Crypto-Ransomware: Your Worst Information Technology Disaster
Ransomware has become an escalating cyberplague that presents an extinction-level threat for organizations vulnerable to attack. Older families such as CrySIS, CryptoWall, Locky, SamSam and MongoLock have been in the wild for years and still inflict damage. Modern crypto-ransomware strains such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, Conti and Egregor, along with many less publicized variants, not only encrypt online data but also seek out and disable any protection they can reach: volume shadow copies, backup catalogs, and backup shares that are accessible from the compromised network. Data replicated to the cloud can be ransomed as well, because replication faithfully copies the encrypted files over the good ones. With a poorly designed data protection solution this can make recovery hopeless and effectively knocks the entire environment back to square one.
Getting applications and data back online after a ransomware intrusion becomes a race against the clock as the victim tries to contain the damage, eradicate the ransomware, and resume business-critical operations. Because ransomware takes time to spread throughout a network, attacks are often launched on weekends and at night, when they typically take longer to detect. This compounds the difficulty of promptly mobilizing and organizing a qualified response team.
Progent provides a range of services for protecting London enterprises from crypto-ransomware events. These include staff training to recognize and not fall victim to phishing lures, and ProSight Active Security Monitoring (ASM), an endpoint detection and response service built on SentinelOne's AI-based behavioral threat protection, to identify and contain zero-day malware attacks. Progent can also provide expert ransomware recovery consultants with the track record and commitment to rebuild a breached network as quickly as possible.
Progent's Ransomware Recovery Help
After a ransomware event, even paying the ransom in cryptocurrency does not guarantee that the criminals will supply working keys to decrypt all your files. Kaspersky Labs determined that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The ransom itself is costly: Ryuk demands are often several hundred thousand dollars, and for larger organizations they can run into the millions. The fallback is to rebuild the critical elements of your IT environment from scratch. Without access to complete, uncompromised backups, this requires a wide complement of IT skills, well-coordinated project management, and the willingness to work 24x7 until the job is done.
For twenty years, Progent has provided certified expert IT services to companies across the US and has earned Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who hold advanced certifications in leading technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security consultants hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, GIAC, and CMMC 2.0. (See Progent's certifications.) Progent also has experience with accounting and ERP software. This breadth of experience allows Progent to quickly understand the critical systems, salvage the surviving parts of your network after a crypto-ransomware attack, and assemble them back into a functioning environment.
Progent's ransomware team uses modern project management tools to orchestrate the complex restoration process. Progent understands the urgency of working quickly and in unison with a customer's management and IT staff to prioritize tasks and bring critical systems back online as soon as humanly possible.
Client Case Study: A Successful Ransomware Incident Recovery
A customer engaged Progent after their network was taken over by Ryuk ransomware. Ryuk was initially attributed to North Korean state actors because it shares code with the earlier Hermes ransomware, although later analysis attributed its operation to Russian-speaking criminal groups. Ryuk targets specific businesses with little tolerance for disruption and is among the most profitable ransomware families. Widely publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in the Chicago metro area with around 500 employees. The Ryuk intrusion had brought down all essential business and manufacturing processes. Most of the client's backups were directly reachable from the compromised network at the start of the intrusion and were encrypted along with the production data. The client was arranging financing to pay the ransom (more than $200K) and hoping for the best, but in the end engaged Progent.
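The decisive failure in this case, backups that were reachable and writable from the compromised network, can be caught before an incident rather than discovered during one. The following Python script is an added example, not Progent's tooling and not part of the case study: it records a SHA-256 manifest when a backup set is written and later audits the tree against an offline copy of that manifest, flagging files that are missing, modified, unexpected, carry a ransomware extension, or have ciphertext-like entropy. The directory layout, file names, ransom-note name and the extension list are assumptions constructed for the example; the simulated encryption stands in for what happened to the client's online backups.

```python
"""Audit a backup tree against a hash manifest to spot ransomware tampering.

Added example, not Progent's tooling. The directory layout, file contents
and ransom-note name below are constructed for the demo.
"""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

MANIFEST_NAME = "backup-manifest.json"
# Illustrative list (assumption): extensions appended by ransomware families.
# Ryuk appended .RYK; extend this from your own threat intelligence.
RANSOM_SUFFIXES = {".ryk", ".locked", ".encrypted", ".crypt"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits close to 8.0
SAMPLE_BYTES = 65536     # only the head of each file is sampled for entropy


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plain text is roughly 4-5, encrypted data 7.9+."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def iter_backup_files(root: Path):
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            yield p


def write_manifest(root: Path) -> dict:
    """Record relative path -> SHA-256 at backup time.

    Keep a copy of the returned dict somewhere the backup host cannot write
    (offline media, an immutable bucket); a manifest left only on the share
    gets encrypted together with the data it is meant to protect."""
    manifest = {p.relative_to(root).as_posix(): sha256_of(p) for p in iter_backup_files(root)}
    (root / MANIFEST_NAME).write_text(json.dumps(manifest, indent=1))
    return manifest


def audit_backup(root: Path, trusted_manifest: dict) -> dict:
    """Compare the tree on disk to the offline manifest copy."""
    findings = {"missing": [], "modified": [], "unexpected": [],
                "ransom_suffix": [], "high_entropy": []}
    seen = set()
    for p in iter_backup_files(root):
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in trusted_manifest:
            findings["unexpected"].append(rel)
        elif sha256_of(p) != trusted_manifest[rel]:
            findings["modified"].append(rel)
        if p.suffix.lower() in RANSOM_SUFFIXES:
            findings["ransom_suffix"].append(rel)
        with p.open("rb") as f:
            if shannon_entropy(f.read(SAMPLE_BYTES)) > ENTROPY_THRESHOLD:
                findings["high_entropy"].append(rel)
    findings["missing"] = sorted(set(trusted_manifest) - seen)
    return findings


def build_sample_backup(root: Path) -> dict:
    """Constructed sample: a few low-entropy business files plus their manifest."""
    (root / "finance").mkdir(parents=True)
    (root / "finance" / "payroll.csv").write_text("employee,amount\n" + "jdoe,4200\n" * 200)
    (root / "finance" / "ledger.txt").write_text("2020-01-01 invoice 1001 paid\n" * 300)
    (root / "ad-sysvol.bak").write_bytes(b"GPO backup placeholder\n" * 100)
    return write_manifest(root)


def simulate_ransomware(root: Path) -> None:
    """Mimic an encryptor that reached the share: payroll.csv is overwritten
    with random bytes (standing in for ciphertext), renamed with a .RYK
    extension, and a ransom note is dropped at the root."""
    target = root / "finance" / "payroll.csv"
    target.write_bytes(os.urandom(target.stat().st_size))
    target.rename(target.with_name(target.name + ".RYK"))
    (root / "RyukReadMe.txt").write_text("Your files are encrypted.\n")


def demo() -> dict:
    """Build the sample, 'encrypt' part of it, audit against the offline manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        trusted = build_sample_backup(root)  # this dict is our offline copy
        simulate_ransomware(root)
        return audit_backup(root, trusted)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:14s} {paths}")
```

Run it as a scheduled job against each backup target from a host that holds the manifest copy but has no write access to the share; any non-empty finding other than planned rotation is a reason to isolate the backup target and start incident response. The entropy test catches encryptors that keep the original file name, while the manifest comparison catches ones that rename files or drop notes.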
Progent worked with the customer to rapidly assess and prioritize the most important elements that had to be recovered in order to restart company operations:
Within two days, Progent rebuilt Active Directory services to their pre-intrusion state. Progent then carried out reinstallations and disk recovery of mission-critical applications. The Exchange Server schema and configuration data in Active Directory were intact, which greatly simplified the Exchange rebuild. Progent was also able to locate local OST files (Outlook Offline Data Files) on various PCs and laptops and recover email from them. A recent offline backup of the customer's manufacturing systems made it possible to return these essential applications to users. Although much work remained to recover completely from the Ryuk attack, critical systems were restored quickly:
During the following weeks, important milestones in the recovery project were completed in close cooperation between Progent team members and the client:
Conclusion
A potential business catastrophe was averted by hard-working professionals, a broad range of subject matter expertise, and close collaboration. Post-incident forensics showed that the crypto-ransomware attack described here could have been blocked by modern security tooling and NIST Cybersecurity Framework best practices, staff training, and well thought out procedures for data backup and software patching. The reality, however, is that attackers, whether state-sponsored groups from China, North Korea and elsewhere or financially motivated criminal gangs, are relentless and are not going away. If you are hit by a ransomware intrusion, you can be confident that Progent's team of professionals has a proven track record in crypto-ransomware blocking, removal, and data disaster recovery.
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Consulting in London
For ransomware recovery expertise in the London metro area, call Progent at