Ransomware: Your Worst Information Technology Disaster
Ransomware has become a modern cyber pandemic that poses an extinction-level threat to organizations poorly prepared for an assault. Multiple generations of ransomware such as the Dharma, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been in the wild for years and still cause harm. Newer ransomware families like Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nephilim, plus daily as-yet-unnamed variants, not only encrypt online data but also seek out and destroy any system backups they can reach. Files synchronized to off-site disaster recovery sites can be ransomed as well. In a poorly architected environment, this can make recovery impossible and effectively sets the datacenter back to zero.
Restoring online services and data after a ransomware attack becomes a race against the clock as the targeted business tries to stop the spread, remove the ransomware, and resume business-critical activity. Because ransomware takes time to move laterally, attacks are often launched on weekends, when they typically take longer to uncover. This multiplies the difficulty of quickly mobilizing and coordinating a qualified response team.
Progent provides a range of services for protecting Albany enterprises from ransomware events. These include team education to help staff recognize and avoid phishing scams, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which uses SentinelOne's AI-based threat defense to detect and contain zero-day malware attacks. Progent can also provide expert ransomware recovery professionals with the skill and perseverance to redeploy a breached system as quickly as possible.
Progent's Ransomware Recovery Support Services
After a crypto-ransomware event, paying the ransom in cryptocurrency does not guarantee that the remote criminals will return the keys needed to decrypt all your files. Kaspersky estimated that seventeen percent of ransomware victims never restored their data even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the typical ransomware demand, which ZDNET determined to be in the range of $13,000 for smaller businesses. The other path is to rebuild the mission-critical elements of your IT environment. Without usable system backups, this requires a broad range of skill sets, professional project management, and the ability to work continuously until the job is done.
For decades, Progent has delivered certified expert Information Technology services to businesses throughout the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who hold advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience with accounting and ERP application software. This breadth of expertise gives Progent the ability to quickly understand critical systems, consolidate the surviving parts of your IT environment after a ransomware event, and assemble them into an operational system.
Progent's security group uses state-of-the-art project management applications to coordinate the sophisticated restoration process. Progent knows the urgency of acting rapidly and in concert with a client's management and IT resources to prioritize tasks and to get essential services back on-line as fast as possible.
Customer Story: A Successful Crypto-Ransomware Attack Response
A client engaged Progent after their company was attacked by the Ryuk ransomware. Ryuk is believed to have been launched by North Korean government-sponsored hackers, possibly adopting techniques leaked from the U.S. National Security Agency. Ryuk targets specific organizations with little ability to sustain operational disruption and is one of the most lucrative incarnations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer based in Chicago with about 500 staff members. The Ryuk penetration had brought down all business operations and manufacturing capabilities. The majority of the client's system backups had been directly accessible at the start of the attack and were destroyed. The client considered paying the ransom (exceeding two hundred thousand dollars) and hoping for the best, but in the end called Progent.
Progent worked with the customer to rapidly understand and assign priority to the essential areas that had to be addressed to make it possible to resume business functions:
In less than two days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then performed reinstallations and storage recovery on mission-critical servers. All Exchange data and configuration information were intact, which accelerated the rebuild of Exchange. Progent was able to locate intact OST files (Outlook Offline Folder Files) on user PCs to recover email messages. A recent offline backup of the customer's manufacturing systems made it possible to bring these essential applications back to users. Although a great deal of work remained to recover fully from the Ryuk event, essential systems were restored rapidly:
During the following couple of weeks, key milestones in the restoration project were achieved through tight cooperation between Progent consultants and the customer:
Conclusion
A potential business disaster was averted with dedicated experts, a broad spectrum of knowledge, and tight collaboration. Although post-incident analysis showed that the ransomware attack described here would have been blocked by current security technology, NIST Cybersecurity Framework best practices, team training, and appropriate incident response procedures for data protection and software patching, the fact remains that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware incident, you can be confident that Progent's team of experts has extensive experience in ransomware prevention, mitigation, and information systems disaster recovery.
Download the Crypto-Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Consulting in Albany
For ransomware recovery expertise in the Albany area, call Progent at