Crypto-Ransomware: Your Feared IT Nightmare
Ransomware has become a modern cyberplague that presents an existential threat to businesses unprepared for an attack. Multiple generations of ransomware cryptoworms such as Dharma, CryptoWall, Bad Rabbit, SamSam and MongoLock have been around for many years and still inflict damage. More recent crypto-ransomware strains like Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, along with others not yet named, not only encrypt online information but also defeat most configured system protections. Information synchronized to the cloud can also be corrupted. In a poorly designed system, this can render automated restore operations useless and effectively set the entire system back to zero.
Recovering services and information after a ransomware outage becomes a race against the clock as the victim fights to contain and clear the crypto-ransomware and to resume mission-critical activity. Since crypto-ransomware requires time to spread, attacks are usually launched on weekends and holidays, when intrusions may take longer to identify. This multiplies the difficulty of rapidly assembling and orchestrating an experienced mitigation team.
Progent offers a range of support services for securing Augusta-Richmond County enterprises against ransomware attacks. Among these are team education to help identify and avoid phishing exploits, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which uses SentinelOne's behavior-based threat protection to identify and suppress zero-day malware assaults. Progent can also provide the assistance of seasoned crypto-ransomware recovery professionals with the talent and commitment to reconstruct a breached network as quickly as possible.
Progent's Ransomware Recovery Help
After a ransomware attack, paying the ransom demand in cryptocurrency does not guarantee that the criminal gang will respond with the keys to decrypt all your data. Kaspersky Labs determined that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in further losses. The gamble is also very expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far above the usual ransomware demand, which ZDNET determined to be approximately $13,000 for small businesses. The fallback is to set up the key parts of your IT environment from scratch. Without access to full system backups, this calls for a broad range of skills, top-notch team management, and the willingness to work continuously until the task is complete.
For decades, Progent has provided certified expert IT services for businesses across the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have been awarded advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have earned internationally recognized certifications including CISA, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience in financial systems and ERP applications. This breadth of experience gives Progent the skills to rapidly understand important systems, integrate the surviving components of your network after a crypto-ransomware attack, and configure them into an operational network.
Progent's ransomware group uses top-notch project management systems to coordinate the complicated restoration process. Progent appreciates the importance of acting swiftly and in concert with a client's management and IT team members to prioritize tasks and to put essential applications back online as fast as possible.
Client Case Study: A Successful Crypto-Ransomware Virus Response
A small business hired Progent after their company was penetrated by Ryuk ransomware. Ryuk is thought to have been launched by North Korean state cybercriminals, possibly using technology leaked from the U.S. NSA. Ryuk targets specific businesses with limited room for disruption and is among the most lucrative instances of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing business based in the Chicago metro area with around 500 staff members. The Ryuk penetration had frozen all company operations and manufacturing capabilities. Most of the client's system backups had been online at the time of the attack and were encrypted. The client was considering paying the ransom demand (in excess of $200,000) and hoping for good luck, but in the end brought in Progent.
Progent worked hand in hand with the client to rapidly identify and prioritize the most important elements that had to be recovered in order to continue departmental operations:
In less than 2 days, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then initiated reinstallations and storage recovery on the needed systems. All Exchange connections and attributes were intact, which greatly helped the restore of Exchange. Progent was able to collect local OST files (Outlook Offline Data Files) from various PCs and laptops to recover mail data. A fairly recent offline backup of the business's financials/MRP systems made it possible to bring these required applications back online. Although significant work remained to recover fully from the Ryuk virus, essential services were returned to operation quickly:
Over the following weeks, important milestones in the restoration process were reached in close cooperation between Progent consultants and the customer:
Conclusion
A potential business extinction catastrophe was averted by top-tier professionals, a broad spectrum of subject matter expertise, and close teamwork. In retrospect, the ransomware attack detailed here should have been identified and blocked with up-to-date security technology, NIST Cybersecurity Framework best practices, user education, and appropriate security procedures for data protection and patching controls. The reality remains, however, that government-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware penetration, remember that Progent's roster of professionals has a proven track record in ransomware defense, removal, and data disaster recovery.
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this customer case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Expertise in Augusta-Richmond County
For ransomware system restoration consulting in the Augusta-Richmond County metro area, call Progent at