Crypto-Ransomware : Your Worst Information Technology Catastrophe
Crypto-ransomware has become an all-too-frequent cyber pandemic that presents an existential danger to businesses poorly prepared for an attack. Ransomware families such as the Reveton, Fusob, Locky, SamSam and MongoLock cryptoworms have been propagating for a long time and still cause destruction. More recent variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Egregor, along with frequent unnamed malware, not only encrypt online data but also encrypt any system backups they can reach. Information synced to the cloud can also be corrupted. In a poorly designed environment, this can make automated recovery impossible and effectively resets the entire system to zero.
Getting applications and information back online after a ransomware outage becomes a sprint against the clock as the targeted business does its best to stop lateral movement, remove the ransomware, and restore business-critical activity. Because crypto-ransomware takes time to move laterally across a targeted network, attacks are usually launched on weekends, when successful penetrations typically take longer to detect. This compounds the difficulty of promptly assembling and organizing an experienced response team.
Progent offers a variety of services for protecting Atlanta enterprises from ransomware attacks. These include training team members to recognize and not fall victim to phishing attempts, and ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR), which uses SentinelOne's behavior-based threat protection to discover and quarantine zero-day modern malware attacks. Progent also offers the services of seasoned ransomware recovery consultants with the skills and commitment to reconstruct a breached network as rapidly as possible.
Progent's Ransomware Recovery Help
After a crypto-ransomware event, paying the ransom demand in cryptocurrency provides no assurance that merciless criminals will supply the keys needed to decrypt all your information. Kaspersky determined that 17% of ransomware victims never restored their data after paying the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms are often several hundred thousand dollars, and for larger organizations the demand can reach millions of dollars. The alternative is to rebuild the critical parts of your IT environment from scratch. Without usable system backups, this requires a broad complement of skills, top-notch project management, and the capability to work 24x7 until the job is completed.
For twenty years, Progent has provided professional IT services to businesses across the US and has achieved Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who hold advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cyber security consultants hold internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, GIAC, and CMMC 2.0 (refer to Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of experience allows Progent to rapidly identify critical systems, organize the remaining components of your network environment after a ransomware event, and assemble them into an operational system.
Progent's security group uses best-of-breed project management tools to coordinate the complicated restoration process. Progent understands the importance of acting swiftly and in concert with a client's management and IT staff to prioritize tasks and bring critical services back online as soon as humanly possible.
Client Story: A Successful Crypto-Ransomware Virus Recovery
A small business engaged Progent after its network was brought down by Ryuk crypto-ransomware. Ryuk is generally considered to have been developed by North Korean government-sponsored hackers, possibly adopting techniques leaked from the U.S. National Security Agency. Ryuk targets specific organizations with limited tolerance for operational disruption and is among the most lucrative ransomware strains. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing company headquartered in the Chicago metro area with about 500 employees. The Ryuk attack had brought down all essential operations and manufacturing capabilities. Most of the client's information backups had been online at the start of the attack and were encrypted. The client was considering paying the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but in the end brought in Progent.
Progent worked with the customer to quickly assess and prioritize the most important systems that needed to be restored to make it possible to continue departmental functions:
Within 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then completed setup and storage recovery on essential servers. All Exchange schema and configuration information was intact, which greatly simplified the Exchange restore. Progent was also able to locate intact OST files (Outlook Offline Folder Files) on staff desktop computers and use them to recover mail data. A recent offline backup of the customer's financials/ERP software made it possible to bring these required applications back online. Although significant work remained to recover completely from the Ryuk attack, essential services were restored rapidly:
During the following couple of weeks critical milestones in the restoration process were made through close collaboration between Progent engineers and the client:
Conclusion
A potential enterprise-killing catastrophe was averted by hard-working professionals, a broad range of knowledge, and tight teamwork. Post-incident forensics showed that the crypto-ransomware incident described here should have been stopped by current security technology, NIST Cybersecurity Framework best practices, team education, and properly executed incident response procedures for information backup and timely security patching. Nevertheless, state-sponsored cybercriminals from China, North Korea and elsewhere are relentless and remain an ongoing threat. If you do fall victim to a ransomware penetration, you can be confident that Progent's roster of experts has a proven track record in ransomware blocking, remediation, and information systems disaster recovery.
Download the Crypto-Ransomware Removal Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Services in Atlanta
For ransomware system recovery consulting in the Atlanta area, phone Progent at