Crypto-Ransomware : Your Feared IT Disaster
Crypto-Ransomware has become an escalating cyber pandemic that poses an enterprise-level danger for businesses unprepared for an assault. Different iterations of ransomware such as Dharma, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been out in the wild for a long time and continue to cause destruction. Newer versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Nephilim, as well as more as yet unnamed newcomers, not only encrypt on-line data but also infect all configured system backup. Files synchronized to cloud environments can also be rendered useless. In a vulnerable data protection solution, this can render automatic restore operations impossible and basically knocks the network back to square one.
Restoring applications and data following a ransomware attack becomes a sprint against time as the targeted organization tries its best to stop lateral movement and clear the ransomware and to resume mission-critical activity. Due to the fact that ransomware needs time to move laterally, penetrations are usually launched at night, when attacks in many cases take longer to recognize. This compounds the difficulty of promptly marshalling and organizing a capable response team.
Progent provides a range of solutions for protecting Raleigh businesses from crypto-ransomware attacks. These include team education to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring for endpoint detection and response (EDR) using SentinelOne's behavior-based threat protection to detect and quarantine day-zero malware assaults. Progent also provides the services of seasoned ransomware recovery engineers with the skills and perseverance to rebuild a compromised system as urgently as possible.
Progent's Ransomware Recovery Services
Soon after a ransomware penetration, even paying the ransom demands in Bitcoin cryptocurrency does not ensure that merciless criminals will respond with the needed keys to decrypt any or all of your data. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never recovered their data after having sent off the ransom, resulting in increased losses. The risk is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is significantly above the usual crypto-ransomware demands, which ZDNET determined to be approximately $13,000 for smaller organizations. The fallback is to piece back together the critical components of your Information Technology environment. Without access to essential information backups, this requires a wide complement of skill sets, professional project management, and the ability to work 24x7 until the recovery project is finished.
For two decades, Progent has provided expert Information Technology services for companies across the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have earned high-level industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise with financial management and ERP software solutions. This breadth of experience provides Progent the skills to efficiently ascertain necessary systems and re-organize the surviving pieces of your Information Technology environment following a crypto-ransomware attack and assemble them into an operational system.
Progent's recovery team has powerful project management applications to coordinate the complicated recovery process. Progent knows the urgency of acting swiftly and together with a customer's management and Information Technology team members to assign priority to tasks and to put key services back on line as soon as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A business sought out Progent after their network system was brought down by Ryuk ransomware virus. Ryuk is thought to have been deployed by North Korean government sponsored hackers, possibly adopting approaches exposed from the U.S. National Security Agency. Ryuk goes after specific companies with little or no room for operational disruption and is one of the most profitable instances of crypto-ransomware. Well Known victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company located in Chicago and has around 500 staff members. The Ryuk intrusion had frozen all company operations and manufacturing processes. Most of the client's information backups had been online at the time of the attack and were encrypted. The client was taking steps for paying the ransom (more than $200,000) and hoping for good luck, but ultimately brought in Progent.
Progent worked hand in hand the client to quickly get our arms around and prioritize the key services that needed to be addressed in order to continue departmental functions:
Within two days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then assisted with setup and storage recovery of critical applications. All Exchange data and attributes were intact, which accelerated the restore of Exchange. Progent was also able to locate intact OST data files (Outlook Email Offline Folder Files) on user desktop computers in order to recover email messages. A not too old off-line backup of the businesses accounting/MRP software made them able to restore these vital applications back available to users. Although a large amount of work remained to recover totally from the Ryuk attack, essential services were restored rapidly:
Over the following few weeks critical milestones in the restoration process were made in tight cooperation between Progent team members and the client:
Conclusion
A possible business-killing catastrophe was averted through the efforts of dedicated professionals, a broad spectrum of subject matter expertise, and tight collaboration. Although in post mortem the ransomware attack detailed here would have been identified and prevented with up-to-date security systems and recognized best practices, user and IT administrator training, and properly executed incident response procedures for information protection and proper patching controls, the reality is that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware incident, remember that Progent's team of experts has a proven track record in crypto-ransomware virus blocking, cleanup, and data disaster recovery.
Download the Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Consulting in Raleigh
For ransomware system recovery services in the Raleigh metro area, phone Progent at