Ransomware: Your Feared Information Technology Nightmare
Ransomware has become a modern cyberplague that presents an enterprise-level danger for businesses poorly prepared for an attack. Multiple generations of ransomware such as the CryptoLocker, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been around for years and continue to inflict destruction. Modern variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Egregor, plus frequent as yet unnamed malware, not only encrypt online data files but also infiltrate most of the available system protections. Files synced to the cloud can also be encrypted. In a poorly architected environment, this can render automated recovery useless and essentially knocks the datacenter back to zero.
Getting programs and data back after a ransomware intrusion becomes a sprint against time as the targeted organization tries its best to stop lateral movement, clean up the crypto-ransomware and restore business-critical activity. Because ransomware takes time to replicate, attacks are frequently sprung on weekends and at night, when penetrations typically take longer to detect. This compounds the difficulty of promptly mobilizing and coordinating a qualified response team.
Progent offers an assortment of services for securing Broomfield organizations against crypto-ransomware penetrations. These include team education so that staff can recognize and not fall victim to phishing scams, and ProSight Active Security Monitoring for endpoint detection and response, which uses SentinelOne's behavior-based cyberthreat defense to discover and extinguish zero-day malware attacks. Progent can also provide the services of experienced crypto-ransomware recovery professionals with the track record and commitment to rebuild a breached system as quickly as possible.
Progent's Ransomware Recovery Services
Following a ransomware attack, even paying the ransom in Bitcoin cryptocurrency provides no assurance that distant criminals will return the codes needed to decipher all your files. Kaspersky determined that seventeen percent of ransomware victims never recovered their data even after sending off the ransom, resulting in increased losses. Paying is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above the usual ransomware demands, which ZDNET estimated to be in the range of $13,000 for small businesses. The fallback is to piece the critical components of your IT environment back together. Without essential data backups, this calls for a broad range of skill sets, professional project management, and the ability to work continuously until the job is complete.
For decades, Progent has provided expert IT services for businesses across the U.S. and has achieved Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have earned high-level industry certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise with financial systems and ERP software solutions. This breadth of experience gives Progent the ability to rapidly understand critical systems, consolidate the surviving parts of your computer network environment after a crypto-ransomware event, and rebuild them into a functioning system.
Progent's recovery team deploys state-of-the-art project management systems to coordinate the sophisticated restoration process. Progent understands the urgency of acting quickly and in concert with a client's management and Information Technology resources to prioritize tasks and get key applications back online as soon as possible.
Case Study: A Successful Ransomware Incident Response
A customer escalated to Progent after their organization was crashed by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state-sponsored cybercriminals, possibly adopting techniques leaked from America's National Security Agency. Ryuk targets specific companies with little ability to sustain disruption and is among the most lucrative incarnations of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in Chicago with around 500 staff members. The Ryuk event had disabled all business operations and manufacturing capabilities. Most of the client's data backups had been directly accessible at the start of the intrusion and were eventually encrypted. The client was actively seeking loans to pay the ransom (in excess of $200K) and hoping for good luck, but in the end brought in Progent.
Progent worked with the client to quickly get its arms around and prioritize the critical applications that needed to be recovered so that company functions could resume:
In less than two days, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then assisted with setup and hard drive recovery on critical systems. All Exchange Server ties and configuration information were intact, which facilitated the restore of Exchange. Progent was also able to locate intact OST files (Microsoft Outlook Offline Data Files) on team desktop computers in order to recover email data. A reasonably recent offline backup of the client's financials/MRP systems enabled these required applications to be brought back online for users. Although significant work still had to be done to recover fully from the Ryuk attack, the most important services were returned to operation rapidly:
During the following weeks, important milestones in the restoration project were accomplished through tight cooperation between Progent team members and the customer:
Conclusion
A potential business-ending disaster was averted thanks to dedicated experts, a broad spectrum of knowledge, and close collaboration. After-the-fact analysis showed that the ransomware attack described here could have been blocked with modern cyber security technology, NIST Cybersecurity Framework best practices, staff training, and properly executed incident response procedures for backup and patching controls; the reality, however, is that government-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and an ongoing threat. If you do get hit by a ransomware penetration, remember that Progent's roster of experts has extensive experience in ransomware defense, mitigation, and file recovery.
Download the Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Consulting in Broomfield
For ransomware recovery consulting services in the Broomfield metro area, phone Progent at