Crypto-Ransomware : Your Feared Information Technology Catastrophe
Crypto-ransomware has become an escalating cyber pandemic that presents an enterprise-level threat to any business vulnerable to an attack. Ransomware families such as Reveton, Fusob, Locky, SamSam and the MongoLock cryptoworms have been in the wild for years and still inflict havoc. Modern strains such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Egregor, along with other unnamed malware, not only encrypt on-line data files but also compromise many of the configured system protections. Files replicated to off-site disaster recovery sites can also be encrypted. In a poorly architected environment, this can make any recovery impossible and effectively sets the entire system back to square one.
Restoring applications and information following a crypto-ransomware event becomes a race against the clock as the targeted business struggles to stop lateral movement, remove the crypto-ransomware, and resume mission-critical activity. Because ransomware needs time to move laterally, attacks are usually launched during weekends and nights, when a successful penetration is likely to take longer to uncover. This multiplies the difficulty of quickly mobilizing and organizing an experienced response team.
Progent offers a range of services for protecting Bristol businesses from crypto-ransomware attacks. These include training so that team members can recognize and avoid falling victim to phishing attempts, and ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR), which uses SentinelOne's behavior-based threat defense to identify and quarantine zero-day malware attacks. Progent also provides veteran crypto-ransomware recovery engineers with the skill and perseverance to rebuild a breached system as rapidly as possible.
Progent's Ransomware Restoration Support Services
Following a ransomware attack, even paying the ransom demand in Bitcoin does not ensure that the remote criminals will respond with the keys needed to decrypt all your files. Kaspersky found that 17% of ransomware victims never recovered their files even after paying the ransom, compounding their losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is far higher than the typical ransomware demand, which ZDNET estimated at approximately $13,000 for smaller organizations. The alternative is to rebuild the mission-critical components of your IT environment. Without access to complete data backups, this calls for a broad complement of skills, professional project management, and the capability to work 24x7 until the task is completed.
For two decades, Progent has provided professional Information Technology services to companies across the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who hold advanced certifications in leading technologies from Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have earned internationally recognized certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial management and ERP applications. This breadth of expertise allows Progent to quickly understand critical systems, reorganize the remaining pieces of your IT environment following a ransomware attack, and rebuild them into a functioning network.
Progent's recovery group uses top-notch project management tools to orchestrate the complicated recovery process. Progent understands the urgency of working swiftly and in unison with a client's management and Information Technology staff to prioritize tasks and bring critical applications back on line as soon as possible.
Customer Case Study: A Successful Ransomware Penetration Restoration
A customer escalated to Progent after their company was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state-sponsored cybercriminals, suspected of adopting techniques leaked from America's National Security Agency. Ryuk targets specific organizations with little or no tolerance for disruption and is among the most profitable incarnations of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturer headquartered in Chicago with around 500 workers. The Ryuk attack had frozen all essential business operations and manufacturing capabilities. The majority of the client's backups had been on-line at the start of the attack and were encrypted. The client was pursuing financing to pay the ransom demand (in excess of $200K) and hoping for good luck, but ultimately brought in Progent.
Progent worked hand in hand with the customer to quickly identify and prioritize the key services that needed to be recovered in order to restart departmental functions:
Within two days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then began rebuilding key systems and recovering their storage. All Microsoft Exchange Server data and configuration information were usable, which accelerated the rebuild of Exchange. Progent was also able to locate local OST files (Outlook Offline Folder Files) on team desktop computers to recover mail data. A relatively recent off-line backup of the client's accounting/ERP systems made it possible to bring these essential applications back online for users. Although major work remained to recover fully from the Ryuk damage, essential systems were restored quickly:
Over the following month, important milestones in the restoration process were completed through close cooperation between Progent team members and the customer:
Conclusion
A potential business-extinction catastrophe was averted through the efforts of hard-working professionals, a broad range of technical expertise, and close teamwork. Although in hindsight the crypto-ransomware attack detailed here could have been identified and stopped with advanced security technology and recognized best practices, team training, appropriate incident response procedures for data protection, and proper patching controls, the reality remains that state-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by crypto-ransomware, remember that Progent's roster of experts has a proven track record in crypto-ransomware blocking, mitigation, and information systems restoration.
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Expertise in Bristol
For ransomware recovery services in the Bristol area, call Progent at