Crypto-Ransomware: Your Crippling IT Nightmare
Ransomware has become a modern cyber pandemic that represents an existential danger for organizations vulnerable to an attack. Ransomware families such as the Reveton, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been propagating for years and continue to wreak havoc. More recent crypto-ransomware families such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, along with a steady stream of as yet unnamed newcomers, not only encrypt on-line data but also attack any reachable system restore points and backups. Data synchronized to the cloud can be corrupted as well. In a poorly designed data protection solution, this can make automated recovery impossible and effectively knock the network back to zero.
Recovering applications and data after a crypto-ransomware attack becomes a race against the clock as the targeted business works to contain the damage, clean up the malware and resume mission-critical activity. Because ransomware needs time to move laterally, attacks are frequently launched at night, when a successful intrusion tends to take longer to detect. This compounds the difficulty of rapidly assembling and organizing a knowledgeable response team.
Progent offers a variety of services for protecting Atlanta enterprises from crypto-ransomware incidents. These include user education to help staff recognize and avoid phishing attempts, and ProSight Active Security Monitoring (ASM), an endpoint detection and response (EDR) service that uses SentinelOne's behavior-based threat defense to detect and quarantine zero-day malware attacks. Progent also offers the assistance of experienced ransomware recovery engineers with the track record and commitment to redeploy a breached environment as rapidly as possible.
Progent's Ransomware Recovery Help
After a ransomware attack, even paying the ransom in Bitcoin provides no assurance that the criminals will deliver the keys to decrypt any of your data. Kaspersky found that 17% of ransomware victims never recovered their files even after paying the ransom, compounding their losses. The gamble is also costly: Ryuk ransoms frequently range from 15 to 40 BTC ($120,000 to $400,000), far above the typical ransomware demand, which ZDNet estimated at around $13,000 for small businesses. The alternative is to reinstall the vital elements of your IT environment. Without usable data backups, this requires a wide range of skill sets, first-rate project management, and the capacity to work 24x7 until the job is complete.
For decades, Progent has provided professional IT services to businesses across the United States and holds Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers with advanced industry certifications in leading technologies including Microsoft, Cisco, VMware, and major Linux distributions. Progent's cyber security consultants hold internationally recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience with financial systems and ERP software. This breadth of experience gives Progent the skills to quickly identify the systems that matter, consolidate the surviving parts of your IT environment after a ransomware event, and rebuild them into a working system.
Progent's security team uses state-of-the-art project management tools to orchestrate the complex recovery process. Progent understands the importance of acting rapidly and working alongside a client's management and IT staff to prioritize tasks and bring critical applications back on line as soon as possible.
Customer Story: A Successful Ransomware Attack Restoration
A customer hired Progent after their company was taken over by Ryuk ransomware. Ryuk is believed to have been created by North Korean state-sponsored hackers, suspected of using techniques leaked from the United States NSA. Ryuk targets specific organizations with little tolerance for operational disruption and is one of the most lucrative ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing company in Chicago with around 500 employees. The Ryuk intrusion had paralyzed all company operations and manufacturing capabilities. Most of the client's data backups had been on-line at the time of the intrusion and were destroyed. The client was actively seeking loans to pay the ransom demand (exceeding $200K) and hoping for the best, but ultimately decided to engage Progent.
Progent worked hand in hand with the customer to quickly identify and prioritize the mission-critical elements that had to be addressed before business functions could resume:
In less than 2 days, Progent rebuilt Windows Active Directory to its pre-attack state. Progent then assisted with reinstallations and storage recovery on mission-critical servers. All Microsoft Exchange Server links and attributes were intact, which simplified the restore of Exchange. Progent also located local OST files (Outlook Offline Data Files) on user workstations and laptops to recover email data. A recent offline backup of the client's accounting software made it possible to return these essential applications to users. Although major work remained to recover fully from the Ryuk attack, critical services were restored rapidly:
Over the next couple of weeks, key milestones in the recovery project were completed in close cooperation between Progent consultants and the client:
Conclusion
A potentially business-ending disaster was averted with top-tier experts, a broad range of knowledge, and tight teamwork. Although in retrospect the ransomware attack described here would have been stopped by up-to-date cyber security technology, ISO/IEC 27001 best practices, user and IT administrator training, and well-designed procedures for backups and software patching, the fact remains that state-sponsored cyber criminals from China, North Korea and elsewhere are tireless and will keep trying. If you are hit by a ransomware incident, you can be confident that Progent's team of professionals has a proven track record in ransomware blocking, mitigation, and information systems restoration.
Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Expertise in Atlanta
For ransomware recovery consulting services in the Atlanta area, phone Progent at