Ransomware: Your Worst Information Technology Disaster
Ransomware has become an all-too-frequent cyber plague that poses an extinction-level danger for organizations unprepared for an assault. Earlier crypto-ransomware families and cryptoworms such as Reveton, CryptoWall, Bad Rabbit, SamSam and MongoLock have been running rampant for years and still inflict harm. Modern versions of ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Egregor, along with unnamed variants appearing daily, not only encrypt online files but also corrupt any system backups they can reach. Files replicated to the cloud can be corrupted as well. With a vulnerable data protection solution, this can render any restore useless and effectively set the datacenter back to zero.
Getting applications and data back online after a ransomware event becomes a sprint against time as the targeted organization struggles to stop the spread, clean up the ransomware, and resume enterprise-critical activity. Because ransomware takes time to move laterally through a targeted network, attacks are frequently sprung on weekends, when successful penetrations often take longer to discover. This compounds the difficulty of rapidly assembling and coordinating a knowledgeable mitigation team.
Progent provides a range of solutions for protecting Belo Horizonte organizations from ransomware penetrations. These include team member education to help staff recognize and avoid falling victim to phishing attempts, and ProSight Active Security Monitoring for endpoint detection and response, which uses SentinelOne's behavior-based threat defense to discover and quarantine zero-day malware attacks. Progent also offers the assistance of seasoned ransomware recovery engineers with the skills and commitment to re-deploy a compromised environment as quickly as possible.
Progent's Crypto-Ransomware Restoration Support Services
Following a ransomware invasion, paying the ransom demand in cryptocurrency provides no assurance that the hackers will return the keys needed to decrypt all your files. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms are commonly several hundred thousand dollars, and for larger organizations the demand can run into the millions. The alternative is to piece back together the essential parts of your IT environment. Without access to complete data backups, this requires a broad complement of IT skills, professional project management, and the ability to work 24x7 until the job is complete.
For twenty years, Progent has provided certified expert Information Technology services for businesses across the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have attained top industry certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have earned internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, SANS GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has expertise in accounting and ERP application software. This breadth of experience gives Progent the ability to quickly identify critical systems following a ransomware event, consolidate the remaining pieces of your network, and assemble them into a functioning system.
Progent's recovery group utilizes state-of-the-art project management tools to orchestrate the complicated restoration process. Progent understands the importance of working rapidly and in unison with a client's management and Information Technology team members to prioritize tasks and to put the most important services back online as fast as possible.
Case Study: A Successful Crypto-Ransomware Incident Response
A business engaged Progent after their company was attacked by the Ryuk crypto-ransomware. Ryuk is generally considered to have been deployed by North Korean state criminal gangs, possibly using technology leaked from the United States NSA. Ryuk targets specific businesses with little tolerance for operational disruption and is among the most profitable instances of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company based in the Chicago metro area with about 500 workers. The Ryuk penetration had brought down all essential operations and manufacturing capabilities. The majority of the client's data backups had been online at the beginning of the intrusion and were damaged. The client was taking steps to pay the ransom (exceeding two hundred thousand dollars) and hoping for the best, but in the end reached out to Progent.
Progent worked with the client to rapidly assess and prioritize the mission-critical applications that needed to be restored in order to continue company operations:
In less than 2 days, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then performed setup and storage recovery of mission-critical applications. All Microsoft Exchange Server data and configuration information were usable, which accelerated the restoration of Exchange. Progent was also able to locate local OST files (Outlook Offline Data Files) on user workstations in order to recover mail data. A recent offline backup of the customer's financials/ERP software enabled them to bring these vital programs back online. Although a great deal of work remained to recover completely from the Ryuk virus, critical services were recovered rapidly:
During the following weeks, key milestones in the recovery process were achieved through close collaboration between Progent engineers and the client:
Conclusion
A potential business-ending catastrophe was avoided through the efforts of hard-working professionals, a broad array of technical expertise, and tight collaboration. In retrospect, the crypto-ransomware penetration detailed here could have been blocked with advanced cybersecurity systems and best practices, staff training, well-designed incident response procedures for information protection, and keeping systems up to date with security patches. The fact remains, however, that state-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and will continue their attacks. If you do get hit by a ransomware attack, you can be confident that Progent's team of experts has extensive experience in crypto-ransomware blocking, remediation, and file restoration.
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this customer story, click:
Progent's Ransomware Incident Recovery Case Study Datasheet (PDF - 282 KB)
Contact Progent for Ransomware Recovery Expertise in Belo Horizonte
For ransomware recovery consulting services in the Belo Horizonte area, call Progent at