Crypto-Ransomware: Your Feared Information Technology Disaster
Ransomware has become an all-too-frequent cyber pandemic that poses an enterprise-level threat to businesses poorly prepared for an attack. Successive iterations of ransomware such as the Dharma, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been spreading for many years and still inflict harm. More recent crypto-ransomware families such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nefilim, along with as yet unnamed newcomers, not only encrypt online files but also corrupt any system backup they can reach. Data replicated to off-site disaster recovery sites can be rendered useless as well. In a poorly designed environment this makes automated restore operations impossible and effectively knocks the datacenter back to square one.
Bringing applications and data back online after a ransomware attack becomes a race against time as the targeted business struggles to stop the spread, clean up the crypto-ransomware, and restore business-critical activity. Because ransomware needs time to move laterally, attacks are usually sprung on weekends and holidays, when intrusions are likely to take longer to discover. This compounds the difficulty of promptly assembling and orchestrating a knowledgeable response team.
Progent offers a variety of support services for protecting Cambridge organizations from ransomware events. These include user education to help staff recognize and avoid phishing scams, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which uses SentinelOne's behavior-based threat protection to detect and contain zero-day malware attacks. Progent also provides the services of veteran ransomware recovery consultants with the track record and commitment to rebuild a breached environment as quickly as possible.
Progent's Crypto-Ransomware Recovery Support Services
In the aftermath of a ransomware intrusion, paying the ransom in Bitcoin does not guarantee that the attackers will hand over the keys needed to decrypt all your data. Kaspersky found that seventeen percent of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also very expensive. Ryuk ransoms commonly range from 15 to 40 BTC ($120,000 to $400,000). This is far higher than typical ransomware demands, which ZDNET determined to be around $13,000 for smaller organizations. The alternative is to rebuild the vital components of your IT environment from scratch. Without complete system backups, this calls for a broad range of IT skills, first-rate team management, and the ability to work around the clock until the recovery project is complete.
For twenty years, Progent has offered expert IT services to companies throughout the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who hold top certifications in key technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security engineers hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience with financial systems and ERP software. This breadth of experience gives Progent the ability to quickly understand the systems that matter, salvage the surviving parts of your network environment after a crypto-ransomware event, and reassemble them into a functioning network.
Progent's security team uses robust project management tools to coordinate the complex restoration process. Progent understands the importance of acting quickly and working alongside a client's management and IT staff to prioritize tasks and get critical applications back online as soon as humanly possible.
Client Story: A Successful Ransomware Intrusion Response
A small business contacted Progent after its network was hit by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean government-sponsored criminal gangs, possibly using techniques leaked from the U.S. NSA. Ryuk targets specific organizations with little or no ability to tolerate disruption and is one of the most lucrative examples of crypto-ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in the Chicago metro area with around 500 employees. The Ryuk intrusion had frozen all business operations and manufacturing capabilities. Most of the client's system backups had been directly reachable from the network at the time of the attack and were damaged. The client considered paying the ransom (in excess of $200,000) and hoping for the best, but ultimately decided to engage Progent.
Progent worked hand in hand with the client to quickly assess and prioritize the most important systems that had to be restored in order to resume company operations:
Within 2 days, Progent had restored Windows Active Directory to its pre-intrusion state. Progent then pressed ahead with reinstallations and storage recovery of the required systems. All Microsoft Exchange Server data and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to locate local OST files (Outlook Offline Data Files) on various desktop computers to recover email messages. A reasonably recent offline backup of the client's accounting/ERP software made it possible to bring those essential services back online. Although a great deal of work remained before recovery from the Ryuk damage was complete, critical services were restored rapidly:
Over the next couple of weeks, key milestones in the recovery project were reached through close collaboration between Progent team members and the customer:
Conclusion
A potentially business-ending disaster was averted through the efforts of top-tier professionals, a broad array of IT skills, and close collaboration. In hindsight, the ransomware intrusion described here should have been prevented by current security solutions and NIST Cybersecurity Framework best practices, staff education, and well-thought-out incident response procedures covering data backup and patching controls. The fact remains, however, that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and will keep attacking. If you do fall victim to a crypto-ransomware incident, you can be confident that Progent's roster of experts has substantial experience in ransomware defense, remediation, and data restoration.
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Expertise in Cambridge
For ransomware cleanup expertise in the Cambridge area, call Progent at