Ransomware: Your Worst Information Technology Disaster
Crypto-ransomware has become a modern cyberplague that poses an enterprise-level threat to any organization vulnerable to an assault. Different iterations of ransomware such as the Reveton, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for many years and continue to inflict destruction. Newer variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Egregor, along with still more as yet unnamed malware, not only encrypt online information but also compromise many configured system protections. Data synced to the cloud can be encrypted as well. In a vulnerable system, this can make automated restore operations impossible and effectively sets the datacenter back to square one.
Recovering applications and information following a crypto-ransomware intrusion becomes a race against time as the targeted organization struggles to stop lateral movement, remove the crypto-ransomware, and resume business-critical operations. Because crypto-ransomware needs time to spread, penetrations are often launched during weekends and nights, when successful attacks may take longer to uncover. This compounds the difficulty of rapidly mobilizing and organizing a qualified response team.
Progent offers a variety of services for protecting Bellevue enterprises from ransomware penetrations. Among these are team member education to help staff recognize and avoid phishing attempts, and ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR), which utilizes SentinelOne's AI-based cyberthreat protection to identify and disable zero-day modern malware attacks. Progent can also provide the services of veteran ransomware recovery professionals with the track record and perseverance to reconstruct a breached network as soon as possible.
Progent's Ransomware Recovery Services
Following a ransomware penetration, even paying the ransom in Bitcoin cryptocurrency does not guarantee that the cyber criminals will provide the keys to decrypt all your files. Kaspersky estimated that 17% of ransomware victims never recovered their information after having paid the ransom, resulting in additional losses. The ransom itself is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is well above the usual ransomware demands, which ZDNET determined to be in the range of $13,000 for small businesses. The fallback is to piece back together the vital elements of your IT environment. Absent full system backups, this requires a wide range of skills, top-notch team management, and the capability to work continuously until the job is done.
For two decades, Progent has provided certified expert IT services for companies throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have attained top industry certifications in key technologies from Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise with accounting and ERP applications. This breadth of experience allows Progent to efficiently understand the necessary systems, re-organize the surviving parts of your IT environment following a ransomware event, and assemble them into an operational network.
Progent's security group utilizes state-of-the-art project management systems to coordinate the sophisticated restoration process. Progent knows the importance of working swiftly and in unison with a client's management and IT resources to assign priority to tasks and to put essential services back on line as fast as possible.
Business Case Study: A Successful Ransomware Virus Recovery
A client sought out Progent after their network was crashed by the Ryuk ransomware virus. Ryuk is thought to have been created by North Korean state-sponsored cybercriminals, suspected of adopting technology leaked from the U.S. National Security Agency. Ryuk targets specific companies with little room for operational disruption and is one of the most lucrative iterations of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing company headquartered in the Chicago metro area with about 500 employees. The Ryuk intrusion had shut down all company operations and manufacturing capabilities. The majority of the client's backups had been directly accessible from the network at the time of the attack and were eventually encrypted. The client was pursuing financing to pay the ransom (in excess of $200,000) and hoping for good luck, but in the end engaged Progent.
Progent worked hand in hand with the client to rapidly identify and prioritize the critical areas that needed to be recovered in order to continue company functions:
Within 48 hours, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then completed rebuilding and storage recovery for essential applications. All Exchange links and attributes were intact, which facilitated the restoration of Exchange. Progent was able to locate intact OST files (Microsoft Outlook Offline Folder Files) on staff PCs to recover email data. A recent offline backup of the client's accounting/ERP systems enabled these required applications to be brought back online. Although a large amount of work remained to recover completely from the Ryuk damage, essential services were restored quickly:
Throughout the following couple of weeks, important milestones in the restoration process were completed through close collaboration between Progent engineers and the client:
Conclusion
A potentially business-killing disaster was averted through the efforts of top-tier professionals, a broad array of IT skills, and close teamwork. In hindsight, the ransomware penetration described here could have been identified and disabled with advanced cyber security solutions and ISO/IEC 27001 best practices, team training, and appropriate security procedures for data backup and software patching. Nonetheless, the reality remains that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and an ongoing threat. If you do get hit by a crypto-ransomware incident, be confident that Progent's roster of professionals has extensive experience in crypto-ransomware defense, cleanup, and file restoration.
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this customer case study, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Consulting Services in Bellevue
For ransomware recovery expertise in the Bellevue metro area, call Progent at