Ransomware: Your Worst IT Disaster
Ransomware has become an escalating cyber plague that presents an enterprise-level threat to businesses poorly prepared for an attack. Multiple generations of ransomware such as the Dharma, Fusob, Locky, Syskey and MongoLock cryptoworms have been circulating for years and still cause damage. More recent ransomware families such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nefilim, plus as yet unnamed newcomers appearing daily, not only encrypt online data but also seek out and corrupt configured system restore points and backups. Information synchronized to off-premises disaster recovery sites can also be encrypted. In a poorly architected environment, this can render any restore operation impossible and effectively knocks the datacenter back to square one.
Getting services and data back online after a ransomware event becomes a sprint against the clock as the victim fights to contain the damage, remove the ransomware, and restore mission-critical operations. Because crypto-ransomware needs time to move laterally through a targeted network, attacks are frequently launched during nights and weekends, when a successful intrusion may take longer to notice. This multiplies the difficulty of rapidly mobilizing and organizing a capable mitigation team.
Progent provides a range of support services for securing Albany enterprises against ransomware attacks. These include staff training to help identify and avoid phishing scams, and ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR), which uses SentinelOne's behavior-based threat protection to detect and disable zero-day malware attacks. Progent can also provide the services of expert ransomware recovery engineers with the skills and commitment to rebuild a compromised network as quickly as possible.
Progent's Ransomware Restoration Support Services
Following a ransomware event, even paying the ransom in cryptocurrency does not guarantee that the criminals will respond with the keys needed to decrypt any or all of your files. Kaspersky Labs found that seventeen percent of crypto-ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms are often several hundred thousand dollars, and for larger enterprises the demand can run into the millions. The alternative is to rebuild the essential parts of your IT environment. Without access to usable system backups, this requires a wide complement of skill sets, top-notch project management, and the ability to work 24x7 until the task is complete.
For twenty years, Progent has offered certified expert information technology services to companies throughout the United States and has achieved Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who hold top industry certifications in leading technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security experts hold internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, SANS GIAC, and CMMC 2.0 (refer to Progent's certifications). Progent also has experience with accounting and ERP software solutions. This breadth of experience gives Progent the skills to identify critical systems, salvage the surviving pieces of your network after a ransomware attack, and assemble them into a working environment.
Progent's security team uses state-of-the-art project management tools to coordinate the complex restoration process. Progent appreciates the importance of working swiftly and in concert with a client's management and IT staff to prioritize tasks and bring essential applications back online as quickly as possible.
Business Case Study: A Successful Ransomware Virus Response
A business hired Progent after its network was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state-sponsored criminal gangs, suspected of adopting technology leaked from the United States National Security Agency. Ryuk goes after specific organizations with little or no ability to sustain disruption and is among the most profitable examples of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing company in the Chicago metro area with about 500 staff members. The Ryuk event had shut down all company operations and manufacturing capabilities. Most of the client's data backups had been directly reachable from the network when the intrusion began and were destroyed. The client was preparing to pay the ransom demand (exceeding $200K) and hope for the best, but ultimately engaged Progent instead.
Progent worked with the customer to quickly determine and prioritize the most important applications that needed to be restored to make it possible to resume business operations:
In less than 48 hours, Progent was able to restore Active Directory to its pre-attack state. Progent then pressed ahead with rebuilding critical applications and recovering data from hard drives. All Microsoft Exchange Server schema and configuration information was intact, which greatly simplified the restoration of Exchange. Progent was able to collect local OST files (Microsoft Outlook Offline Folder Files) from various workstations and laptops to recover mail data. A recent offline backup of the customer's accounting systems made it possible to bring these essential applications back online for users. Although significant work remained to recover fully from the Ryuk attack, essential services were returned to operation rapidly:
During the following weeks, key milestones in the recovery process were accomplished in close collaboration between Progent engineers and the customer:
Conclusion
A potential business extinction catastrophe was averted through dedicated professionals, a wide array of technical expertise, and tight teamwork. Post-incident forensics showed that the ransomware attack described here should have been identified and blocked by up-to-date security systems and ISO/IEC 27001 best practices, user and IT administrator training, and properly executed incident response procedures for data protection and patching controls. Nevertheless, the reality remains that state-sponsored hackers from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you are hit by a ransomware incursion, remember that Progent's roster of experts has extensive experience in ransomware defense, removal, and data disaster recovery.
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB)
Contact Progent for Ransomware Recovery Consulting Services in Albany
For ransomware system restoration consulting services in the Albany metro area, phone Progent at