Crypto-Ransomware : Your Crippling Information Technology Disaster
Crypto-ransomware has become an escalating cyberplague that poses an enterprise-level danger for businesses of all sizes that are poorly prepared for an attack. Ransomware families such as CrySIS, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been in the wild for a long time and continue to cause harm. Newer crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, along with as yet unnamed newcomers, not only encrypts online critical data but also corrupts many configured system protection mechanisms such as backups and snapshots. Data synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly designed data protection solution, this can make any restoration impossible and effectively knocks the datacenter back to zero.
Recovering applications and information after a crypto-ransomware intrusion becomes a race against time as the targeted business fights to stop lateral movement, clear the crypto-ransomware, and resume enterprise-critical operations. Because ransomware needs time to spread, attacks are frequently launched at night and on weekends, when a successful intrusion tends to take longer to discover. This compounds the difficulty of quickly marshalling and organizing a qualified response team.
Progent provides an assortment of solutions for securing The Woodlands organizations from ransomware penetrations. These include staff education to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of next-generation security solutions with artificial intelligence technology to intelligently discover and disable zero-day cyber attacks. Progent in addition provides the assistance of expert ransomware recovery professionals with the talent and commitment to restore a breached network as rapidly as possible.
Progent's Crypto-Ransomware Recovery Support Services
After a ransomware event, paying the ransom in cryptocurrency does not ensure that the criminal gang will hand over the keys needed to decrypt all your files. Kaspersky estimated that 17% of ransomware victims never recovered their data after sending the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far above the typical ransomware demand, which ZDNET determined to be in the range of $13,000 for smaller businesses. The fallback is to rebuild the critical elements of your IT environment. Absent usable backups of essential data, this calls for a broad complement of skill sets, top-notch project management, and the ability to work continuously until the recovery project is finished.
For two decades, Progent has made available professional IT services for businesses throughout the US and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have earned top industry certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have garnered internationally-recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience with accounting and ERP software solutions. This breadth of expertise provides Progent the ability to efficiently determine critical systems and integrate the remaining components of your computer network system after a crypto-ransomware event and rebuild them into an operational system.
Progent's ransomware team has powerful project management applications to orchestrate the complicated recovery process. Progent appreciates the importance of working swiftly and in unison with a customer’s management and IT staff to prioritize tasks and to put critical services back online as soon as possible.
Business Case Study: A Successful Ransomware Intrusion Restoration
A business sought out Progent after their network was brought down by Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean government-sponsored cybercriminals, possibly adopting techniques leaked from America's National Security Agency. Ryuk targets specific companies with little or no ability to sustain disruption and is among the most lucrative variants of crypto-ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company located in Chicago with around 500 employees. The Ryuk attack had frozen all essential operations and manufacturing capabilities. Most of the client's backups had been online at the start of the intrusion and were destroyed. The client was taking steps to pay the ransom (in excess of $200,000) and hoping for good luck, but in the end reached out to Progent.
Progent worked together with the client to quickly get our arms around and assign priority to the most important services that had to be restored to make it possible to restart company functions:
In less than two days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then began installation and disk recovery for critical applications. All Exchange Server data and attributes were usable, which greatly helped the rebuild of Exchange. Progent was also able to gather intact OST files (Outlook Offline Data Files) from various PCs to recover mail messages. A recent offline backup of the client's accounting software made it possible to bring these required applications back online. Although a lot of work remained to recover completely from the Ryuk attack, critical systems were returned to operation quickly:
During the next couple of weeks important milestones in the restoration project were accomplished through tight cooperation between Progent team members and the customer:
Conclusion
A potential business disaster was averted through the efforts of dedicated professionals, a broad spectrum of IT skills, and close teamwork. In hindsight, the ransomware intrusion described here would have been prevented by current cybersecurity systems and recognized best practices: staff training, properly executed procedures for data protection (including offline backups), and timely software patching. The reality, however, is that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by a crypto-ransomware incident, be assured that Progent's roster of experts has a proven track record in ransomware defense, removal, and data recovery.
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Consulting in The Woodlands
For ransomware recovery expertise in the The Woodlands metro area, phone Progent at