately reached out to Progent.
Progent worked hand in hand with the client to quickly identify and prioritize the mission-critical services that had to be addressed to make it possible to resume departmental functions:
In less than 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then performed rebuilding and storage recovery on the needed systems. All Microsoft Exchange Server schema and attributes were intact, which facilitated the restore of Exchange. Progent was also able to collect local OST data files (Outlook Offline Data Files) from team PCs in order to recover mail messages. A fairly recent offline backup of the client's financials/ERP systems made it possible to restore these vital applications and make them available to users again. Although significant work remained to recover completely from the Ryuk attack, critical systems were restored quickly:
Throughout the next couple of weeks, important milestones in the recovery project were accomplished through tight collaboration between Progent team members and the client:
Conclusion
A possible company-ending disaster was dodged by dedicated experts, a broad range of IT skills, and tight collaboration. In analyzing the event afterwards, the ransomware incident described here should have been identified and disabled with advanced cyber security technology, ISO/IEC 27001 best practices, user education, and well-designed security procedures for information backup and proper patching controls. The fact remains, however, that government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do get hit by a ransomware virus, feel confident that Progent's team of experts has proven experience in ransomware blocking, remediation, and data recovery.
Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Expertise in Albany
For ransomware system restoration consulting services in the Albany metro area, phone Progent at