Crypto-Ransomware : Your Feared IT Disaster
Ransomware has become an all-too-frequent cyberplague that poses an enterprise-level danger for any organization vulnerable to attack. Different versions of ransomware such as Reveton, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for a long time and still inflict destruction. More recent strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, plus as yet unnamed newcomers, not only encrypt on-line critical data but also compromise any configured system protection. Information replicated to off-site disaster recovery sites can also be rendered useless. In a poorly architected data protection solution, this can render automatic restore operations useless and effectively knock the entire environment back to zero.
Getting services and information back online following a crypto-ransomware outage becomes a race against time as the targeted business fights to contain and eradicate the ransomware and to resume business-critical activity. Because ransomware needs time to spread, attacks are frequently launched during nights and weekends, when they may take longer to identify. This multiplies the difficulty of quickly mobilizing and orchestrating a knowledgeable mitigation team.
Progent provides a variety of support services for protecting Durham organizations from crypto-ransomware penetrations. These include team member training to recognize and avoid phishing exploits, and ProSight Active Security Monitoring for endpoint detection and response, which uses SentinelOne's AI-based threat defense to discover and disable zero-day malware attacks. Progent can also provide the assistance of expert crypto-ransomware recovery consultants with the track record and commitment to re-deploy a breached environment as quickly as possible.
Progent's Ransomware Recovery Support Services
After a crypto-ransomware penetration, even paying the ransom demand in cryptocurrency does not ensure that merciless criminals will respond with the keys to decrypt any of your data. Kaspersky Labs ascertained that seventeen percent of ransomware victims never recovered their data after sending off the ransom, resulting in further losses. Paying is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000), which is significantly above the usual ransomware demands, which ZDNET determined to be in the range of $13,000 for small organizations. The other path is to re-install the critical elements of your IT environment. Without complete information backups, this calls for a wide complement of IT skills, well-coordinated project management, and the ability to work continuously until the recovery project is completed.
For decades, Progent has provided professional IT services for companies across the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have been awarded advanced industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have garnered internationally renowned industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise with accounting and ERP application software. This breadth of experience gives Progent the skills to rapidly understand important systems, consolidate the remaining components of your network after a crypto-ransomware penetration, and assemble them into an operational system.
Progent's ransomware group uses state-of-the-art project management tools to orchestrate the complicated restoration process. Progent appreciates the importance of working swiftly and together with a customer's management and Information Technology resources to assign priority to tasks and to put key applications back on line as soon as possible.
Client Case Study: A Successful Ransomware Penetration Recovery
A customer contacted Progent after their organization was brought down by the Ryuk ransomware virus. Ryuk is thought to have been launched by North Korean state-sponsored hackers, possibly adopting algorithms leaked from America's NSA. Ryuk seeks out specific organizations with little or no tolerance for operational disruption and is one of the most lucrative ransomware families. Major targets have included Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing business based in Chicago with around 500 employees. The Ryuk event had disabled all company operations and manufacturing processes. The majority of the client's system backups had been on-line at the beginning of the attack and were damaged. The client considered paying the ransom (exceeding $200,000) and hoping for the best, but ultimately called Progent.
Progent worked with the client to quickly understand and prioritize the mission-critical elements that needed to be addressed to make it possible to resume business functions:
Within two days, Progent was able to recover Active Directory to its pre-penetration state. Progent then assisted with rebuilding and hard drive recovery of the needed systems. All Exchange schema and configuration information was usable, which accelerated the restore of Exchange. Progent was also able to find intact OST files (Outlook Offline Data Files) on user workstations and use them to recover mail data. A reasonably recent offline backup of the client's financials/ERP systems made it possible to return these required programs to servicing users. Although a lot of work remained to recover completely from the Ryuk virus, essential systems were returned to operation rapidly:
Over the following month, important milestones in the restoration project were completed through close collaboration between Progent consultants and the client:
Conclusion
A potentially business-killing catastrophe was avoided thanks to dedicated professionals, a broad range of knowledge, and tight teamwork. Although in post mortem the ransomware penetration described here could have been blocked with current cyber security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user training, well thought out incident response procedures for data protection, and keeping systems up to date with security patches, the fact is that government-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and an ongoing threat. If you do fall victim to a ransomware penetration, be confident that Progent's roster of professionals has substantial experience in ransomware virus defense, mitigation, and file restoration.
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Consulting Services in Durham
For ransomware cleanup consulting services in the Durham area, call Progent at