Crypto-Ransomware: Your Feared Information Technology Disaster
Crypto-ransomware has become a modern cyberplague that represents an extinction-level danger for organizations poorly prepared for an attack. Ransomware families such as CryptoLocker, Fusob, Locky, Syskey and MongoLock have been around for years and continue to inflict harm. Newer strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, along with others not yet named, not only encrypt online data but also go after every protection mechanism they can reach, including backups that are accessible from the compromised network. Files replicated to cloud environments can be rendered useless as well. In a poorly designed environment this can make automated restore operations impossible and effectively knocks the entire system back to zero.
Getting applications and data back online after a ransomware attack becomes a sprint against time as the targeted organization fights to contain the damage, eradicate the ransomware and restore enterprise-critical activity. Because ransomware needs time to spread, attacks are often launched at night, when they typically take longer to discover. This compounds the difficulty of quickly marshalling and organizing a qualified mitigation team.
Progent provides a variety of services for protecting Raleigh businesses from ransomware attacks. These include staff training to recognize and avoid phishing attempts, and ProSight Active Security Monitoring, an endpoint detection and response (EDR) service built on SentinelOne's behavior-based threat protection to detect and contain zero-day malware attacks. Progent also provides the services of seasoned ransomware recovery professionals with the skills and commitment to rebuild a compromised network as quickly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware attack, paying the ransom in cryptocurrency offers no assurance that the criminals will hand over the keys to decrypt any or all of your data. Kaspersky Labs found that 17% of crypto-ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000), far higher than typical ransomware demands, which ZDNet estimated at approximately $13,000 for smaller organizations. The alternative is to rebuild the key parts of your IT environment from scratch. Without complete, uncompromised backups, this calls for a broad complement of IT skills, well-coordinated team management, and the willingness to work 24x7 until the recovery is done.
For decades, Progent has offered certified expert Information Technology services for companies across the United States and has earned Microsoft's Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who hold advanced certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts hold internationally recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial management and ERP software. This breadth of expertise allows Progent to knowledgeably identify critical systems, salvage the surviving pieces of your IT environment after a ransomware event, and rebuild them into an operational network.
Progent's security team uses best-of-breed project management tools to orchestrate the complex restoration process. Progent appreciates the urgency of working swiftly and in concert with a client's management and IT staff to prioritize tasks and bring key services back online as fast as possible.
Customer Case Study: A Successful Ransomware Penetration Recovery
A small business turned to Progent after it was hit by the Ryuk ransomware. Ryuk was initially attributed to North Korean state actors because of the code it shares with the earlier Hermes ransomware, although later analysis attributes it to a Russian-speaking criminal group; the attackers may also have used exploitation techniques leaked from America's National Security Agency. Ryuk targets organizations with little tolerance for operational disruption and is one of the most lucrative ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturer based in Chicago with about 500 employees. The Ryuk intrusion had frozen all business operations and manufacturing processes. Most of the client's system backups were online when the attack began and were eventually encrypted along with the production data; a backup that is writable from the compromised network is not a recovery asset. The client had been considering paying the ransom (in excess of $200K) and hoping for the best, but ultimately decided to engage Progent.
Progent worked with the customer to rapidly assess and prioritize the essential services that needed to be restored in order to continue business operations:
Within 48 hours, Progent had restored Active Directory to its pre-attack state. Progent then completed reinstallations and disk recovery of the most important systems. The Exchange Server links and configuration data were intact, which simplified the Exchange rebuild. Progent located intact OST files (Microsoft Outlook Offline Data Files) on various desktops and laptops and used them to recover mail messages. A recent offline backup of the customer's financial/MRP software made it possible to bring these vital services back to users. Although a great deal of work remained to recover completely from the Ryuk infection, essential systems were returned to operation quickly:
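Harvesting OST files from endpoints only helps if the copies are actually intact: ransomware that encrypts a file in place overwrites its header, so a file that still carries a ".ost" name may be ciphertext. The script below is an added example (not Progent's tooling and not part of the original case study) that triages candidate Outlook data files by checking for the documented PST/OST header magic "!BDN" and, where the magic is missing, by measuring the entropy of the first 4 KiB to separate encrypted copies from merely damaged ones. The sample directory it builds, the ".locked" extension used for the renamed file, and the 7.0 bits-per-byte entropy threshold are constructed assumptions for the demonstration.

```python
"""Triage candidate Outlook data files (.ost/.pst) gathered from endpoints
after a ransomware incident. Constructed example, not vendor tooling."""
import math
import tempfile
from collections import Counter
from pathlib import Path

PST_MAGIC = b"!BDN"       # dwMagic at offset 0 of every PST/OST file
HEADER_SAMPLE = 4096      # bytes inspected for the entropy estimate
ENCRYPTED_ENTROPY = 7.0   # bits/byte; assumed threshold, real headers are far lower


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> str:
    """Return 'intact', 'encrypted' or 'damaged' for one candidate file."""
    try:
        with path.open("rb") as fh:
            head = fh.read(HEADER_SAMPLE)
    except OSError:
        return "damaged"
    if head.startswith(PST_MAGIC):
        return "intact"
    # No magic: near-uniform bytes indicate ciphertext written over the file;
    # anything else (zeroed, truncated, wrong format) is just damaged.
    return "encrypted" if shannon_entropy(head) >= ENCRYPTED_ENTROPY else "damaged"


def triage(root: Path) -> dict[str, list[str]]:
    """Walk `root` for .ost/.pst files, including ones the ransomware renamed
    by appending its own extension, and bucket them by classification."""
    result: dict[str, list[str]] = {"intact": [], "encrypted": [], "damaged": []}
    for p in root.rglob("*"):
        if p.is_file() and any(s.lower() in (".ost", ".pst") for s in p.suffixes):
            result[classify(p)].append(p.name)
    for bucket in result.values():
        bucket.sort()
    return result


def build_sample(root: Path) -> None:
    """Write constructed sample files: one intact OST, one encrypted-in-place
    and renamed copy, one zero-filled damaged PST, and one unrelated file."""
    (root / "alice").mkdir()
    (root / "bob").mkdir()
    (root / "alice" / "alice.ost").write_bytes(PST_MAGIC + b"\x00" * 4092)
    # Every byte value equally frequent, as in real ciphertext (entropy 8.0).
    ciphertext = bytes(range(256)) * (HEADER_SAMPLE // 256)
    (root / "bob" / "bob.ost.locked").write_bytes(ciphertext)  # hypothetical extension
    (root / "bob" / "archive.pst").write_bytes(b"\x00" * 512)
    (root / "bob" / "notes.txt").write_bytes(b"not a mailbox")


def run_demo() -> dict[str, list[str]]:
    """Build the sample tree in a temp dir and return the triage result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample(root)
        return triage(root)


if __name__ == "__main__":
    for bucket, names in run_demo().items():
        print(f"{bucket:10s} {names}")
```

Point `triage()` at a share where the harvested OST/PST files have been copied; only the "intact" bucket is worth importing into a rebuilt mailbox, and the "encrypted" bucket is a quick indicator of which endpoints the ransomware reached.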
Over the next few weeks critical milestones in the restoration process were achieved through close cooperation between Progent team members and the client:
Conclusion
A probable business-killing disaster was averted through top-tier professionals, a broad range of technical expertise, and close collaboration. The post-incident review showed that this attack could have been detected and stopped with modern security technology, ISO/IEC 27001 best practices, staff training, well-designed incident response procedures for protecting information, and timely security patching. Even so, state-sponsored and criminal attackers from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do fall victim to ransomware, you can be confident that Progent's roster of professionals has a proven track record in ransomware defense, remediation, and information systems recovery.
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Expertise in Raleigh
For ransomware cleanup consulting services in the Raleigh metro area, call Progent at