Crypto-Ransomware: Your Crippling IT Disaster
Ransomware has become an escalating cyber plague that represents an existential danger for organizations unprepared for an attack. Multiple generations of ransomware such as the Reveton, Fusob, Locky, SamSam and MongoLock cryptoworms have been around for a long time and still inflict damage. More recent strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nephilim, as well as newer strains that have yet to be named, not only encrypt online files but also seek out and destroy every reachable system restore point and backup. Information replicated to cloud environments can also be rendered useless. In a poorly architected system, this can make any recovery impossible and effectively sets the network back to square one.
Getting online services and data back after a ransomware intrusion becomes a race against the clock as the targeted organization fights to stop lateral movement, clean up the malware, and resume business-critical activity. Because ransomware needs time to move laterally, attacks are frequently launched at night, when they typically take longer to notice. This multiplies the difficulty of quickly mobilizing and orchestrating a knowledgeable mitigation team.
Progent offers a range of services for protecting Alexandria enterprises from ransomware events. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security solutions with machine learning technology to quickly discover and contain new cyber attacks. Progent can also provide the services of experienced ransomware recovery engineers with the skills and perseverance to rebuild a compromised network as soon as possible.
Progent's Ransomware Recovery Help
After a ransomware penetration, paying the ransom in cryptocurrency provides no assurance that the attackers will return the keys needed to decrypt any or all of your data. Kaspersky estimated that seventeen percent of crypto-ransomware victims never restored their data even after paying the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly above the average crypto-ransomware demand, which ZDNET determined to be around $13,000 for small organizations. The other path is to rebuild the critical components of your IT environment from scratch. Without full system backups, this calls for a broad complement of skill sets, top-notch team management, and the capability to work continuously until the task is complete.
For two decades, Progent has offered expert IT services for companies across the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have earned advanced certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have earned internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise with financial management and ERP software solutions. This breadth of experience gives Progent the ability to rapidly identify critical systems, reassemble the surviving pieces of your network following a crypto-ransomware attack, and configure them into a functioning system.
Progent's team of ransomware experts uses state-of-the-art project management tools to coordinate the complex restoration process. Progent appreciates the urgency of working swiftly and in unison with a client's management and IT staff to prioritize tasks and to put critical systems back online as soon as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Penetration Recovery
A business contacted Progent after their network was attacked by Ryuk crypto-ransomware. Ryuk is generally considered to have been launched by North Korean state-sponsored hackers, suspected of adopting code leaked from the US National Security Agency (NSA). Ryuk targets specific businesses with little or no tolerance for disruption and is one of the most lucrative incarnations of crypto-ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing business located in Chicago with about 500 workers. The Ryuk penetration had shut down all essential operations and manufacturing processes. Most of the client's backups had been online at the start of the intrusion and were destroyed. The client was actively seeking loans to pay the ransom demand (more than $200K) and hoping for the best, but in the end brought in Progent.
Progent worked hand in hand with the customer to rapidly assess and prioritize the critical systems that had to be restored to make it possible to resume departmental functions:
In less than 48 hours, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then completed rebuilding and hard drive recovery on critical applications. All Exchange Server data and configuration information were intact, which accelerated the restoration of Exchange. Progent was also able to locate unencrypted OST files (Microsoft Outlook Offline Folder Files) on user workstations to recover mail data. A reasonably recent offline backup of the customer's accounting/ERP software made it possible to bring these essential services back online for users. Although a large amount of work remained to recover completely from the Ryuk event, core systems were restored rapidly:
Over the next few weeks, key milestones in the restoration process were reached in close cooperation between Progent consultants and the customer:
Conclusion
A likely enterprise-killing disaster was averted by results-oriented professionals, a wide range of knowledge, and tight teamwork. Although in retrospect the ransomware attack described here would have been prevented with current cyber security technology solutions and best practices, user training, and appropriate procedures for information backup and patch management, the reality remains that government-sponsored hackers from Russia, North Korea and elsewhere are relentless and will continue their attacks. If you are hit by a ransomware incident, you can be confident that Progent's team of experts has extensive experience in ransomware defense, remediation, and data recovery.
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Consulting in Alexandria
For ransomware system recovery expertise in the Alexandria area, call Progent at