Crypto-Ransomware: Your Worst Information Technology Disaster
Crypto-ransomware has become a modern cyberplague that poses an extinction-level threat to businesses poorly prepared for an attack. Variants such as CryptoLocker, WannaCry, Locky, NotPetya and MongoLock have been running rampant for years and still cause damage. Newer families such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Egregor, along with a steady stream of not-yet-named variants, not only encrypt online data but also seek out and encrypt or delete any backups reachable from the network. Data replicated to off-site disaster recovery sites can also be rendered useless, because replication faithfully copies the encrypted files. In a poorly architected environment this makes automated recovery impossible and effectively knocks the datacenter back to square one.
Getting applications and data back online after a ransomware attack becomes a race against the clock as the targeted organization tries to stop lateral movement, eradicate the ransomware, and resume business-critical operations. Because the ransomware needs time to spread across the network before it detonates, attackers usually trigger the encryption at night or on weekends, when detection and response are slowest. This compounds the difficulty of quickly assembling and coordinating a capable mitigation team.
Progent offers a range of support services for protecting Grand Rapids businesses from ransomware events. These include staff education to help employees recognize and avoid phishing scams, and ProSight Active Security Monitoring, an endpoint detection and response (EDR) service built on SentinelOne's behavior-based threat defense, which detects and quarantines zero-day malware. Progent can also provide seasoned crypto-ransomware recovery engineers with the track record and commitment to rebuild a breached network as rapidly as possible.
Progent's Ransomware Recovery Support Services
After a crypto-ransomware attack, paying the ransom in Bitcoin does not ensure that the criminals will hand over the keys needed to decrypt your files. Kaspersky Labs estimated that 17% of ransomware victims never recovered their files even after paying the ransom, compounding their losses. Paying is also expensive: Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNET put at approximately $13,000 for small organizations. The other path is to piece the key components of your Information Technology environment back together. Without usable system backups, this requires a wide range of skill sets, top-notch team management, and the ability to work continuously until the job is completed.
For decades, Progent has provided expert Information Technology services to businesses across the U.S. and has achieved Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who hold high-level industry certifications in key technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security specialists have earned internationally recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC (see Progent's certifications). Progent also has expertise in financial systems and ERP software. This breadth of expertise gives Progent the skills to identify the critical systems, salvage the surviving parts of your network after a ransomware attack, and reassemble them into an operational system.
Progent's security group uses proven project management tools to orchestrate the complex recovery process. Progent appreciates the urgency of acting quickly and works alongside the customer's management and IT staff to prioritize tasks and bring key applications back online as soon as possible.
Client Story: A Successful Crypto-Ransomware Virus Restoration
A client contacted Progent after their network was brought down by the Ryuk crypto-ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, although later analysis attributes it to Russian-speaking criminal groups. Ryuk targets specific organizations with limited tolerance for operational disruption and is one of the most profitable iterations of crypto-ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in Chicago with about 500 employees. The Ryuk intrusion had halted all company operations and manufacturing. Most of the client's backups had been online at the time of the intrusion and were encrypted along with the production data. The client considered paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.
Progent worked hand in hand with the customer to rapidly assess and prioritize the key services that had to be restored before departmental functions could restart:
In less than 48 hours, Progent rebuilt Active Directory to its pre-intrusion state. Progent then assisted with rebuilding critical servers and recovering data from their drives. The Exchange Server schema and attributes in Active Directory were intact, which greatly simplified the Exchange rebuild. Progent also located unencrypted OST files (Outlook Offline Folder Files) on staff workstations and laptops and used them to recover email data. A fairly recent offline backup of the customer's manufacturing software made it possible to bring those essential applications back online for users. Although major work remained before the Ryuk event was fully remediated, the most important systems were returned to operation rapidly:
Throughout the following month, important milestones in the restoration project were achieved through close cooperation between Progent team members and the client:
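The OST salvage step above is worth a closer look, because it is the kind of triage any recovery team can run before deciding which mailboxes are recoverable. The script below is an added example and is not Progent's tooling or code from the case study. It assumes the standard Outlook store locations and relies on the documented PST/OST file signature "!BDN" (bytes 21 42 44 4E) at offset 0: a file whose first bytes no longer match that signature has had its header overwritten by encryption and is not worth feeding to an import tool. The search root list, report path and the Test-OstHeader function name are assumptions for this example.

```powershell
# Added example (not Progent's tooling): triage Outlook .ost files on a workstation
# and separate intact caches from ones whose header was overwritten by encryption.
# Assumptions: Outlook 2013+ default store paths; the PST/OST magic "!BDN" at offset 0.
# Ryuk and similar families usually rename what they encrypt (e.g. appending .RYK),
# so the filter is *.ost* rather than *.ost to catch renamed files as well.

param(
    [string[]] $SearchRoots = @("$env:LOCALAPPDATA\Microsoft\Outlook", "C:\Users"),
    [string]   $ReportPath  = "$env:TEMP\ost-triage.csv"
)

$OstMagic = [byte[]](0x21, 0x42, 0x44, 0x4E)   # "!BDN"

function Test-OstHeader {
    param([string] $Path)
    try {
        # FileShare.ReadWrite lets us peek at the header even if Outlook holds the file open.
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try {
            $buf = New-Object byte[] 4
            $n   = $fs.Read($buf, 0, 4)
        } finally { $fs.Dispose() }
        if ($n -lt 4) { return 'TooShort' }
        for ($i = 0; $i -lt 4; $i++) {
            if ($buf[$i] -ne $OstMagic[$i]) { return 'HeaderMismatch' }
        }
        return 'Intact'
    } catch {
        return "Unreadable: $($_.Exception.Message)"
    }
}

$results = foreach ($root in $SearchRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter '*.ost*' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Path      = $_.FullName
                SizeMB    = [math]::Round($_.Length / 1MB, 1)
                LastWrite = $_.LastWriteTime      # newest intact cache per user is the one to keep
                Header    = Test-OstHeader -Path $_.FullName
            }
        }
}

$results | Sort-Object Header, LastWrite -Descending | Format-Table -AutoSize
$results | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Report written to $ReportPath"
```

Run it under an account with read access to each user's profile (or push it out through the management tool of choice) and collect the CSVs centrally, so that the newest intact cache for each mailbox can be picked out before any rebuild of Exchange begins. Two caveats: a header match only proves the file was not overwritten, not that every page inside it is consistent, so the Inbox Repair tool or an import into a fresh profile is still the real test; and an OST is a cache bound to its original mailbox and profile, so getting mail out of it requires either the restored mailbox or an OST-to-PST conversion tool.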
Conclusion
A potential enterprise-killing disaster was avoided through results-oriented experts, a wide range of knowledge, and tight teamwork. In hindsight, the ransomware intrusion described here should have been stopped by current cyber security technology, ISO/IEC 27001 best practices, staff education, and well-designed procedures for backup and patch management. The reality remains, however, that state-sponsored and criminal actors from Russia, China and elsewhere are tireless and an ongoing threat. If you do fall victim to a ransomware intrusion, remember that Progent's team of professionals has extensive experience in ransomware defense, cleanup, and file recovery.
Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Consulting Services in Grand Rapids
For ransomware cleanup consulting in the Grand Rapids area, call Progent at