Crypto-Ransomware: Your Worst Information Technology Disaster
Crypto-Ransomware has become an escalating cyber pandemic that poses an existential danger to organizations poorly prepared for an attack. Multiple generations of ransomware, such as the Reveton, CryptoWall, Locky, NotPetya and MongoLock cryptoworms, have been running rampant for a long time and still cause harm. Newer crypto-ransomware families like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Egregor, plus new as-yet-unnamed variants appearing daily, not only encrypt online critical data but also infect every reachable system backup. Files synced to off-site disaster recovery sites can be ransomed as well. In a poorly architected data protection solution, this can make automated recovery impossible and effectively knocks the datacenter back to square one.
Retrieving applications and data after a ransomware intrusion becomes a race against the clock as the victim tries its best to contain the damage, clear the ransomware, and restore business-critical operations. Since ransomware requires time to spread, attacks are usually sprung on weekends and holidays, when penetrations are likely to take longer to notice. This compounds the difficulty of promptly marshalling and organizing a qualified response team.
Progent provides a range of support services for protecting Edison enterprises from crypto-ransomware penetrations. These include staff education to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of next-generation security appliances with AI capabilities that rapidly discover and disable zero-day cyber attacks. Progent also offers the assistance of seasoned crypto-ransomware recovery professionals with the talent and perseverance to rebuild a compromised system as urgently as possible.
Progent's Ransomware Recovery Services
Soon after a crypto-ransomware attack, even paying the ransom demand in cryptocurrency provides no assurance that the criminal gang will hand over the keys to decrypt any of your data. Kaspersky Labs ascertained that seventeen percent of ransomware victims never restored their files after having sent off the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET estimated to be in the range of $13,000 for smaller organizations. The fallback is to set up the key components of your IT environment from scratch. Without access to essential data backups, this calls for a wide range of skill sets, top-notch team management, and the capability to work non-stop until the task is completed.
For two decades, Progent has offered certified expert Information Technology services to companies throughout the US and has achieved Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have earned high-level industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise with financial systems and ERP software solutions. This breadth of experience allows Progent to rapidly understand the necessary systems, re-organize the remaining pieces of your Information Technology system following a ransomware attack, and rebuild them into an operational network.
Progent's recovery team utilizes state-of-the-art project management tools to orchestrate the complex recovery process. Progent understands the importance of acting quickly and in concert with a client's management and Information Technology team members to assign priority to tasks and to get essential systems back on line as soon as humanly possible.
Client Case Study: A Successful Ransomware Penetration Restoration
A small business engaged Progent after the company was penetrated by the Ryuk ransomware. Ryuk is believed to have been launched by North Korean state cybercriminals, suspected of adopting algorithms leaked from the U.S. NSA. Ryuk goes after specific businesses with little room for disruption and is among the most lucrative examples of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing company headquartered in the Chicago metro area with around 500 staff members. The Ryuk event had shut down all company operations and manufacturing capabilities. Most of the client's data backups had been directly accessible at the start of the intrusion and were eventually encrypted. The client was actively seeking loans to pay the ransom demand (in excess of $200,000) and hoping for the best, but ultimately decided to engage Progent.
Progent worked with the customer to rapidly determine and assign priority to the key services that had to be restored to make it possible to resume company operations:
In less than two days, Progent was able to restore Active Directory services to their pre-penetration state. Progent then charged ahead with rebuilding and hard-drive recovery of the most important servers. All Exchange schema and configuration information was usable, which facilitated the restoration of Exchange. Progent was also able to locate intact OST files (Outlook Offline Folder Files) on staff desktop computers and laptops and use them to recover email data. A recent offline backup of the client's accounting/ERP systems made it possible to bring these vital services back online. Although a lot of work remained to recover completely from the Ryuk attack, core services were recovered rapidly:
Over the following few weeks, critical milestones in the restoration project were reached in close collaboration between Progent engineers and the customer:
Conclusion
A potential business catastrophe was averted thanks to hard-working professionals, a broad array of subject matter expertise, and tight collaboration. Although post-incident forensics showed that the ransomware attack described here should have been identified and prevented with up-to-date cyber security technology, ISO/IEC 27001 best practices, staff training, and appropriate security procedures for information protection and patch management, the fact is that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware attack, remember that Progent's roster of experts has a proven track record in ransomware defense, cleanup, and file restoration.
Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Consulting in Edison
For ransomware cleanup consulting in the Edison metro area, call Progent at