Crypto-Ransomware : Your Feared Information Technology Disaster
Ransomware has become a modern cyber pandemic that poses an existential danger to businesses of all sizes that are unprepared for an attack. Ransomware families such as the Dharma, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been in the wild for years and continue to cause damage. Modern strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, along with other malware not yet named, not only encrypt online data but also corrupt most reachable system restore points and backups. Files synchronized to off-premises disaster recovery sites can be rendered useless as well. In a poorly designed environment this makes automated restoration hopeless and effectively sets the network back to zero.
Restoring applications and data after a crypto-ransomware intrusion becomes a race against the clock as the victim tries to stop lateral movement, eradicate the malware, and restore business-critical activity. Because ransomware needs time to spread across a network, attacks are usually launched on weekends and at night, when intrusions tend to take longer to discover. This multiplies the difficulty of quickly mobilizing and organizing a capable mitigation team.
Progent offers a range of services for protecting Anaheim enterprises from ransomware attacks. These include user education for recognizing and avoiding phishing attempts, and ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR), which uses SentinelOne's AI-based threat protection to detect and quarantine zero-day malware attacks. Progent can also provide veteran crypto-ransomware recovery engineers with the skills and perseverance to restore a breached system as quickly as possible.
Progent's Ransomware Restoration Services
After a ransomware intrusion, paying the ransom in cryptocurrency does not guarantee that the criminals will respond with the keys needed to decrypt all your data. Kaspersky Labs found that 17% of ransomware victims never recovered their data even after paying the ransom, compounding their losses. Paying is also very costly. Ryuk ransoms are typically a few hundred thousand dollars, and for larger enterprises the ransom can run into millions of dollars. The alternative is to piece the key elements of your IT environment back together. Without essential data backups, this calls for a broad range of IT skills, professional project management, and the capacity to work non-stop until the job is done.
For decades, Progent has provided expert IT services to businesses throughout the United States and has achieved Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold high-level certifications in foundation technologies from Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity experts hold internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, SANS GIAC, and CMMC 2.0. (See Progent's certifications.) Progent also has experience with financial systems and ERP application software. This breadth of experience allows Progent to quickly identify the necessary systems, organize the surviving parts of your IT environment after a crypto-ransomware intrusion, and configure them into a working system.
Progent's security team uses robust project management tools to coordinate the complex restoration process. Progent understands the urgency of acting quickly and in concert with a customer's management and IT staff to prioritize tasks and bring the most important systems back online as fast as possible.
Client Case Study: A Successful Crypto-Ransomware Intrusion Response
A customer engaged Progent after their organization was brought down by the Ryuk crypto-ransomware. Ryuk is believed to have been created by North Korean state-sponsored criminal gangs, which are suspected of adopting algorithms leaked from the U.S. National Security Agency. Ryuk targets specific organizations with little tolerance for operational disruption and is among the most lucrative strains of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing business headquartered in the Chicago metro area with about 500 employees. The Ryuk intrusion had paralyzed all business operations and manufacturing processes. Most of the client's data backups had been directly accessible at the time of the attack and were eventually encrypted. The client was actively seeking loans to pay the ransom (more than $200K) and hoping for the best, but ultimately engaged Progent.
Progent worked with the client to rapidly identify and prioritize the essential areas that had to be recovered in order to resume company operations:
Within 48 hours, Progent rebuilt Active Directory to its pre-intrusion state. Progent then performed reinstallations and storage recovery on critical systems. All Exchange Server connections and configuration data were intact, which accelerated the restoration of Exchange. Progent located unencrypted OST files (Outlook offline folder files) on user desktop computers and used them to recover email data. A recent offline backup of the business's accounting software made it possible to bring those required applications back online. Although a great deal of work remained to recover completely from the Ryuk damage, essential systems were restored quickly:
Over the following weeks, critical milestones in the recovery project were reached through close cooperation between Progent engineers and the customer:
Conclusion
A potentially business-ending disaster was averted through the efforts of dedicated experts, a wide array of technical expertise, and close collaboration. In hindsight, the ransomware intrusion described here could have been prevented by advanced cybersecurity technology and NIST Cybersecurity Framework best practices, user and IT administrator training, and well-planned incident response procedures for data backup and for keeping systems current with security patches. The reality remains, however, that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to ransomware, remember that Progent's team of experts has a proven track record in ransomware blocking, mitigation, and data disaster recovery.
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB)
Contact Progent for Ransomware Recovery Consulting in Anaheim
For ransomware system recovery consulting services in the Anaheim metro area, phone Progent at