Ransomware: Your Worst IT Nightmare
Crypto-ransomware has become an all-too-frequent cyberplague that poses an extinction-level threat to businesses unprepared for an attack. Ransomware families such as Reveton, WannaCry, Bad Rabbit, SamSam and the MongoLock cryptoworm have been spreading for years and continue to inflict damage. Modern strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nephilim, plus a steady stream of as-yet-unnamed newcomers, not only encrypt online data but also seek out and encrypt every accessible system restore point and backup. Data synchronized to off-site disaster recovery sites can be rendered useless as well. In a poorly architected data protection solution, this can defeat any recovery and effectively knock the datacenter back to zero.
Restoring applications and data after a ransomware attack becomes a race against time as the targeted organization struggles to contain the damage, eradicate the crypto-ransomware and restore mission-critical activity. Because ransomware needs time to move laterally, attacks are usually sprung at night, when they may take longer to uncover. This compounds the difficulty of quickly marshalling and orchestrating a capable mitigation team.
Progent offers a range of solutions for protecting Bellevue businesses from crypto-ransomware attacks. Among these are staff training to help identify and avoid phishing exploits, and ProSight Active Security Monitoring (ASM), an endpoint detection and response service that uses SentinelOne's behavior-based threat protection to identify and contain zero-day malware attacks. Progent also offers the services of veteran ransomware recovery consultants with the track record and commitment to restore a compromised system as rapidly as possible.
Progent's Crypto-Ransomware Restoration Help
Following a ransomware attack, paying the ransom in Bitcoin does not guarantee that the criminal gang will respond with the keys needed to decrypt any of your data. Kaspersky estimated that 17% of ransomware victims never recovered their files even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the usual crypto-ransomware demand, which ZDNET estimated to be around $13,000 for small businesses. The alternative is to rebuild the vital components of your IT environment. Without complete system backups, this requires a broad complement of IT skills, top-notch project management, and the ability to work non-stop until the job is done.
For twenty years, Progent has provided certified expert IT services to businesses throughout the United States and has achieved Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who hold advanced industry certifications in key technologies from Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has expertise with accounting and ERP software solutions. This breadth of expertise gives Progent the capability to knowledgeably assess critical systems, organize the remaining pieces of your IT environment after a crypto-ransomware event, and rebuild them into a functioning network.
Progent's security team uses capable project management tools to coordinate the complex recovery process. Progent understands the urgency of working rapidly and in unison with a customer's management and IT staff to prioritize tasks and bring critical applications back online as fast as possible.
Client Story: A Successful Ransomware Intrusion Recovery
A small business hired Progent after its network was taken over by the Ryuk ransomware. Ryuk is generally believed to have been created by North Korean state-sponsored hackers, possibly adopting techniques leaked from the US NSA. Ryuk targets organizations with little tolerance for disruption and is among the most lucrative ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business based in the Chicago metro area with around 500 staff members. The Ryuk attack had frozen all company operations and manufacturing capabilities. The majority of the client's system backups had been online at the time of the intrusion and were encrypted along with everything else. The client considered paying the ransom demand (in excess of $200K) and hoping for the best, but ultimately engaged Progent.
Progent worked with the customer to quickly get a handle on the situation and prioritize the key applications that had to be restored in order to resume departmental functions.
In less than 2 days, Progent was able to restore Active Directory services to their pre-attack state. Progent then performed configuration and disk recovery of mission-critical systems. All Microsoft Exchange Server data and attributes were usable, which accelerated the rebuild of Exchange. Progent was able to locate intact OST files (Outlook offline folder files) on user PCs in order to recover email data. A recent offline backup of the business's financial/ERP software made it possible to bring these essential applications back online for users. Although major work remained to recover fully from the Ryuk event, essential systems were returned to operation quickly.
Over the following few weeks, key milestones in the restoration process were reached through close collaboration between Progent consultants and the client.
Conclusion
A potential business-extinction disaster was averted through results-oriented experts, a broad array of IT skills, and tight collaboration. Post-incident forensics showed that the ransomware attack described here could have been stopped with up-to-date security solutions, NIST Cybersecurity Framework best practices, staff training, and appropriate procedures for data protection and software patching; the reality remains, however, that state-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and an ongoing threat. If you are hit by a ransomware attack, you can be confident that Progent's roster of professionals has proven experience in crypto-ransomware blocking, removal, and file disaster recovery.
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB)
Contact Progent for Ransomware System Recovery Expertise in Bellevue
For ransomware system recovery services in the Bellevue metro area, phone Progent at