Crypto-Ransomware: Your Feared Information Technology Disaster
Ransomware has become a modern cyber pandemic that represents an existential danger for businesses unprepared for an attack. Different versions of crypto-ransomware like the Reveton, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for many years and still cause havoc. Newer strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nefilim, plus additional as yet unnamed malware, not only encrypt online data files but also attack every backup and system-protection mechanism they can reach. Data replicated to the cloud can also be rendered useless. In a vulnerable environment, this can make any restore operation hopeless and effectively set the entire system back to zero.
Recovering applications and information after a crypto-ransomware outage becomes a sprint against the clock as the targeted business struggles to stop lateral movement, remove the malware, and restore enterprise-critical activity. Since ransomware requires time to spread across a network, attacks are frequently launched on weekends and holidays, when a successful intrusion tends to take longer to recognize. This multiplies the difficulty of quickly mobilizing and coordinating an experienced mitigation team.
Progent provides a variety of services for securing Buffalo organizations against ransomware intrusions. These include user education to help staff recognize and avoid phishing scams, and ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR), which uses SentinelOne's AI-based threat protection to detect and quarantine zero-day malware attacks. Progent also offers the services of experienced ransomware recovery professionals with the skill and perseverance to reconstruct a compromised system as quickly as possible.
Progent's Ransomware Recovery Help
After a crypto-ransomware event, even paying the ransom in cryptocurrency provides no assurance that the criminals will hand over the keys needed to decrypt all your information. Kaspersky estimated that 17% of ransomware victims never restored their files even after paying the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms are often a few hundred thousand dollars. For larger enterprises, the ransom can reach millions of dollars. The other path is to piece back together the mission-critical components of your IT environment. Without access to complete data backups, this calls for a broad range of IT skills, top-notch team management, and the capability to work non-stop until the task is done.
For decades, Progent has provided certified expert Information Technology services for companies throughout the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who hold high-level certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have earned internationally renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, GIAC, and CMMC 2.0. (See Progent's certifications.) Progent in addition has experience with financial systems and ERP applications. This breadth of experience gives Progent the capability to understand critical systems, consolidate the surviving pieces of your network after a ransomware event, and assemble them into an operational system.
Progent's ransomware team of experts deploys best-of-breed project management tools to orchestrate the sophisticated recovery process. Progent understands the urgency of working swiftly and together with a customer's management and IT staff to prioritize tasks and to put the most important systems back online as fast as humanly possible.
Customer Story: A Successful Ransomware Virus Response
A customer engaged Progent after their network was brought down by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state-sponsored criminal gangs, possibly adopting technology leaked from the United States National Security Agency. Ryuk goes after specific companies with little tolerance for disruption and is among the most profitable incarnations of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business based in Chicago with around 500 employees. The Ryuk intrusion had disabled all company operations and manufacturing capabilities. Most of the client's data backups had been directly accessible from the network at the time of the intrusion and were eventually encrypted along with the production data. The client considered paying the ransom demand (exceeding $200K) and hoping for the best, but in the end engaged Progent.
Progent worked with the customer to quickly identify and prioritize the key areas that needed to be restored to make it possible to resume company functions:
In less than two days, Progent was able to restore Active Directory to its pre-intrusion state. Progent then carried out reinstallations and hard drive recovery of critical systems. All Microsoft Exchange Server links and attributes in Active Directory were still usable, which facilitated the rebuild of Exchange. Progent was able to collect intact OST files (Microsoft Outlook Offline Folder Files) from user workstations in order to recover email data. A recent offline backup of the business's accounting systems made it possible to bring these vital services back online. Although major work remained before the recovery from the Ryuk attack was complete, core systems were restored rapidly:
Throughout the following month, key milestones in the restoration process were completed through tight collaboration between Progent consultants and the customer:
Conclusion
A probable business-killing catastrophe was averted through the efforts of results-oriented experts, a broad range of technical expertise, and close teamwork. In hindsight, the crypto-ransomware attack described here should have been stopped by modern cyber security solutions and best practices, user and IT administrator training, and properly executed procedures for data backup and software patching. Nevertheless, state-sponsored cybercriminals from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware attack, you can be confident that Progent's roster of experts has proven experience in crypto-ransomware defense, cleanup, and data restoration.
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Consulting in Buffalo
For ransomware cleanup consulting services in the Buffalo metro area, call Progent at