Crypto-Ransomware : Your Feared IT Catastrophe
Ransomware has become an escalating cyber plague that poses an existential threat to any organization vulnerable to an assault. Crypto-ransomware families such as CrySIS, Fusob, Bad Rabbit, SamSam and MongoLock have been circulating for years and still inflict havoc. More recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, plus a steady stream of unnamed newcomers, not only encrypt on-line critical data but also attack whatever protection mechanisms they can reach, including shadow copies and any backup storage that is writable from the compromised network. Files synched to off-site disaster recovery sites can be ransomed along with the originals. In a poorly architected environment this can make any restore operation impossible and effectively knocks the datacenter back to zero.
Bringing applications and information back online after a ransomware intrusion is a race against time as the targeted organization struggles to contain the damage, clean up the ransomware and resume mission-critical operations. Because the intruders need time to move laterally before detonating the encryptor, attacks are frequently launched on weekends, when a successful penetration typically takes longer to notice. This compounds the difficulty of quickly marshalling and orchestrating a knowledgeable response team.
Progent has a range of solutions for securing Chesapeake businesses against ransomware events. These include staff training to help employees recognize and not fall victim to phishing exploits, and ProSight Active Security Monitoring (ASM) for endpoint detection and response, which uses SentinelOne's behavior-based threat protection to discover and quarantine zero-day malware attacks. Progent can in addition provide the assistance of veteran ransomware recovery engineers with the track record and perseverance to re-deploy a compromised environment as soon as possible.
Progent's Ransomware Restoration Support Services
Following a crypto-ransomware event, even paying the ransom in Bitcoin does not guarantee that the criminals will hand over the keys needed to decrypt all your information. Kaspersky Labs estimated that 17% of crypto-ransomware victims never restored their data even after paying, compounding their losses. The ransom itself is also very costly: Ryuk demands often range from fifteen to forty BTC (roughly $120,000 to $400,000), well above the typical ransomware demand, which ZDNet estimated at approximately $13,000 for small businesses. The fallback is to rebuild the key components of your IT environment. Without access to complete, uncompromised backups, this requires a broad complement of IT skills, professional team management, and the ability to work continuously until the recovery project is completed.
For decades, Progent has provided certified expert IT services for businesses across the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who hold top industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have earned internationally recognized industry certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with financial management and ERP software solutions. This breadth of experience lets Progent efficiently identify the systems that must come back first, salvage the surviving components of your network after a ransomware penetration, and rebuild them into an operational environment.
Progent's ransomware team uses best-of-breed project management tools to orchestrate the complex restoration process. Progent understands the urgency of acting rapidly and works with the customer's management and IT staff to prioritize tasks and to get key systems back on-line as fast as possible.
Customer Case Study: A Successful Ransomware Intrusion Restoration
A client engaged Progent after their network was taken over by Ryuk ransomware. Early analysis tied Ryuk to North Korean state-sponsored actors because of code it shares with the earlier Hermes ransomware, although later attribution has pointed to a Russian-speaking criminal group; in either case Ryuk is deployed by hand after an initial foothold and lateral movement rather than spreading on its own. Ryuk goes after specific businesses with limited ability to sustain disruption and is one of the most lucrative ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company in the Chicago metro area with about 500 employees. The Ryuk penetration had frozen all essential business and manufacturing processes. Most of the client's backups had been directly reachable from the network at the time of the attack and were eventually encrypted along with the production data. The client was preparing to pay the ransom (exceeding $200,000) and hoping for the best, but ultimately engaged Progent instead.
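Before any rebuild starts, the first job is to find out which backup sets actually survived, since a set that was reachable from the network is likely to contain ciphertext and ransom notes rather than restorable data. The following script is added here as an illustration; it is not part of the case study and not Progent's tooling. It walks a directory of backup sets and flags files that carry a ransom extension, files named like a ransom note, and files whose byte entropy looks like ciphertext even though the name was left alone. The indicator values (the .RYK extension and the RyukReadMe note names) are assumptions taken from public Ryuk reporting, and the sample tree is constructed on the fly.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed indicators, taken from public Ryuk reporting rather than from the
# case study: Ryuk appends ".RYK" to encrypted files and drops ransom notes
# named RyukReadMe.txt / RyukReadMe.html. Extend both sets for other families.
RANSOM_EXTENSIONS = {".ryk"}
RANSOM_NOTE_NAMES = {"ryukreadme.txt", "ryukreadme.html"}

# Legitimately high-entropy formats that must not be mistaken for ciphertext.
KNOWN_MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7z",
}
ENTROPY_THRESHOLD = 7.5   # bits/byte; random or encrypted data approaches 8.0
SAMPLE_BYTES = 4096       # only the head of each file is sampled


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> str:
    """Return 'ransom_note', 'encrypted' or 'intact' for a single file."""
    if path.name.lower() in RANSOM_NOTE_NAMES:
        return "ransom_note"
    if path.suffix.lower() in RANSOM_EXTENSIONS:
        return "encrypted"
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if any(head.startswith(magic) for magic in KNOWN_MAGIC):
        return "intact"          # compressed archive, not ciphertext
    # Short files give unreliable entropy estimates, so only judge real samples.
    if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "encrypted"       # encrypted in place, extension untouched
    return "intact"


def triage_backup_sets(root: Path) -> dict:
    """Classify every file under each backup set (immediate subdirectory of root).

    Returns {set_name: {"intact": n, "encrypted": n, "ransom_note": n,
    "usable": bool}}; a set is usable only if nothing in it looks touched."""
    report = {}
    for backup_set in sorted(p for p in root.iterdir() if p.is_dir()):
        counts = {"intact": 0, "encrypted": 0, "ransom_note": 0}
        for f in backup_set.rglob("*"):
            if f.is_file():
                counts[classify_file(f)] += 1
        counts["usable"] = (counts["intact"] > 0
                            and counts["encrypted"] == 0
                            and counts["ransom_note"] == 0)
        report[backup_set.name] = counts
    return report


def build_sample_tree() -> Path:
    """Constructed sample data (not client data): one offline set that was
    never reachable from the network and one online share that was hit."""
    root = Path(tempfile.mkdtemp(prefix="backup_triage_"))
    offline = root / "offline_tape_set" / "accounting"
    online = root / "online_share_set" / "accounting"
    offline.mkdir(parents=True)
    online.mkdir(parents=True)
    # Intact: plain text, a sparse database dump and a genuine zip archive.
    (offline / "ledger.csv").write_text("date,account,amount\n" * 200)
    (offline / "erp.bak").write_bytes(b"\x00" * 2048 + b"BACKUP" * 100)
    (offline / "archive.zip").write_bytes(b"PK\x03\x04" + os.urandom(4000))
    # Hit: renamed ciphertext, a file encrypted in place, and a ransom note.
    (online / "ledger.csv.RYK").write_bytes(os.urandom(4096))
    (online / "erp.bak").write_bytes(os.urandom(4096))
    (online.parent / "RyukReadMe.txt").write_text("your files are encrypted\n")
    return root


if __name__ == "__main__":
    for name, counts in triage_backup_sets(build_sample_tree()).items():
        status = "USABLE" if counts["usable"] else "COMPROMISED"
        print(f"{name}: {status} {counts}")
```

Run against a mounted backup volume instead of the sample tree, the report tells the recovery team which sets are worth a test restore and which are ciphertext. Entropy alone is a heuristic: archives, media and backups that were already encrypted by the backup product all look random, which is why the magic-byte allowlist exists and why a "usable" verdict still has to be confirmed by an actual restore. The structural lesson from the case is the one the script cannot fix after the fact: only the copies that were offline or otherwise unwritable from the compromised network come back clean.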
Progent worked together with the customer to rapidly determine and prioritize the mission critical systems that had to be restored in order to resume company operations:
Within two days, Progent rebuilt Windows Active Directory to its pre-penetration state. Progent then pressed ahead with reinstallations and disk recovery for the most important applications. All Exchange Server data and directory attributes were intact, which greatly simplified the restore of Exchange. Progent was able to harvest the local OST files (Outlook's offline data files, cached on each user's workstation) to recover mailbox contents. A reasonably recent offline backup of the company's accounting software made it possible to bring those required applications back online. Although a great deal of work remained to recover fully from the Ryuk event, the most important systems were recovered quickly:
Over the following weeks, important milestones in the restoration process were completed in close cooperation between Progent engineers and the client:
Conclusion
A potential business-extinction catastrophe was averted through hard-working experts, a broad spectrum of technical expertise, and close collaboration. Forensics completed after the fact showed that the attack described here could have been detected and prevented with modern security tooling, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator training, and properly executed incident response procedures for offline backups and timely security patching. The fact remains, however, that state-sponsored and criminal attackers from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware incident, be assured that Progent's roster of experts has extensive experience in ransomware blocking, removal, and data disaster recovery.
Download the Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this case study, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Services in Chesapeake
For ransomware system restoration consulting in the Chesapeake area, phone Progent at