Crypto-Ransomware: Your Worst IT Disaster
Crypto-ransomware has become an escalating cyberplague that poses an enterprise-level danger for organizations poorly prepared for an attack. Ransomware families such as the Dharma, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for many years and continue to cause harm. Newer strains such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, plus more as yet unnamed malware, not only encrypt online information but also reach and corrupt most available system backups. Files synchronized to cloud environments can also be rendered useless, since the encrypted copies overwrite the originals. In a vulnerable environment, this can make automatic recovery hopeless and effectively sets the datacenter back to square one.
Getting programs and information back following a ransomware event becomes a race against time as the victim tries to stop the spread, remove the malware, and resume enterprise-critical activity. Because ransomware takes time to move laterally across a targeted network, attacks are usually sprung on weekends, when they may take longer to recognize. This multiplies the difficulty of promptly assembling and coordinating a qualified mitigation team.
Progent offers a variety of services for protecting Barra da Tijuca enterprises from crypto-ransomware events. Among these are team member education to help identify and avoid phishing exploits, and ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR), which utilizes SentinelOne's behavior-based threat defense to discover and disable zero-day modern malware attacks. Progent in addition provides the assistance of experienced crypto-ransomware recovery consultants with the talent and commitment to restore a breached environment as rapidly as possible.
Progent's Ransomware Recovery Services
Following a crypto-ransomware attack, paying the ransom in cryptocurrency does not ensure that the cyber criminals will provide the keys needed to decrypt any of your files. Kaspersky estimated that seventeen percent of ransomware victims never restored their data after having paid the ransom, resulting in increased losses. The gamble is also costly: Ryuk ransoms are typically a few hundred thousand dollars, and for larger organizations the demand can reach millions. The fallback is to piece back together the mission-critical elements of your Information Technology environment. Absent access to complete data backups, this calls for a broad complement of skill sets, well-coordinated project management, and the capability to work continuously until the recovery project is over.
For twenty years, Progent has made available certified expert Information Technology services for businesses throughout the US and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have attained top industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally recognized certifications including CISM, CISSP, ISACA CRISC, GIAC, and CMMC 2.0. (Visit Progent's certifications.) Progent also has expertise in financial systems and ERP software solutions. This breadth of experience gives Progent the ability to knowledgeably determine which systems are necessary, organize the remaining pieces of your computer network after a ransomware penetration, and assemble them into a functioning system.
Progent's security group uses best-of-breed project management applications to orchestrate the sophisticated restoration process. Progent appreciates the urgency of working quickly and together with a client's management and Information Technology resources to assign priority to tasks and to put the most important systems back online as soon as possible.
Client Story: A Successful Ransomware Attack Recovery
A small business escalated to Progent after their company was brought down by the Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state-sponsored criminal gangs, suspected of using techniques leaked from the United States NSA. Ryuk targets specific organizations with little room for operational disruption and is one of the most profitable iterations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing business based in the Chicago metro area with around 500 employees. The Ryuk event had frozen all business operations and manufacturing processes. The majority of the client's data backups had been directly accessible from the network at the start of the attack and were destroyed. The client was evaluating paying the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately made the decision to use Progent.
Progent worked together with the customer to quickly identify and prioritize the mission-critical elements that needed to be addressed in order to restart company operations:
In less than 2 days, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then completed setup and hard drive recovery on mission-critical applications. All Exchange ties and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to find local OST files (Outlook Offline Data Files) on staff desktop computers and laptops to recover mail information. A reasonably recent offline backup of the business's accounting systems made it possible to return these essential applications to servicing users. Although a lot of work remained to recover fully from the Ryuk damage, essential systems were returned to operation rapidly:
During the next few weeks, critical milestones in the restoration process were achieved through tight cooperation between Progent engineers and the customer:
Conclusion
A likely business-ending disaster was avoided through the efforts of results-oriented experts, a wide spectrum of knowledge, and close teamwork. Forensics showed that the ransomware attack detailed here could have been identified and blocked with current security technology, security best practices, team education, and properly executed procedures for data backup and patch management. Nevertheless, state-sponsored hackers from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to crypto-ransomware, be confident that Progent's roster of professionals has proven experience in crypto-ransomware blocking, mitigation, and file disaster recovery.
Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB)
Contact Progent for Ransomware Recovery Consulting Services in Barra da Tijuca
For ransomware system recovery consulting services in the Barra da Tijuca metro area, call Progent at