Crypto-Ransomware : Your Worst Information Technology Disaster
Crypto-Ransomware has become a too-frequent cyber pandemic that presents an extinction-level danger for businesses of all sizes unprepared for an assault. Versions of crypto-ransomware such as Dharma, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been out in the wild for a long time and continue to cause damage. Newer strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, along with daily unnamed viruses, not only perform encryption of online data but also infiltrate many available system backups. Data replicated to off-premises disaster recovery sites can also be encrypted. In a poorly architected system, this can render automated restoration hopeless and effectively sets the network back to square one.
Getting back applications and data following a crypto-ransomware event becomes a sprint against the clock as the targeted organization fights to contain, clear the virus, and restore enterprise-critical activity. Because ransomware takes time to replicate throughout a targeted network, assaults are often launched during nights and weekends, when attacks may take more time to identify. This compounds the difficulty of promptly assembling and coordinating an experienced mitigation team.
Progent offers a variety of services for securing enterprises from crypto-ransomware attacks. Among these are staff education to help recognize and avoid phishing attempts, and ProSight Active Security Monitoring, an endpoint detection and response service that uses SentinelOne's behavior-based threat defense to discover and disable zero-day malware attacks. Progent also offers the services of experienced ransomware recovery engineers with the skills and commitment to restore a breached environment as quickly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware event, paying the ransom demand in cryptocurrency does not provide any assurance that merciless criminals will return the keys to decrypt all your data. Kaspersky determined that seventeen percent of crypto-ransomware victims never restored their information after having sent off the ransom, resulting in more losses. The gamble is also costly. Ryuk ransoms are commonly a few hundred thousand dollars. For larger enterprises, the ransom can reach millions. The fallback is to set up the vital components of your Information Technology environment from scratch. Absent access to complete data backups, this requires a broad complement of skill sets, well-coordinated project management, and the willingness to work continuously until the recovery project is complete.
For decades, Progent has offered professional IT services for businesses across the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have attained top industry certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have garnered internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, GIAC, and CMMC 2.0. (Refer to Progent's certifications). Progent also has expertise in financial systems and ERP application software. This breadth of experience affords Progent the capability to efficiently determine critical systems and organize the remaining components of your network system after a ransomware event and configure them into a functioning system.
Progent's recovery group utilizes powerful project management tools to coordinate the complicated restoration process. Progent understands the urgency of acting quickly and in concert with a customer's management and Information Technology resources to assign priority to tasks and to put key applications back online as soon as possible.
Client Story: A Successful Ransomware Penetration Restoration
A customer sought out Progent after their company was attacked by the Ryuk ransomware. Ryuk is thought to have been created by North Korean state criminal gangs, possibly using approaches exposed from the United States NSA organization. Ryuk attacks specific organizations with little or no room for operational disruption and is among the most lucrative versions of ransomware viruses. Headline organizations include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing business based in Chicago with about 500 workers. The Ryuk intrusion had brought down all essential operations and manufacturing processes. The majority of the client's information backups had been directly accessible at the time of the intrusion and were destroyed. The client was evaluating paying the ransom (exceeding $200,000) and praying for the best, but ultimately made the decision to use Progent.
Progent worked hand in hand with the customer to quickly assess and prioritize the most important applications that had to be addressed to make it possible to restart departmental operations:
In less than 48 hours, Progent was able to rebuild Active Directory to its pre-virus state. Progent then completed rebuilding and storage recovery on critical systems. All Exchange Server data and attributes were usable, which facilitated the rebuild of Exchange. Progent was able to locate intact OST files (Outlook Offline Data Files) on team workstations and laptops in order to recover email data. A relatively recent offline backup of the client's accounting software made it possible to bring these essential services back online. Although major work remained to recover fully from the Ryuk virus, critical systems were returned to operation rapidly:
Over the next couple of weeks key milestones in the restoration process were achieved in close cooperation between Progent team members and the client:
Conclusion
A possible company-ending catastrophe was avoided through the efforts of top-tier professionals, a wide array of technical expertise, and close collaboration. Post-incident analysis showed that the crypto-ransomware attack described here would have been identified and blocked with up-to-date security solutions and NIST Cybersecurity Framework best practices, user and IT administrator education, properly executed incident response procedures for information protection, and proper patching controls. Nonetheless, the fact remains that state-sponsored cybercriminals from Russia, China and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware penetration, remember that Progent's roster of experts has a proven track record in crypto-ransomware virus defense, remediation, and data recovery.
Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Crypto-Ransomware Recovery Expertise
For 24/7 crypto-ransomware recovery help, contact Progent at