Crypto-Ransomware: Your Crippling IT Disaster
Ransomware has become a too-frequent cyber pandemic that poses an enterprise-level threat to businesses poorly prepared for an attack. Versions of crypto-ransomware such as the CryptoLocker, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for many years and still inflict destruction. More recent ransomware variants like Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Nefilim, along with daily unnamed viruses, not only encrypt online data files but also target whatever system protection mechanisms are configured, such as backups and snapshots. Information replicated to the cloud can also be encrypted. In a vulnerable environment, this can make any recovery impossible and effectively knocks the datacenter back to zero.
Bringing applications and information back online after a crypto-ransomware intrusion becomes a sprint against time as the targeted business tries its best to contain the damage, remove the ransomware, and resume mission-critical operations. Because ransomware needs time to spread across a network, attacks are frequently sprung during weekends and nights, when intrusions often take longer to detect. This compounds the difficulty of quickly marshalling and orchestrating a capable mitigation team.
Progent offers an assortment of services for securing Cheyenne businesses against ransomware events. These include team training to help staff identify and avoid phishing exploits, and ProSight Active Security Monitoring for endpoint detection and response, which uses SentinelOne's behavior-based threat defense to detect and extinguish zero-day malware attacks. Progent also offers the assistance of seasoned ransomware recovery engineers with the skills and perseverance to reconstruct a breached environment as urgently as possible.
Progent's Ransomware Restoration Support Services
Following a crypto-ransomware attack, even paying the ransom demand in cryptocurrency provides no assurance that the distant criminals will hand over the keys needed to decrypt any or all of your files. Kaspersky ascertained that 17% of ransomware victims never restored their information after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms are commonly a few hundred thousand dollars. For larger organizations, the ransom can be in the millions of dollars. The alternative is to set up the vital components of your Information Technology environment from scratch. Without usable system backups, this requires a broad complement of skill sets, well-coordinated team management, and the willingness to work non-stop until the task is complete.
For two decades, Progent has provided professional IT services for businesses across the United States and has earned Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have attained top industry certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have earned internationally recognized certifications including CISM, CISSP, CRISC, SANS GIAC, and CMMC 2.0. (Refer to Progent's certifications.) Progent also has experience with financial management and ERP application software. This breadth of experience gives Progent the capability to efficiently identify important systems, integrate the surviving parts of your network after a ransomware penetration, and configure them into a functioning system.
Progent's security group uses best-of-breed project management systems to orchestrate the sophisticated recovery process. Progent knows the importance of working rapidly and in unison with a customer's management and IT resources to prioritize tasks and to get key services back online as fast as possible.
Business Case Study: A Successful Ransomware Virus Restoration
A business escalated to Progent after its network was taken over by the Ryuk ransomware virus. Ryuk is thought to have been created by North Korean state hackers, possibly using algorithms exposed from the United States National Security Agency. Ryuk seeks out specific businesses with little room for operational disruption and is among the most lucrative instances of ransomware malware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business located in the Chicago metro area with about 500 workers. The Ryuk penetration had frozen all essential operations and manufacturing processes. The majority of the client's backups had been online at the start of the attack and were eventually encrypted. The client was evaluating paying the ransom demand (exceeding two hundred thousand dollars) and hoping for good luck, but ultimately decided to use Progent.
Progent worked together with the client to rapidly assess and prioritize the most important areas that had to be recovered in order to keep the business functioning:
Within two days, Progent was able to rebuild Active Directory services to their pre-virus state. Progent then helped perform reinstallations and hard drive recovery on key applications. All Exchange ties and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was also able to assemble non-encrypted OST data files (Outlook Offline Data Files) from staff workstations and laptops to recover email data. A recent offline backup of the business's accounting systems made it possible to bring these required applications back online. Although significant work remained to recover fully from the Ryuk damage, critical systems were recovered quickly:
During the following few weeks, key milestones in the restoration process were achieved in tight cooperation between Progent consultants and the client:
Conclusion
A likely business-killing catastrophe was averted by dedicated experts, a wide array of IT skills, and tight collaboration. In hindsight, the ransomware incident described here should have been identified and blocked with modern security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, and properly executed security procedures for data backup and software patching. The reality, however, is that government-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by a ransomware incident, remember that Progent's roster of professionals has proven experience in crypto-ransomware virus blocking, mitigation, and file restoration.
Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Services in Cheyenne
For ransomware system recovery services in the Cheyenne area, phone Progent at