Crypto-Ransomware: Your Worst IT Nightmare
Ransomware has become an all-too-frequent cyberplague that poses an extinction-level danger for businesses unprepared for an attack. Older families such as CrySIS, CryptoWall, Locky, Syskey and MongoLock have been circulating for years and still cause damage. Newer strains such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Snatch and Nefilim, plus unnamed variants, not only encrypt on-line critical data but also encrypt every backup they can reach. Data synced to the cloud is also at risk, because the sync client dutifully replaces good copies with encrypted ones. Where the backup system is reachable from the compromised network, restore becomes impossible and the organization is effectively knocked back to zero.
Bringing applications and data back on-line after a ransomware outage is a race against the clock: the targeted organization must contain and clean up the ransomware while restoring mission-critical operations. Because the attacker needs time to move laterally and encrypt everything of value, attacks are often triggered on weekends and holidays, when the intrusion takes longer to notice. This compounds the difficulty of promptly assembling and coordinating an experienced response team.
Progent offers a range of services to protect Austin organizations against ransomware. These include staff training to recognize and avoid phishing attempts, and ProSight Active Security Monitoring, an endpoint detection and response (EDR) service built on SentinelOne's behavior-based threat protection to identify and contain zero-day malware. Progent also provides experienced ransomware recovery consultants with the skills and commitment to bring a breached system back into service as quickly as possible.
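The behavior that EDR tooling keys on, and the reason weekend timing matters, is the encryption burst itself: one host renaming many files to a single new extension in a short window. The following Python is an added example written for this page, not Progent's code and not SentinelOne's detection logic. It runs a simple sliding-window rule over constructed file-activity log lines in an assumed one-event-per-line format, flags the burst, and labels it off-hours so an alert landing at 02:00 on a Saturday is not buried with ordinary weekday noise. The thresholds, extension list and log format are all assumptions for the example.

```python
"""Toy detection rule for ransomware-style mass encryption bursts.

Added example, not code from Progent or SentinelOne. It scans file-activity
events in an assumed format:
    <ISO timestamp> <host> RENAME <old path> -> <new path>
and alerts when one host renames many files to a single unfamiliar
extension inside a sliding window. Bursts outside business hours are
labelled, since attackers time encryption for weekends and holidays.
"""
from collections import Counter, deque
from datetime import datetime

WINDOW_SECONDS = 60        # sliding window per host (assumption, tune per site)
RENAME_THRESHOLD = 20      # renames to one new extension within the window (assumption)
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "jpg", "bak", "tmp"}


def is_off_hours(ts):
    """Weekend, or outside 07:00-19:00 on a weekday (assumed business hours)."""
    return ts.weekday() >= 5 or ts.hour < 7 or ts.hour >= 19


def parse_event(line):
    """Parse one RENAME line into (timestamp, host, old_path, new_path).
    Other event types and malformed lines return None."""
    parts = line.strip().split(maxsplit=3)
    if len(parts) < 4 or parts[2] != "RENAME":
        return None
    old_path, sep, new_path = parts[3].partition(" -> ")
    if not sep:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], old_path, new_path


def extension(path):
    """Lower-cased final extension of a path, or '' when there is none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_encryption_bursts(lines):
    """Return one alert per host whose renames to a single unfamiliar
    extension reach RENAME_THRESHOLD inside WINDOW_SECONDS."""
    recent = {}      # host -> deque of (timestamp, new extension) inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, host, old_path, new_path = ev
        new_ext = extension(new_path)
        # Ordinary renames keep a familiar extension; encryption appends a new one.
        if new_ext in KNOWN_EXTENSIONS or new_ext == extension(old_path):
            continue
        window = recent.setdefault(host, deque())
        window.append((ts, new_ext))
        while (ts - window[0][0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        ext, count = Counter(e for _, e in window).most_common(1)[0]
        if count >= RENAME_THRESHOLD and host not in alerted:
            alerted.add(host)
            alerts.append({
                "host": host,
                "extension": ext,
                "count": count,
                "window_start": window[0][0].isoformat(),
                "off_hours": is_off_hours(window[0][0]),
            })
    return alerts


def sample_log():
    """Constructed file-activity log for this example, not real telemetry.
    host01 does ordinary weekday work; host02 renames 25 documents to .RYK
    (the extension Ryuk appends) at 02:00 on Saturday 2023-03-04."""
    lines = [
        "2023-03-01T10:15:00 host01 RENAME /share/q1.docx -> /share/q1-final.docx",
        "2023-03-01T10:15:04 host01 RENAME /share/draft.txt -> /share/draft.pdf",
        "2023-03-01T10:16:00 host01 CREATE /share/new.xlsx",
    ]
    for i in range(25):
        lines.append(
            f"2023-03-04T02:00:{i:02d} host02 RENAME /share/doc{i}.docx -> /share/doc{i}.docx.RYK"
        )
    return lines


if __name__ == "__main__":
    for alert in detect_encryption_bursts(sample_log()):
        print(alert)
```

The rule fires on host02 at the twentieth rename, nineteen seconds into the burst, and marks it off-hours; host01's rename to a known extension and its same-extension rename are ignored. In production the same shape of rule would run on the EDR agent or SIEM rather than a log file, and the response to a fired alert is isolation of the host, not just a ticket, because every minute of continued lateral movement reaches more backup targets.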
Progent's Ransomware Restoration Support Services
After a crypto-ransomware event, paying the ransom in cryptocurrency does not guarantee that the criminals will hand over the keys to decrypt any or all of your data. Kaspersky estimated that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The ransom itself is costly: Ryuk demands commonly range from 15 to 40 BTC (roughly $120,000 to $400,000), well above the typical crypto-ransomware demand, which ZDNet put at around $13,000 for small businesses. The alternative is to piece the key elements of your IT environment back together. Without usable backups, this requires a broad range of IT skills, well-coordinated team management, and the ability to work around the clock until the job is done.
For twenty years, Progent has provided certified expert IT services to businesses across the United States and holds Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants with advanced certifications in key technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cyber security experts hold internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of experience allows Progent to identify the important systems, salvage the remaining pieces of your IT environment after a ransomware breach, and reassemble them into a working system.
Progent's recovery group uses best-of-breed project management tools to orchestrate the complex restoration process. Progent understands the urgency of acting quickly and in concert with a client's management and IT staff to prioritize tasks and bring the most important applications back online as fast as possible.
Client Case Study: A Successful Ransomware Intrusion Response
A client engaged Progent after being attacked by Ryuk ransomware. Early reports tied Ryuk to North Korean state-sponsored hackers because it shares code with the Hermes ransomware, and suspected the use of tooling leaked from the US NSA; later research attributed Ryuk to a Russian-speaking criminal group. Ryuk targets specific businesses with little or no tolerance for operational disruption and is one of the most lucrative ransomware families. Publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturer in the Chicago metro area with about 500 employees. The Ryuk incident had shut down all essential business and manufacturing processes. Most of the client's backups were directly accessible over the network when the attack began and were eventually encrypted. The client was preparing to pay the ransom (more than $200,000) and hope for the best, but in the end engaged Progent instead.
Progent worked with the client to quickly assess and prioritize the key areas that had to be restored to resume business operations:
Within 48 hours, Progent had rebuilt Active Directory to its pre-attack state. Progent then moved on to rebuilding mission-critical servers and recovering their hard drives. All Exchange Server links and attributes were intact, which greatly simplified restoring Exchange. Progent was able to harvest intact OST files (Outlook offline data files) from user desktops and laptops to recover mail messages. A recent offline backup of the company's accounting systems made it possible to bring those essential applications back into service. Although much work remained to recover fully from Ryuk, critical systems were returned to operation quickly:
Over the next couple of weeks, the major milestones of the restoration project were completed in close collaboration between Progent's team and the customer:
Conclusion
A potential business disaster was averted by hard-working experts, a broad array of IT skills, and close teamwork. In hindsight, the incident described here should have been stopped by modern security systems and ISO/IEC 27001 best practices, user and IT administrator training, incident response procedures for data protection, and timely security patching; but the fact is that state-sponsored and criminal attackers from China, Russia, North Korea and elsewhere are relentless and are not going away. If you are hit by a ransomware intrusion, Progent's team of professionals has a proven track record in crypto-ransomware blocking, removal, and information systems recovery.
Download the Crypto-Ransomware Removal Case Study Datasheet
A PDF version of this customer case study is available: Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware Cleanup Consulting Services in Austin
For ransomware recovery consulting services in the Austin area, call Progent at