Crypto-Ransomware: Your Crippling Information Technology Catastrophe
Ransomware has become an escalating cyberplague that presents an existential danger to any organization vulnerable to an attack. Ransomware families like Dharma, Fusob, Locky, Syskey and MongoLock have been running rampant for years and continue to cause destruction. More recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, along with as yet unnamed newcomers, not only encrypt critical online data but also target all configured system backups. Data synchronized to off-premises disaster recovery sites can be encrypted as well. In a vulnerable environment, this can render any restore operation useless and effectively knocks the datacenter back to square one.
Restoring applications and data after a ransomware outage becomes a race against the clock as the targeted business struggles to stop lateral movement, clean up the malware, and restore business-critical activity. Because ransomware needs time to move laterally across a targeted network, attacks are usually sprung at night or on weekends, when intrusions may take longer to detect. This multiplies the difficulty of quickly marshalling and coordinating a capable response team.
Progent offers an assortment of support services for protecting Des Moines organizations from ransomware attacks. These include staff training to recognize and avoid phishing scams, and ProSight Active Security Monitoring (ASM), an endpoint detection and response (EDR) service that uses SentinelOne's behavior-based threat defense to detect and disable zero-day malware attacks. Progent also provides seasoned ransomware recovery engineers with the track record and commitment to reconstruct a compromised system as quickly as possible.
Progent's Crypto-Ransomware Recovery Support Services
Paying the ransom in cryptocurrency after a ransomware event does not guarantee that the criminals will hand over the keys to decrypt any or all of your files. Kaspersky found that seventeen percent of ransomware victims never recovered their files even after paying the ransom, resulting in additional losses. The ransom itself is also expensive. Ryuk ransoms are commonly a few hundred thousand dollars, and for larger enterprises the demand can reach millions of dollars. The alternative is to reinstall the critical components of your IT environment. Without full data backups, this calls for a wide complement of IT skills, well-coordinated team management, and the ability to work 24x7 until the job is complete.
For two decades, Progent has offered expert IT services to companies throughout the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who hold advanced certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, GIAC, and CMMC 2.0. (See Progent's certifications.) Progent also has expertise in financial systems and ERP software solutions. This breadth of expertise allows Progent to quickly identify critical systems, salvage the surviving parts of your network environment after a ransomware penetration, and assemble them into a functioning system.
Progent's ransomware team uses top-notch project management systems to orchestrate the complex restoration process. Progent understands the urgency of acting quickly and in unison with a client's management and IT staff to prioritize tasks and get essential systems back online as fast as humanly possible.
Customer Case Study: A Successful Crypto-Ransomware Penetration Recovery
A business escalated to Progent after it was penetrated by the Ryuk crypto-ransomware. Ryuk is believed to have been deployed by North Korean state-sponsored hackers, possibly using techniques leaked from the U.S. National Security Agency (NSA). Ryuk targets specific businesses with little or no tolerance for operational disruption and is among the most profitable ransomware variants. High-profile victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing company headquartered in the Chicago metro area with around 500 employees. The Ryuk penetration had disabled all essential business and manufacturing operations. Most of the client's backups had been online at the time of the intrusion and were destroyed. The client considered paying the ransom (exceeding $200K) and hoping for the best, but in the end called Progent.
Progent worked with the client to quickly identify and prioritize the essential applications that had to be recovered so that business operations could resume:
In less than 2 days, Progent rebuilt Active Directory to its pre-attack state. Progent then assisted with rebuilding critical applications and recovering data from hard drives. All Exchange data and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to locate local OST files (Outlook Offline Data Files) on various desktop computers to recover email data. A recent offline backup of the customer's financial and MRP systems made it possible to restore these essential applications to service. Although major work remained to recover completely from the Ryuk event, essential services were restored rapidly:
Over the following couple of weeks, key milestones in the restoration process were completed in close collaboration between Progent engineers and the customer:
Conclusion
A potentially business-ending disaster was averted through hard-working professionals, a broad spectrum of technical expertise, and close teamwork. Although, in hindsight, the ransomware attack described here would have been blocked by up-to-date cybersecurity solutions and best practices, staff training, and well-designed procedures for data backup and security patching, the fact is that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you are hit by a ransomware attack, remember that Progent's roster of professionals has substantial experience in ransomware defense, mitigation, and information systems restoration.
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Expertise in Des Moines
For ransomware cleanup consulting in the Des Moines metro area, call Progent at