Crypto-Ransomware : Your Crippling Information Technology Nightmare
Crypto-ransomware has become a modern cyber pandemic that poses an existential threat to organizations unprepared for an assault. Different strains of crypto-ransomware such as the Dharma, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been in the wild for years and continue to cause harm. Newer families such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, as well as the unnamed variants that appear daily, not only encrypt critical online data but also corrupt any configured system protection they can reach. Files synced to off-premises disaster recovery sites can also be ransomed. In a poorly designed data protection solution, this can render automated restoration useless and effectively set the network back to square one.
Recovering programs and data after a crypto-ransomware outage becomes a sprint against the clock as the targeted organization struggles to contain the damage, eradicate the ransomware, and restore mission-critical operations. Because ransomware needs time to spread across a network, attacks are frequently launched at night, when a successful penetration typically takes longer to recognize. This multiplies the difficulty of rapidly marshalling and orchestrating an experienced mitigation team.
Progent offers a variety of solutions for protecting Greensboro businesses from crypto-ransomware events. Among these are user training to help staff recognize and avoid phishing scams, and ProSight Active Security Monitoring for endpoint detection and response, which uses SentinelOne's behavior-based cyberthreat protection to detect and suppress zero-day malware attacks. Progent can also provide the services of experienced ransomware recovery engineers with the track record and commitment to re-deploy a compromised system as quickly as possible.
Progent's Ransomware Recovery Services
After a ransomware attack, paying the ransom demand in cryptocurrency provides no assurance that the distant criminals will respond with the keys to decrypt any or all of your files. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their information even after sending the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms are commonly a few hundred thousand dollars; for larger organizations, the ransom can run to millions of dollars. The other path is to set up the essential elements of your IT environment from scratch. Without usable data backups, this requires a wide range of IT skills, top-notch team management, and the ability to work 24x7 until the task is finished.
For twenty years, Progent has provided professional Information Technology services for companies across the U.S. and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who hold high-level certifications in leading technologies from Microsoft, Cisco and VMware, and in popular distributions of Linux. Progent's cyber security engineers have earned internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, SANS GIAC, and CMMC 2.0. (Refer to Progent's certifications.) Progent also has experience with financial management and ERP applications. This breadth of experience gives Progent the capability to rapidly understand the necessary systems, re-organize the remaining pieces of your computer network after a crypto-ransomware event, and assemble them into a functioning system.
Progent's recovery group uses best-of-breed project management tools to coordinate the complicated restoration process. Progent understands the urgency of acting rapidly and of working together with a customer's management and IT team members to prioritize tasks and get key systems back online as fast as humanly possible.
Case Study: A Successful Ransomware Penetration Response
A client escalated to Progent after their organization was taken over by Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state cybercriminals, suspected of adopting approaches leaked from the U.S. NSA. Ryuk goes after specific businesses with little or no tolerance for disruption and is one of the most profitable examples of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing business located in Chicago with about 500 employees. The Ryuk event had brought down all company operations and manufacturing capabilities. Most of the client's backups had been online at the start of the intrusion and were eventually encrypted. The client was considering paying the ransom (more than two hundred thousand dollars) and hoping for the best, but in the end called Progent.
Progent worked together with the client to rapidly identify and prioritize the essential elements that had to be addressed in order to restart business operations:
In less than 2 days, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then completed reinstallation and storage recovery of essential servers. All Exchange schema and configuration information was intact, which facilitated the restoration of Exchange. Progent was also able to find intact OST files (Outlook Off-Line Data Files) on staff workstations and used them to recover mail data. A recent off-line backup of the customer's manufacturing systems made it possible to bring these essential applications back into service. Although a large amount of work remained to recover completely from the Ryuk virus, essential services were restored quickly:
Over the following couple of weeks, important milestones in the recovery process were reached through close cooperation between Progent engineers and the customer:
Conclusion
A potential business-killing disaster was averted with results-oriented experts, a wide range of IT skills, and close teamwork. In hindsight, the crypto-ransomware attack described here would have been stopped by advanced security solutions and recognized best practices, user and IT administrator training, and appropriate security procedures for data backup and software patching; the fact remains, however, that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a crypto-ransomware incursion, you can be confident that Progent's roster of experts has a proven track record in ransomware defense, removal, and file restoration.
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Consulting Services in Greensboro
For ransomware system restoration services in the Greensboro area, call Progent at