Ransomware: Your Crippling Information Technology Nightmare
Ransomware has become an all-too-frequent cyberplague that represents an extinction-level threat for organizations vulnerable to an assault. Multiple generations of ransomware, including Reveton, WannaCry, Bad Rabbit, NotPetya and MongoLock, have been circulating for many years and continue to inflict damage. Modern variants such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Egregor, plus a steady stream of newcomers, not only encrypt online critical data but also seek out and destroy any backups reachable from the compromised network. Information synchronized to off-premises disaster recovery sites can also be ransomed, because replication faithfully copies the encrypted files over the good ones. In a vulnerable environment this renders automated restoration hopeless and effectively knocks the datacenter back to zero.
Getting services and information back online after a crypto-ransomware attack is a race against time as the targeted organization fights to stop the spread, remove the ransomware, and restore business-critical activity. Because ransomware needs time to propagate across a network, attacks are frequently launched at night or over weekends, when they take longer to be noticed. This compounds the difficulty of quickly mobilizing and coordinating a qualified response team.
Progent provides a variety of support services for protecting Arlington organizations from crypto-ransomware attacks. These include user training to help staff recognize and avoid phishing exploits, and ProSight Active Security Monitoring (ASM), an endpoint detection and response (EDR) service that uses SentinelOne's behavior-based threat defense to detect and contain zero-day malware. Progent also provides experienced ransomware recovery professionals with the skill and perseverance to rebuild a breached environment as rapidly as possible.
Progent's Crypto-Ransomware Restoration Support Services
After a crypto-ransomware penetration, even paying the ransom in cryptocurrency does not ensure that the remote criminals will hand over the keys needed to decrypt all your files. Kaspersky found that seventeen percent of crypto-ransomware victims never recovered their files even after paying, resulting in additional losses. The ransom itself is also expensive: Ryuk demands are commonly a few hundred thousand dollars, and for larger enterprises can reach millions. The alternative is to piece the vital parts of your IT environment back together. Without full information backups, this requires a broad complement of IT skills, top-notch project management, and the capability to work around the clock until the job is done.
For decades, Progent has offered certified expert Information Technology services for businesses throughout the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold top certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts hold internationally-recognized industry certifications including CISM, CISSP-ISSAP, CRISC, GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has experience with accounting and ERP application software. This breadth of expertise allows Progent to quickly understand the important systems, salvage the surviving components of your IT environment after a crypto-ransomware attack, and rebuild them into a functioning whole.
Progent's recovery team uses state-of-the-art project management tools to coordinate the complex recovery process. Progent understands the importance of acting quickly and in concert with a customer's management and IT staff to prioritize tasks and get essential systems back online as soon as possible.
Case Study: A Successful Crypto-Ransomware Virus Restoration
A client escalated to Progent after their company was penetrated by Ryuk ransomware. Ryuk was at first attributed to North Korean state-sponsored actors because its code overlaps with the earlier Hermes ransomware, but it is now generally attributed to the Russian-speaking criminal group tracked as Wizard Spider, which typically gains initial access through TrickBot or Emotet infections before deploying Ryuk by hand. Ryuk targets specific organizations with limited ability to sustain disruption and is among the most profitable strains of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturer headquartered in Chicago with about 500 workers. The Ryuk penetration had shut down all business operations and manufacturing processes. Most of the client's backups had been online at the start of the attack and were destroyed along with the production data. The client was preparing to pay the ransom (in excess of $200K) and hope for the best, but in the end decided to engage Progent.
Progent worked with the client to rapidly identify and prioritize the mission-critical applications that had to be recovered before company functions could restart:
Within two days, Progent was able to restore Active Directory to its pre-penetration state. Progent then pressed ahead with the setup and storage recovery of the needed applications. All Exchange Server attributes and links in Active Directory were intact, which simplified the restoration of Exchange. Progent collected intact OST files (Outlook offline folder files) from user PCs in order to recover mailbox data. A reasonably recent offline backup of the client's manufacturing software made it possible to bring these vital programs back to users. Although a large amount of work remained to recover completely from the Ryuk event, essential services were restored rapidly:
Over the following month, key milestones in the restoration process were reached through tight cooperation between Progent team members and the client:
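The step above that salvaged mail from surviving OST files on user PCs is the kind of triage a responder repeats on every workstation: decide which Outlook data files are still usable before the host is reimaged. The script below is an added example written for this page, not Progent's tooling and not taken from the case study. It assumes that an intact OST/PST begins with the 4-byte signature "!BDN", that a Ryuk-style encryptor appends an extension (".RYK" is assumed here) and otherwise leaves the filename alone, and that encrypted content has near-maximal byte entropy while the header of a real OST does not. The sample profile tree it builds is constructed for the demonstration.

```python
"""Triage Outlook data files (.ost/.pst) on a workstation after ransomware.

Added illustration for this page; not Progent's tooling. Assumptions:
  - an intact OST/PST starts with the 4-byte signature b"!BDN";
  - the encryptor appends an extension (".RYK" assumed) to files it hits,
    so "mail.ost.RYK" is a lost copy of "mail.ost";
  - a file encrypted in place (no rename) shows near-maximal entropy.
"""
import math
import tempfile
from pathlib import Path

OUTLOOK_MAGIC = b"!BDN"          # PST/OST header signature
RANSOM_EXTENSIONS = {".ryk"}     # assumed; extend per incident
HEADER_SAMPLE = 4096             # bytes read from the start of each file
ENTROPY_THRESHOLD = 7.5          # bits/byte; random ciphertext is ~8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(path: Path) -> str:
    """Return 'intact', 'encrypted' or 'unknown' for one Outlook file."""
    if path.suffix.lower() in RANSOM_EXTENSIONS:
        return "encrypted"                     # renamed by the encryptor
    with path.open("rb") as fh:
        head = fh.read(HEADER_SAMPLE)
    if head.startswith(OUTLOOK_MAGIC):
        return "intact"                        # header survived
    # No signature: encrypted in place, or simply not an Outlook file
    return "encrypted" if shannon_entropy(head) > ENTROPY_THRESHOLD else "unknown"


def triage(root: Path) -> dict:
    """Walk `root` and bucket every .ost/.pst (including renamed ones)."""
    results = {"intact": [], "encrypted": [], "unknown": []}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        stem = p.name.lower()
        for ext in RANSOM_EXTENSIONS:         # strip "mail.ost.ryk" -> "mail.ost"
            if stem.endswith(ext):
                stem = stem[: -len(ext)]
        if not stem.endswith((".ost", ".pst")):
            continue
        results[classify(p)].append(str(p.relative_to(root)))
    return results


def build_sample_tree(root: Path) -> None:
    """Constructed sample data, not captured from a real incident."""
    alice = root / "Users" / "alice" / "AppData" / "Local" / "Microsoft" / "Outlook"
    bob = root / "Users" / "bob" / "AppData" / "Local" / "Microsoft" / "Outlook"
    alice.mkdir(parents=True)
    bob.mkdir(parents=True)
    ciphertext = bytes(range(256)) * 16        # deterministic, entropy 8.0
    (alice / "alice@example.com.ost").write_bytes(OUTLOOK_MAGIC + b"\x00" * 4092)
    (alice / "notes.pst").write_bytes(b"not really an outlook file\n" * 100)
    (bob / "bob@example.com.ost.RYK").write_bytes(ciphertext)   # renamed
    (bob / "archive.pst").write_bytes(ciphertext)               # hit in place
    (bob / "RyukReadMe.html").write_bytes(b"<html>ransom note</html>")


def demo() -> dict:
    """Build the sample tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for state, files in demo().items():
        print(f"{state:9s} {sorted(files)}")
```

Point triage() at C:\Users on each isolated workstation and copy only the files it reports as intact to clean storage before the host is reimaged; the "unknown" bucket is worth a manual look, since a file with no signature and low entropy may be a partially written OST rather than a ransomed one.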
Conclusion
A possible company-ending disaster was averted through hard-working experts, a wide spectrum of subject-matter expertise, and close teamwork. Although in hindsight the attack described here could have been prevented with modern cyber security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user training, proper patching controls, and appropriate incident response procedures including offline data protection, the fact remains that criminal and state-sponsored cyber gangs, whether operating from Russia, North Korea, China or elsewhere, are relentless and will keep attacking. If you do fall victim to a ransomware penetration, remember that Progent's roster of professionals has extensive experience in ransomware defense, remediation, and data recovery.
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Consulting in Arlington
For ransomware system restoration services in the Arlington metro area, phone Progent at