Crypto-Ransomware : Your Feared Information Technology Nightmare
Ransomware has become an escalating cyber plague that presents an extinction-level threat to businesses unprepared for an attack. Established ransomware families such as the CrySIS, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been in the wild for a long time and continue to cause damage. More recent variants such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, as well as a steady stream of as yet unnamed malware, not only encrypt online critical data but also attack any system protection mechanisms they can reach. Data replicated to cloud environments can also be ransomed. In a poorly architected system, this can render automatic recovery hopeless and effectively sets the network back to zero.
Retrieving applications and data after a ransomware outage becomes a sprint against the clock as the targeted organization fights to contain the damage, remove the ransomware, and resume mission-critical operations. Because crypto-ransomware needs time to spread throughout a network, attacks are often launched at night, when intrusions typically take longer to notice. This multiplies the difficulty of rapidly mobilizing and coordinating a knowledgeable mitigation team.
Progent makes available an assortment of services for protecting Bristol businesses from crypto-ransomware events. Among these are team training to help staff identify and avoid phishing attempts, and ProSight Active Security Monitoring, an endpoint detection and response (EDR) service that uses SentinelOne's behavior-based threat defense to detect and extinguish zero-day malware assaults. Progent also provides the assistance of experienced ransomware recovery professionals with the talent and commitment to restore a compromised network as urgently as possible.
Progent's Crypto-Ransomware Recovery Support Services
After a crypto-ransomware invasion, paying the ransom in cryptocurrency does not ensure that the cyber criminals will return the keys needed to decrypt any of your data. Kaspersky Labs determined that seventeen percent of ransomware victims never restored their data after having paid the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms are commonly a few hundred thousand dollars. For larger organizations, the ransom demand can be in the millions. The other path is to piece back together the mission-critical parts of your Information Technology environment. Without access to complete information backups, this calls for a wide complement of skills, top-notch project management, and the willingness to work continuously until the job is done.
For twenty years, Progent has made available professional Information Technology services for companies across the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have attained advanced industry certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, SANS GIAC, and CMMC 2.0. (Refer to Progent's certifications.) Progent in addition has experience with financial management and ERP applications. This breadth of experience gives Progent the capability to quickly understand the necessary systems, re-organize the remaining components of your IT environment after a ransomware event, and rebuild them into a functioning system.
Progent's ransomware group uses powerful project management applications to orchestrate the complex restoration process. Progent appreciates the urgency of working quickly and in concert with a client's management and Information Technology resources to prioritize tasks and to get key services back on line as soon as possible.
Customer Story: A Successful Ransomware Attack Restoration
A small business engaged Progent after their network was brought down by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean government-sponsored hackers, possibly adopting approaches exposed from the U.S. NSA organization. Ryuk seeks out specific organizations with little or no room for disruption and is among the most profitable incarnations of ransomware. Major targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing business based in Chicago with about 500 employees. The Ryuk event had frozen all business operations and manufacturing capabilities. The majority of the client's backups had been directly accessible at the beginning of the attack and were destroyed. The client was evaluating paying the ransom (more than $200K) and hoping for the best, but ultimately engaged Progent.
Progent worked hand in hand with the client to rapidly identify and prioritize the most important elements that needed to be recovered in order to restart departmental functions:
Within two days, Progent was able to recover Active Directory to its pre-attack state. Progent then initiated reinstallations and hard drive recovery of mission-critical servers. All Microsoft Exchange Server schema and attributes were usable, which facilitated the rebuild of Exchange. Progent was able to assemble non-encrypted OST files (Outlook Offline Folder Files) from user desktop computers and laptops to recover mail messages. A recent offline backup of the customer's accounting/ERP systems made it possible to bring these essential programs back online. Although a large amount of work remained to recover fully from the Ryuk attack, the most important systems were restored quickly:
Throughout the next few weeks key milestones in the restoration project were accomplished through close collaboration between Progent consultants and the client:
Conclusion
A potential business-killing catastrophe was averted due to dedicated professionals, a broad spectrum of subject matter expertise, and tight collaboration. Although in post mortem the crypto-ransomware intrusion detailed here should have been identified and blocked with advanced cyber security solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and well thought out procedures for backup and software patching, the reality remains that state-sponsored cybercriminals from Russia, China and elsewhere are relentless and are an ongoing threat. If you do fall victim to a crypto-ransomware incident, feel confident that Progent's team of professionals has proven experience in ransomware defense, mitigation, and data recovery.
Download the Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this case study, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Consulting Services in Bristol
For ransomware recovery expertise in the Bristol area, phone Progent at