Ransomware : Your Feared IT Catastrophe
Ransomware has become an all-too-frequent cyber plague that represents an enterprise-level threat for businesses of all sizes unprepared for an assault. Different iterations of ransomware like the Reveton, Fusob, Locky, Syskey and MongoLock cryptoworms have been running rampant for many years and still cause damage. Newer strains of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Egregor, along with as yet unnamed newcomers appearing daily, not only encrypt online data files but also infect many configured system backups. Files synched to off-premises disaster recovery sites can also be ransomed. In a vulnerable system, this can render any recovery useless and effectively set the entire environment back to zero.
Recovering services and data following a ransomware attack becomes a sprint against time as the targeted organization fights to contain and remove the ransomware and restore enterprise-critical activity. Because ransomware takes time to move laterally throughout a network, attacks are usually sprung during weekends and nights, when they are likely to take longer to identify. This multiplies the difficulty of quickly assembling and coordinating an experienced mitigation team.
Progent offers an assortment of help services for securing Bristol organizations from ransomware attacks. Among these are team education to help identify and avoid phishing exploits, and ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR), which uses SentinelOne's behavior-based threat protection to detect and extinguish zero-day modern malware assaults. Progent also offers the services of veteran crypto-ransomware recovery consultants with the talent and perseverance to rebuild a compromised system as urgently as possible.
Progent's Ransomware Recovery Support Services
Following a ransomware invasion, sending the ransom in cryptocurrency does not ensure that merciless criminals will provide the keys to decrypt any or all of your data. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their information even after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms are often several hundred thousand dollars. For larger organizations, the ransom demand can be in the millions of dollars. The other path is to set up the vital parts of your IT environment from scratch. Absent access to complete data backups, this calls for a wide range of skill sets, well-coordinated project management, and the capability to work continuously until the job is over.
For twenty years, Progent has provided certified expert Information Technology services for businesses across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have earned high-level industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have garnered internationally-renowned industry certifications including CISM, CISSP, CRISC, GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent also has experience with accounting and ERP software solutions. This breadth of expertise provides Progent the skills to efficiently identify necessary systems and re-organize the surviving pieces of your network system following a ransomware event and configure them into an operational system.
Progent's recovery team of experts utilizes top-notch project management tools to coordinate the sophisticated restoration process. Progent appreciates the importance of working rapidly and in concert with a customer's management and Information Technology resources to assign priority to tasks and to get the most important services back online as fast as humanly possible.
Customer Story: A Successful Ransomware Incident Recovery
A client hired Progent after their company was penetrated by Ryuk crypto-ransomware. Ryuk is thought to have been created by North Korean government-sponsored criminal gangs, possibly adopting approaches exposed from the U.S. NSA. Ryuk targets specific organizations with little tolerance for operational disruption and is one of the most profitable instances of crypto-ransomware. Major targets include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturer based in the Chicago metro area with about 500 staff members. The Ryuk intrusion had frozen all business operations and manufacturing capabilities. Most of the client's backups had been online at the time of the intrusion and were encrypted. The client considered paying the ransom (in excess of $200,000) and hoping for the best, but in the end utilized Progent.
Progent worked hand in hand with the customer to rapidly understand and prioritize the essential applications that had to be restored in order to resume company operations:
In less than 2 days, Progent was able to restore Windows Active Directory to its pre-penetration state. Progent then initiated rebuilding and storage recovery on critical applications. All Exchange Server ties and configuration information were intact, which facilitated the restore of Exchange. Progent was able to find non-encrypted OST data files (Outlook Offline Folder files) on staff desktop computers and laptops to recover email messages. A recent offline backup of the business's accounting/MRP software made it possible to bring these essential services back online for users. Although a large amount of work was left to recover completely from the Ryuk attack, critical systems were recovered rapidly:
Over the next few weeks key milestones in the restoration process were achieved in close cooperation between Progent engineers and the client:
Conclusion
A potential business disaster was averted with hard-working professionals, a wide range of IT skills, and tight teamwork. Although in hindsight the ransomware penetration detailed here would have been blocked with up-to-date cyber security systems and best practices, staff education, appropriate incident response procedures for information backup, and proper patching controls, the fact is that government-sponsored cyber criminals from China, North Korea and elsewhere are relentless and are an ongoing threat. If you do get hit by a ransomware incursion, feel confident that Progent's team of experts has substantial experience in ransomware blocking, remediation, and file disaster recovery.
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Consulting in Bristol
For ransomware system recovery expertise in the Bristol metro area, call Progent at