Crypto-Ransomware : Your Feared IT Nightmare
Ransomware has become an escalating cyber pandemic that represents an extinction-level danger for organizations vulnerable to an attack. Different iterations of ransomware such as the CryptoLocker, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for years and continue to inflict harm. Modern variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, as well as daily unnamed malware, not only encrypt online critical data but also infect all configured system backups. Data synced to off-premises disaster recovery sites can also be corrupted. In a poorly architected system, this can render any restoration impossible and basically sets the entire system back to square one.
Getting applications and data back after a ransomware intrusion becomes a sprint against time as the victim tries its best to stop lateral movement, clear the ransomware, and resume business-critical activity. Because ransomware needs time to spread throughout a targeted network, penetrations are frequently launched during weekends and nights, when they in many cases take longer to notice. This multiplies the difficulty of rapidly mobilizing and organizing a qualified response team.
Progent has a range of services for protecting Brooklyn enterprises from ransomware attacks. Among these are user training to help recognize and avoid phishing attempts, and ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR), which uses SentinelOne's behavior-based threat defense to detect and quarantine zero-day modern malware assaults. Progent also provides the services of seasoned crypto-ransomware recovery professionals with the skills and perseverance to restore a compromised network as rapidly as possible.
Progent's Ransomware Recovery Services
Soon after a crypto-ransomware penetration, sending the ransom in cryptocurrency does not provide any assurance that the cyber criminals will respond with the keys needed to decrypt any or all of your information. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their files even after having paid the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms are typically several hundred thousand dollars. For larger organizations, the ransom demand can be in the millions of dollars. The other path is to set up the critical components of your IT environment from scratch. Without access to complete data backups, this calls for a wide range of IT skills, professional team management, and the capability to work non-stop until the job is complete.
For decades, Progent has offered certified expert IT services for companies across the U.S. and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have attained high-level certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have earned internationally-recognized industry certifications including CISM, CISSP, CRISC, SANS GIAC, and CMMC 2.0. (See Progent's certifications). Progent in addition has expertise in financial management and ERP applications. This breadth of expertise affords Progent the capability to rapidly determine necessary systems and re-organize the surviving components of your Information Technology system after a ransomware event and assemble them into an operational network.
Progent's ransomware group utilizes best of breed project management systems to coordinate the complicated restoration process. Progent understands the urgency of working quickly and together with a client's management and IT staff to prioritize tasks and to get essential services back on line as soon as possible.
Customer Case Study: A Successful Ransomware Virus Restoration
A small business contacted Progent after their company was brought down by Ryuk ransomware. Ryuk is thought to have been developed by North Korean government sponsored hackers, possibly adopting technology exposed from the U.S. NSA organization. Ryuk targets specific businesses with limited tolerance for operational disruption and is among the most profitable incarnations of ransomware. Headline victims include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing company located in Chicago with about 500 employees. The Ryuk attack had paralyzed all business operations and manufacturing capabilities. The majority of the client's data backups had been online at the time of the attack and were damaged. The client was pursuing financing to pay the ransom demand (exceeding $200,000) and hoping for good luck, but in the end made the decision to use Progent.
Progent worked hand in hand with the customer to quickly identify and prioritize the key elements that needed to be addressed in order to resume departmental functions:
In less than 48 hours, Progent was able to rebuild Active Directory services to their pre-penetration state. Progent then accomplished the rebuilding and hard drive recovery of essential servers. All Microsoft Exchange Server data and configuration information were usable, which greatly helped the restoration of Exchange. Progent was also able to find local OST data files (Microsoft Outlook Off-Line Data Files) on user desktop computers and laptops to recover mail data. A recent off-line backup of the client's accounting systems made it possible to bring these vital programs back online for users. Although a large amount of work still needed to be completed to recover totally from the Ryuk event, core services were restored quickly:
Over the next few weeks critical milestones in the restoration process were made in close cooperation between Progent consultants and the customer:
Conclusion
A likely company-ending catastrophe was averted by top-tier professionals, a wide spectrum of subject matter expertise, and close teamwork. Although, once forensics were complete, it was clear that the ransomware attack described here should have been identified and disabled by current cyber security technology solutions and best practices, staff training, and well designed incident response procedures for backups and applying software patches, the reality remains that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware attack, feel confident that Progent's roster of experts has proven experience in crypto-ransomware virus blocking, cleanup, and information systems recovery.
Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Services in Brooklyn
For ransomware system recovery consulting in the Brooklyn area, call Progent at