Crypto-Ransomware: Your Worst IT Catastrophe
Ransomware has become a modern cyber pandemic that presents an enterprise-level danger for businesses of all sizes vulnerable to an attack. Different iterations of crypto-ransomware such as CrySIS, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been around for many years and continue to cause destruction. Modern variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, as well as additional as yet unnamed viruses, not only encrypt on-line data but also infect any reachable system restores and backups. Files replicated to off-site disaster recovery sites can also be encrypted. In a poorly architected environment, this can make automated restore operations hopeless and effectively sets the entire system back to zero.
Restoring applications and information after a ransomware attack becomes a sprint against the clock as the targeted organization struggles to contain and clean up the crypto-ransomware and to restore business-critical activity. Because ransomware requires time to replicate, attacks are often launched on weekends and holidays, when successful attacks tend to take longer to detect. This compounds the difficulty of quickly assembling and orchestrating a knowledgeable mitigation team.
Progent has an assortment of services for securing Madison organizations from ransomware events. Among these are user training to recognize and avoid phishing attempts, and ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR) using SentinelOne's behavior-based cyberthreat protection to identify and extinguish zero-day malware assaults. Progent in addition offers the assistance of expert crypto-ransomware recovery engineers with the talent and perseverance to restore a compromised environment as soon as possible.
Progent's Ransomware Restoration Help
Following a crypto-ransomware attack, even paying the ransom demands in Bitcoin cryptocurrency does not guarantee that cyber hackers will return the keys to decipher all your files. Kaspersky determined that 17% of crypto-ransomware victims never restored their files even after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000). This is significantly above the average ransomware demand, which ZDNET determined to be approximately $13,000 for smaller organizations. The fallback is to re-install the mission-critical parts of your Information Technology environment. Absent the availability of essential information backups, this requires a wide complement of IT skills, well-coordinated team management, and the capability to work non-stop until the task is done.
For decades, Progent has offered certified expert Information Technology services for companies throughout the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have attained top industry certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have earned internationally-recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial management and ERP application software. This breadth of experience gives Progent the ability to efficiently identify critical systems, re-organize the surviving parts of your IT system following a crypto-ransomware event, and assemble them into an operational system.
Progent's ransomware group has top-notch project management tools to coordinate the sophisticated restoration process. Progent understands the urgency of working quickly and in unison with a customer's management and Information Technology team members to prioritize tasks and to get essential systems back on-line as fast as humanly possible.
Customer Story: A Successful Crypto-Ransomware Virus Recovery
A small business engaged Progent after their company was attacked by Ryuk ransomware. Ryuk is thought to have been launched by North Korean government-sponsored criminal gangs, suspected of using algorithms leaked from the United States National Security Agency. Ryuk seeks specific businesses with little or no ability to sustain disruption and is among the most profitable iterations of crypto-ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in the Chicago metro area with around 500 employees. The Ryuk penetration had shut down all essential operations and manufacturing capabilities. Most of the client's backups had been directly accessible on-line at the start of the attack and were eventually encrypted. The client was evaluating paying the ransom demand (in excess of $200,000) and hoping for the best, but ultimately brought in Progent.
Progent worked together with the customer to quickly determine and prioritize the mission critical areas that had to be recovered in order to restart business functions:
Within two days, Progent was able to restore Active Directory services to their pre-attack state. Progent then assisted with reinstallations and hard drive recovery on essential applications. All Microsoft Exchange Server data and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was able to collect intact OST files (Outlook Offline Folder Files) on staff workstations and laptops to recover email messages. A reasonably recent offline backup of the customer's manufacturing systems made it possible to return these vital services to users. Although a large amount of work remained to recover completely from the Ryuk damage, essential services were restored quickly:
Over the following couple of weeks, key milestones in the restoration process were reached through tight collaboration between Progent team members and the customer:
Conclusion
A likely business catastrophe was dodged by hard-working professionals, a wide array of subject matter expertise, and close teamwork. Although in hindsight the ransomware incident detailed here would have been stopped with modern cyber security systems and security best practices, user training, and well-designed incident response procedures for information backup and applying software patches, the fact is that government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do fall victim to a ransomware incursion, remember that Progent's roster of professionals has a proven track record in crypto-ransomware virus defense, cleanup, and file restoration.
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this customer case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Expertise in Madison
For ransomware cleanup consulting in the Madison metro area, call Progent at