Crypto-Ransomware : Your Feared IT Catastrophe
Ransomware has become a modern cyber pandemic that poses an enterprise-level threat to businesses of every size. Long-established families such as Dharma, WannaCry, Locky, Syskey and MongoLock have been around for years and still cause damage. Modern variants such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, along with a steady stream of less-known strains, not only encrypt online data but also seek out and encrypt any backups they can reach. Files synchronized to off-site disaster recovery sites can be corrupted as well. Against a data protection solution that is reachable from the compromised network, this renders automated restoration useless and effectively sets the datacenter back to zero.
Recovering services and data after a ransomware intrusion becomes a race against time as the victim works to stop lateral movement, eradicate the ransomware and restore business-critical activity. Because crypto-ransomware needs time to spread, attacks are usually launched at night, when a successful penetration typically takes longer to notice. This compounds the difficulty of rapidly mobilizing and coordinating a qualified response team.
Progent offers an assortment of services for protecting Springfield organizations from crypto-ransomware attacks. These include staff training to recognize and avoid phishing scams, and ProSight Active Security Monitoring, an endpoint detection and response service built on SentinelOne's behavior-based threat defense that identifies and quarantines zero-day malware. Progent also offers the services of veteran ransomware recovery engineers with the skills and commitment to bring a compromised system back as urgently as possible.
Progent's Ransomware Recovery Support Services
After a crypto-ransomware attack, paying the ransom demand in Bitcoin provides no assurance that the criminal gang will hand over the keys to decrypt all your data. Kaspersky estimated that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the typical crypto-ransomware demand, which ZDNET put at around $13,000 for smaller organizations. The alternative is to rebuild the mission-critical parts of your IT environment. Without access to complete data backups, this requires a wide range of IT skills, top-notch project management, and the ability to work non-stop until the job is done.
For decades, Progent has provided expert IT services to businesses across the US and holds Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who hold advanced certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants hold internationally recognized industry certifications including CISA, CISSP, CRISC, and GIAC. (Visit Progent's certifications.) Progent also has experience with accounting and ERP software. This breadth of expertise enables Progent to quickly identify critical systems, organize the surviving pieces of your IT environment after a ransomware event, and assemble them into an operational network.
Progent's ransomware team uses robust project management tools to coordinate the complex restoration process. Progent understands the importance of working rapidly and in concert with a customer's management and IT staff to prioritize tasks and bring key services back online as fast as humanly possible.
Client Case Study: A Successful Ransomware Intrusion Response
A customer engaged Progent after their network was penetrated by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because of code it shares with the Hermes ransomware, but subsequent analysis attributed it to a Russian-speaking criminal group. Ryuk targets specific organizations with little or no tolerance for downtime and is one of the most profitable ransomware operations on record. Widely publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturer based in the Chicago metro area with around 500 employees. The Ryuk penetration had paralyzed all company operations and manufacturing capabilities. Most of the client's data backups had been online at the start of the attack and were eventually encrypted. The client was actively seeking loans to pay the ransom demand (more than $200K) and hoping for the best, but ultimately turned to Progent.
Progent worked with the client to rapidly identify and prioritize the key elements that had to be addressed in order to resume departmental functions:
In less than two days, Progent restored Active Directory to its pre-attack state. Progent then assisted with reinstallation and disk recovery for essential applications. The Exchange Server objects and attributes in Active Directory were intact, which greatly simplified the rebuild of Exchange. Progent was also able to locate intact Outlook Offline Folder (OST) files on user workstations and laptops and recover email messages from them. A fairly recent offline backup of the client's accounting software allowed those required services to be brought back online. Although a great deal of work remained to recover fully from the Ryuk event, critical services were restored rapidly:
Over the following weeks, key milestones in the recovery process were reached in close collaboration between Progent consultants and the customer:
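The workstation OST files mentioned above are only useful if they were not themselves encrypted, and ransomware frequently renames the files it encrypts by appending an extension, so the first step is a header check rather than trusting the file name. The triage script below is an added example and is not Progent's tooling or anything taken from the case study. It relies on the fact that Outlook data files (PST and OST share one on-disk format) begin with the 4-byte signature `!BDN`, and it treats a file as a mailbox file if any of its extensions is `.ost` or `.pst`, so that a renamed `archive.pst.RYK`-style file is still examined. The sample directory tree, the file names and the `.RYK` suffix are all constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Added example (not the case study's tooling): triage Outlook OST/PST files
# copied from workstations after a ransomware event. Outlook data files (PST
# and OST share the format) start with the 4-byte signature "!BDN". A file
# encrypted in place, or renamed with an appended extension, will not.
PST_MAGIC = b"!BDN"
MAILBOX_EXTS = {".ost", ".pst"}


def is_mailbox_file(path) -> bool:
    """True for mail.ost, mail.pst and renamed files such as mail.ost.RYK."""
    return any(s.lower() in MAILBOX_EXTS for s in Path(path).suffixes)


def classify_mailbox_file(path) -> str:
    """Classify a file by its header: intact, encrypted_or_damaged, unreadable."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(PST_MAGIC))
    except OSError:
        return "unreadable"
    return "intact" if head == PST_MAGIC else "encrypted_or_damaged"


def triage(root) -> list:
    """Walk root and return sorted (path relative to root, status) pairs."""
    root = Path(root)
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if is_mailbox_file(p):
                found.append((p.relative_to(root).as_posix(), classify_mailbox_file(p)))
    return sorted(found)


def build_sample_tree(base) -> None:
    """Write constructed sample files (not real mailboxes) under base."""
    base = Path(base)
    for ws in ("ws01", "ws02"):
        (base / ws / "Outlook").mkdir(parents=True)
    # ws01: an OST with a valid header and a dummy body
    (base / "ws01/Outlook/alice@corp.ost").write_bytes(PST_MAGIC + b"\x00" * 60)
    # ws02: an OST encrypted in place (opaque bytes, no signature)
    (base / "ws02/Outlook/bob@corp.ost").write_bytes(bytes(range(255, 191, -1)))
    # ws02: a PST renamed by the ransomware with an appended extension
    # (".RYK" is assumed here purely for the demonstration)
    (base / "ws02/Outlook/archive.pst.RYK").write_bytes(bytes(range(200, 136, -1)))
    # an unrelated file that the scan must ignore
    (base / "ws02/notes.txt").write_bytes(b"not a mailbox")


def demo() -> list:
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for rel, status in demo():
        print(f"{status:22} {rel}")
```

Point `triage()` at a share or mounted image into which the workstations' `%LOCALAPPDATA%\Microsoft\Outlook` folders have been copied. Two caveats apply: a valid signature only shows that the file was not encrypted in place, not that its internal structure is consistent, so run Outlook's Inbox Repair Tool (scanpst.exe) on a copy before relying on it; and Outlook does not open an orphaned OST the way it opens a PST, so the messages have to be exported through a profile that still matches the mailbox or with a conversion tool.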
Conclusion
A likely business-ending catastrophe was averted through results-oriented experts, a wide array of subject matter expertise, and close teamwork. In hindsight, the crypto-ransomware penetration described here should have been stopped by current security technology and best practices, user and IT administrator training, and properly executed procedures for backup and patching; nevertheless, state-sponsored attackers from China, Russia, North Korea and elsewhere, and the criminal groups that operate alongside them, are tireless and will keep trying. If you are hit by a ransomware incursion, be assured that Progent's roster of professionals has extensive experience in ransomware defense, remediation, and data recovery.
Download the Crypto-Ransomware Removal Case Study Datasheet
To review or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Consulting in Springfield
For ransomware system restoration consulting in the Springfield area, phone Progent at