Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become an escalating cyber pandemic that presents an existential threat to any organization vulnerable to an attack. Older ransomware families such as CryptoLocker, Fusob, Locky, NotPetya and the MongoLock cryptoworms have been around for years and continue to cause harm. Modern strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Egregor, along with many unnamed variants, not only encrypt online files but also disable whatever system protections they can reach. Files replicated to the cloud can be ransomed as well. In a poorly designed environment this can render automated restoration hopeless and effectively set the entire system back to zero.
Restoring services and data after a crypto-ransomware outage becomes a race against time as the targeted organization fights to stop lateral movement, remove the ransomware, and bring business-critical activity back. Because ransomware needs time to move laterally, attacks are usually launched on weekends, when intrusions are likely to take longer to discover. This compounds the difficulty of rapidly marshalling and coordinating a capable mitigation team.
Progent offers a range of services for protecting Albany enterprises against crypto-ransomware incidents. These include staff education to help employees recognize and avoid phishing attempts, and ProSight Active Security Monitoring (ASM), an endpoint detection and response service built on SentinelOne's behavior-based threat defense to identify and contain zero-day modern malware attacks. Progent can also provide veteran ransomware recovery consultants with the skills and perseverance to restore a compromised network as quickly as possible.
Progent's Crypto-Ransomware Restoration Help
After a ransomware event, even paying the ransom in cryptocurrency does not guarantee that the remote criminals will supply the keys needed to decrypt all your files. Kaspersky found that 17% of crypto-ransomware victims never recovered their files after sending the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is far higher than typical crypto-ransomware demands, which ZDNET put at around $13,000 for small organizations. The alternative is to rebuild the key components of your Information Technology environment from scratch. Without complete data backups, this requires a broad range of skills, well-coordinated team management, and the ability to work 24x7 until the job is done.
For decades, Progent has provided certified expert IT services to companies across the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers with high-level certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security consultants hold internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of experience allows Progent to understand the systems that matter, identify the surviving parts of your Information Technology environment after a ransomware intrusion, and assemble them into an operational network.
Progent's security group uses powerful project management applications to coordinate the complex recovery process. Progent understands the urgency of working rapidly and in unison with a customer's management and IT staff to prioritize tasks and get critical services back online as fast as possible.
Client Case Study: A Successful Ransomware Incident Restoration
A business engaged Progent after its organization was penetrated by the Ryuk crypto-ransomware. Ryuk is generally considered to have been launched by North Korean government-sponsored hackers, who are suspected of adopting techniques leaked from America's NSA. Ryuk targets specific businesses that have little tolerance for disruption and is among the most profitable ransomware operations. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in Chicago with around 500 employees. The Ryuk intrusion had shut down all company operations and manufacturing capabilities. Most of the client's data backups had been online at the start of the attack and were destroyed. The client was arranging financing to pay the ransom (more than $200,000) and hoping for good luck, but in the end reached out to Progent.
Progent worked with the client to quickly assess and prioritize the mission-critical areas that had to be addressed before business operations could restart:
In less than 48 hours, Progent was able to restore Active Directory to its pre-attack state. Progent then completed configuration and storage recovery of the required servers. All Microsoft Exchange Server data and configuration information were intact, which accelerated the restoration of Exchange. Progent was able to collect unencrypted OST files (Microsoft Outlook Offline Data Files) from various workstations and laptops in order to recover mail data. A relatively recent offline backup of the business's financial/ERP systems allowed these essential services to be restored to users. Although significant work remained to recover completely from the Ryuk attack, critical services were returned to operation rapidly:
Over the following few weeks, important milestones in the recovery process were reached through close cooperation between Progent team members and the customer:
Conclusion
A potentially business-killing catastrophe was averted by hard-working professionals, a broad spectrum of subject matter expertise, and close teamwork. In retrospect, the ransomware attack described here would have been stopped by modern cyber security technology, NIST Cybersecurity Framework best practices, user training, and well thought out procedures for data protection and software patching. The reality, however, is that government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and will keep trying. If you do fall victim to ransomware, remember that Progent's roster of professionals has substantial experience in crypto-ransomware prevention, removal, and data recovery.
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Expertise in Albany
For ransomware cleanup consulting in the Albany area, phone Progent at