Crypto-Ransomware : Your Feared IT Nightmare
Ransomware has become an all-too-frequent cyber pandemic that poses an existential danger to organizations unprepared for an attack. Earlier generations of crypto-ransomware and cryptoworms such as Reveton, Fusob, Bad Rabbit, SamSam and MongoLock have been circulating for years and still cause damage. Modern strains such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Nephilim, along with a steady stream of unnamed newcomers, not only encrypt critical online data but also infiltrate many of the system backups that organizations have configured. Data synchronized to cloud environments can also be ransomed. In a vulnerable environment, this can render any restore operation impossible and effectively set the network back to square one.
Bringing applications and information back online after a crypto-ransomware outage becomes a sprint against time as the targeted business struggles to stop lateral movement, clear the ransomware, and resume enterprise-critical activity. Because crypto-ransomware takes time to spread across a targeted network, attacks are frequently sprung during nights and weekends, when successful attacks often take longer to recognize. This compounds the difficulty of rapidly mobilizing and orchestrating a capable response team.
Progent offers a range of services for protecting Durham organizations from ransomware penetrations. Among these are staff training to help employees identify and avoid falling victim to phishing scams, and ProSight Active Security Monitoring, an endpoint detection and response service that uses SentinelOne's behavior-based threat defense to identify and suppress zero-day modern malware attacks. Progent can also provide expert ransomware recovery consultants with the skills and commitment to rebuild a compromised system as quickly as possible.
Progent's Ransomware Restoration Services
After a ransomware attack, paying the ransom in cryptocurrency provides no assurance that the criminal gang will respond with the keys needed to decrypt any of your data. Kaspersky Labs determined that 17% of ransomware victims never restored their information after having paid the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms are typically several hundred thousand dollars. For larger enterprises, the ransom demand can run into the millions of dollars. The other path is to piece back together the vital parts of your Information Technology environment. Without access to complete system backups, this requires a broad range of skill sets, well-coordinated team management, and the capability to work continuously until the task is done.
For twenty years, Progent has offered expert Information Technology services to businesses throughout the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have attained high-level industry certifications in key technologies from Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have earned internationally recognized certifications including CISA, CISSP, CRISC, GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has expertise with financial systems and ERP application software. This breadth of experience allows Progent to rapidly identify critical systems after a ransomware penetration, organize the surviving components of your network, and configure them into a functioning environment.
Progent's security team uses state-of-the-art project management applications to orchestrate the complex restoration process. Progent understands the urgency of working rapidly and in unison with a client's management and IT staff to prioritize tasks and to bring the most important applications back online as soon as possible.
Case Study: A Successful Ransomware Virus Restoration
A client contacted Progent after their network was attacked by Ryuk crypto-ransomware. Ryuk is believed to have been launched by North Korean state hackers, suspected of using techniques leaked from the U.S. NSA. Ryuk targets specific businesses with limited ability to sustain disruption and is one of the most lucrative incarnations of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing business located in the Chicago metro area with about 500 staff members. The Ryuk penetration had paralyzed all business operations and manufacturing processes. Most of the client's backups had been directly accessible from the network at the time of the attack and were encrypted along with the production data. The client was preparing to pay the ransom (more than $200,000) and hoping for the best, but ultimately engaged Progent.
Progent worked hand in hand with the customer to quickly understand and prioritize the key areas that had to be recovered in order to resume business functions:
In less than two days, Progent was able to restore Active Directory to its pre-attack state. Progent then helped perform reinstallations and storage recovery of critical systems. All Microsoft Exchange Server data and configuration information were usable, which greatly simplified the restoration of Exchange. Progent was also able to collect unencrypted OST files (Outlook Offline Data Files) from staff desktop computers in order to recover email messages. A relatively recent offline backup of the business's accounting systems made it possible to bring these essential services back to users. Although major work still had to be done to recover completely from the Ryuk damage, critical systems were restored rapidly:
During the following month, key milestones in the recovery process were accomplished through close cooperation between Progent engineers and the client:
Conclusion
A potentially enterprise-killing catastrophe was averted by hard-working professionals, a wide spectrum of IT skills, and tight teamwork. In hindsight, the ransomware penetration described here could have been identified and prevented with current security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user education, appropriate incident response procedures, protected backups, and proper patching controls. The reality, however, is that government-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a crypto-ransomware attack, you can be confident that Progent's team of professionals has substantial experience in crypto-ransomware defense, mitigation, and data restoration.
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click: Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware Cleanup Consulting Services in Durham
For ransomware recovery services in the Durham metro area, call Progent at