Ransomware: Your Worst IT Catastrophe
Ransomware has become an escalating cyber pandemic that represents an existential threat for organizations unprepared for an assault. Multiple generations of ransomware like the Dharma, WannaCry, Locky, Syskey and MongoLock cryptoworms have been out in the wild for years and still inflict havoc. Modern strains of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Egregor, along with additional as yet unnamed malware, not only encrypt online files but also attack any system protection mechanisms they can reach, such as online backups and shadow copies. Information synched to off-premises disaster recovery sites can also be encrypted. With a poorly architected data protection solution, this can make any restore operation impossible and effectively sets the network back to square one.
Getting services and data back following a crypto-ransomware event becomes a sprint against the clock as the victim struggles to contain the damage, eradicate the crypto-ransomware, and restore mission-critical operations. Because crypto-ransomware needs time to move laterally throughout a network, assaults are often launched at night, when attacks typically take longer to discover. This compounds the difficulty of rapidly marshalling and orchestrating a qualified response team.
Progent offers a range of help services for securing Atlanta businesses from crypto-ransomware attacks. These include staff training to help recognize and avoid phishing attempts, and ProSight Active Security Monitoring for endpoint detection and response, which utilizes SentinelOne's behavior-based threat protection to discover and quarantine zero-day malware attacks. Progent can in addition provide the services of veteran ransomware recovery professionals with the skills and commitment to rebuild a breached system as rapidly as possible.
Progent's Crypto-Ransomware Recovery Help
After a crypto-ransomware invasion, paying the ransom demand in cryptocurrency does not provide any assurance that the cyber hackers will respond with the keys needed to decrypt any or all of your data. Kaspersky estimated that seventeen percent of ransomware victims never recovered their data even after having paid the ransom, resulting in increased losses. Paying is also very costly. Ryuk ransoms are often a few hundred thousand dollars. For larger organizations, the ransom can be in the millions. The alternative is to re-install the vital parts of your IT environment. Absent the availability of full system backups, this calls for a wide complement of skill sets, top-notch team management, and the willingness to work continuously until the task is finished.
For decades, Progent has made available professional IT services for companies throughout the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have earned high-level certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have garnered internationally renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, SANS GIAC, and CMMC 2.0. (Visit Progent's certifications.) Progent in addition has experience in financial management and ERP application software. This breadth of expertise gives Progent the capability to knowledgeably identify important systems, integrate the remaining pieces of your computer network following a crypto-ransomware attack, and configure them into an operational network.
Progent's ransomware team deploys top-notch project management applications to coordinate the complex restoration process. Progent appreciates the importance of working rapidly and together with a customer's management and IT team members to assign priority to tasks and to get key applications back online as fast as possible.
Business Case Study: A Successful Ransomware Incident Recovery
A client contacted Progent after their company was brought down by Ryuk ransomware. Ryuk is believed to have been launched by North Korean government-sponsored cybercriminals, suspected of using technology leaked from the U.S. National Security Agency. Ryuk targets specific organizations with limited tolerance for disruption and is among the most lucrative versions of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company located in the Chicago metro area with about 500 workers. The Ryuk intrusion had disabled all essential operations and manufacturing capabilities. The majority of the client's data backups had been online at the start of the intrusion and were destroyed. The client was preparing to pay the ransom (in excess of $200K) and hoping for the best, but ultimately engaged Progent.
Progent worked with the client to rapidly assess and prioritize the most important systems that needed to be recovered to make it possible to resume departmental functions:
In less than 48 hours, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then performed setup and hard drive recovery of the needed systems. All Exchange Server data and configuration information were usable, which greatly helped the restore of Exchange. Progent was also able to locate local OST files (Outlook Offline Data Files) on team workstations and laptops in order to recover mail data. A relatively recent offline backup of the client's manufacturing systems made it possible to bring these required programs back online for users. Although a lot of work still had to be done to recover fully from the Ryuk virus, the most important services were recovered quickly:
Over the following couple of weeks, important milestones in the recovery process were accomplished through tight collaboration between Progent consultants and the customer:
Conclusion
A possible company-ending catastrophe was averted through the efforts of dedicated professionals, a wide spectrum of technical expertise, and close collaboration. Although in retrospect the crypto-ransomware virus penetration detailed here would have been stopped by up-to-date security solutions and best practices, user training, and properly executed incident response procedures for data protection and software patching, the fact is that government-sponsored cybercriminals from Russia, China and elsewhere are relentless and are not going away. If you do get hit by a ransomware virus, remember that Progent's team of experts has extensive experience in crypto-ransomware virus defense, removal, and data restoration.
Download the Crypto-Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Consulting Services in Atlanta
For ransomware system recovery consulting in the Atlanta area, call Progent at