Crypto-Ransomware: Your Crippling Information Technology Disaster
Ransomware has become a modern cyber pandemic and an enterprise-level threat to any business exposed to attack. Older ransomware families such as Reveton, WannaCry, Bad Rabbit, NotPetya and MongoLock (several of them self-propagating cryptoworms) have been in the wild for years and still cause damage. Newer crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, along with many unnamed strains, not only encrypt online data files but also seek out and encrypt or delete every backup reachable from the compromised network. Data replicated to off-site disaster recovery sites can be corrupted as well, because replication faithfully copies the encrypted files. In a poorly architected environment where no backup copy is kept offline or immutable, this renders automated recovery hopeless and effectively sets the network back to zero.
Restoring applications and data after a ransomware event becomes a race against the clock as the targeted business struggles simultaneously to stop lateral movement, clean up the ransomware and restore business-critical activity. Because ransomware needs time to move laterally, attackers frequently trigger encryption on weekends and holidays, when a successful attack takes longer to notice and when it is hardest to rapidly assemble and coordinate an experienced response team.
Progent offers a range of services for protecting businesses from ransomware attacks. These include staff training to recognize and avoid phishing lures, and ProSight Active Security Monitoring, an endpoint detection and response service built on SentinelOne's AI-based threat defense to detect and contain zero-day malware. Progent also provides veteran crypto-ransomware recovery engineers with the skills and commitment to rebuild a compromised network as quickly as possible.
Progent's Crypto-Ransomware Restoration Support Services
After a ransomware attack, even paying the ransom in cryptocurrency gives no assurance that the criminals will deliver working decryption keys for any of your files. Kaspersky estimated that seventeen percent of ransomware victims who paid never recovered their data, compounding their losses. The ransom itself is also costly. Ryuk demands often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNET put at around $13,000 for smaller businesses. The alternative is to rebuild the critical components of your IT environment from scratch. Without complete system backups, this requires a wide range of skill sets, strong project management, and the capacity to work around the clock until the job is done.
For twenty years, Progent has provided professional IT services to businesses across the US and holds Microsoft Partner certifications in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers with advanced industry certifications in key technologies including Microsoft, Cisco, VMware and popular Linux distributions. Progent's cybersecurity specialists hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC and SANS GIAC (see Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of expertise lets Progent quickly understand critical systems, salvage the surviving components of your network after a ransomware event, and assemble them into a working system.
Progent's security team uses project management tools to orchestrate the complex recovery process, and works quickly and in unison with the client's management and IT staff to prioritize tasks and bring critical services back online as soon as humanly possible.
Client Story: A Successful Crypto-Ransomware Intrusion Response
A customer came to Progent after its network was taken down by Ryuk ransomware. Early reporting linked Ryuk to North Korean state-sponsored actors because of the code it shares with the older Hermes ransomware, but later analysis attributed its operation to Russian-speaking criminal groups. Ryuk targets specific organizations with little or no tolerance for disruption and has been one of the most lucrative ransomware operations. Well known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business based in Chicago with about 500 employees. The Ryuk attack had halted all business operations and manufacturing. Most of the client's backups had been online when the attack began and were destroyed. The client was actively seeking loans to pay the ransom (over two hundred thousand dollars) and hoping for the best, but in the end engaged Progent instead.
Progent worked with the client to quickly understand and prioritize the key services that had to be restored in order to resume departmental operations:
Within 48 hours, Progent had restored Active Directory to its pre-attack state, then moved on to reinstalling operating systems and recovering storage on key servers. All Exchange data and configuration were intact, which accelerated the Exchange rebuild. Progent was also able to collect unencrypted OST files (Outlook offline data files) from staff PCs and laptops to recover mail. A reasonably recent offline backup of the client's manufacturing systems allowed those essential applications to be returned to service. Although a great deal of work remained to recover fully from the Ryuk damage, core systems were restored rapidly:
During the following month, the key milestones of the restoration project were accomplished in close cooperation between Progent engineers and the client:
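The OST collection step described above lends itself to a small triage script. The following is an added example written for this page, not Progent's own tooling: it decides whether a candidate Outlook data file is still usable by checking for the PFF magic bytes "!BDN" that every PST/OST file starts with, and by measuring the Shannon entropy of its leading bytes, since a file encrypted by ransomware loses its magic and its header becomes near-random. The sample files, the 7.5 bits-per-byte entropy threshold and the 4 KB sample size are assumptions chosen for illustration; the substring match on ".ost"/".pst" is there so that files the ransomware renamed by appending its own extension are still examined.

```python
import math
import os
import random
import tempfile
from collections import Counter

# Every Outlook PST/OST file (the PFF format) begins with the 4-byte magic "!BDN".
PFF_MAGIC = b"!BDN"

# Assumptions for this example: a file is judged encrypted when its leading
# bytes look random (entropy near 8 bits/byte) AND the magic is gone.
SAMPLE_SIZE = 4096          # bytes inspected from the start of each file
ENTROPY_THRESHOLD = 7.5     # bits per byte; a plaintext PFF header sits far below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_ost(data: bytes) -> str:
    """Classify the leading bytes of a candidate OST/PST file.

    "intact"    -> PFF magic present and header entropy low: worth collecting
    "encrypted" -> magic gone and content looks random: ransomware-encrypted
    "suspect"   -> mixed signals (e.g. magic kept but body random): inspect by hand
    """
    head = data[:SAMPLE_SIZE]
    has_magic = head[:4] == PFF_MAGIC
    ent = shannon_entropy(head)
    if has_magic and ent < ENTROPY_THRESHOLD:
        return "intact"
    if not has_magic and ent >= ENTROPY_THRESHOLD:
        return "encrypted"
    return "suspect"


def triage_directory(root: str, exts=(".ost", ".pst")) -> dict:
    """Walk a directory tree and classify every file that carries an Outlook
    data extension anywhere in its name (covers names such as mail.ost.XXXX
    produced when ransomware appends its own extension). The verdict is based
    on content, never on the name alone."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not any(ext in name.lower() for ext in exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(SAMPLE_SIZE)   # only the header is needed
            results[os.path.relpath(path, root)] = classify_ost(head)
    return results


def build_samples() -> dict:
    """Constructed sample contents (not real mailboxes) for a stand-alone run."""
    rng = random.Random(20190101)   # fixed seed so results are reproducible
    random_body = bytes(rng.getrandbits(8) for _ in range(8192))
    return {
        # Plausible PFF header: magic followed by mostly-zero header structures.
        "alice.ost": PFF_MAGIC + bytes(8192 - 4),
        # Fully encrypted file as left by ransomware: magic overwritten, body random.
        "bob.ost": random_body,
        # Magic kept but body random: partial in-place encryption; flag for review.
        "carol.pst": PFF_MAGIC + random_body[4:],
    }


def demo() -> dict:
    """Write the constructed samples into a temporary tree and triage them."""
    with tempfile.TemporaryDirectory() as root:
        for name, content in build_samples().items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        return triage_directory(root)


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:10s} {path}")
```

In a real engagement the script would be pointed at mounted user profile directories (or the output of an endpoint file-collection job) rather than a temporary folder, and anything classified "suspect" should be opened with a PST/OST recovery tool before it is trusted.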
Conclusion
A potentially business-killing catastrophe was averted by hard-working experts, a wide range of subject matter expertise, and close teamwork. In retrospect, the crypto-ransomware intrusion described here could have been stopped by modern security tooling and ISO/IEC 27001 best practices, user and IT administrator training, tested incident response procedures, offline or immutable backups, and disciplined patch management. The reality, however, is that well-resourced cybercriminals, including state-sponsored groups from China, Russia, North Korea and elsewhere, are relentless and represent an ongoing threat. If you are hit by ransomware, remember that Progent's team has extensive experience in ransomware defense, remediation and data restoration.
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Repair Expertise
For 24-Hour ransomware removal services, contact Progent at