Ransomware : Your Worst Information Technology Nightmare
Ransomware has become a modern cyberplague and can be an extinction-level event for a business that is vulnerable to attack. Older crypto-ransomware families such as Dharma, WannaCry, Locky, NotPetya and MongoLock have been circulating for years and still cause damage. Newer families such as Ryuk, Maze, Sodinokibi (REvil), DopplePaymer, LockBit and Egregor, along with many less-known variants, not only encrypt online data but also seek out and disable whatever backup and system-protection mechanisms they can reach, such as Volume Shadow Copies and backups mounted on the network. Files synchronized to the cloud can also be ransomed, because the encrypted versions are synced up in place of the originals. In a vulnerable environment this can make any restore operation impossible and effectively knocks the network back to zero.
Recovering programs and data after a ransomware intrusion becomes a race against time as the victim struggles to stop lateral movement, eradicate the ransomware, and restore business-critical operations. Because ransomware needs time to spread through a network, attacks are often launched at night or over weekends, when a successful intrusion takes longer to notice. This compounds the difficulty of quickly mobilizing and organizing a capable response team.
Progent provides a range of services for protecting Cambridge businesses from crypto-ransomware incidents. These include staff training to recognize and avoid phishing attempts, and ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR), which uses SentinelOne's AI-based threat defense to detect and contain zero-day and other modern malware attacks. Progent also provides the services of experienced ransomware recovery engineers with the skills and commitment to restore a compromised environment as quickly as possible.
Progent's Ransomware Recovery Help
After a crypto-ransomware incident, even paying the ransom in cryptocurrency does not guarantee that the criminals will hand over the decryption keys needed to recover any or all of your files. Kaspersky found that 17% of ransomware victims who paid never got their files back, compounding their losses. The gamble is also expensive: Ryuk ransoms are typically several hundred thousand dollars, and for larger organizations the demand can run into the millions. The alternative is to rebuild the critical parts of your IT environment. Without access to essential backups, this calls for a wide range of skills, well-coordinated project management, and the ability to work around the clock until the recovery is finished.
For twenty years, Progent has provided professional IT services to companies throughout the U.S. and has earned Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who hold top certifications in leading technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cybersecurity specialists hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, SANS GIAC, and CMMC 2.0. (Refer to Progent's certifications). Progent also has experience with accounting and ERP software. This breadth of experience gives Progent the skills to knowledgeably identify critical systems, reorganize the surviving pieces of your network after a ransomware incident, and reassemble them into a functioning environment.
Progent's recovery team uses best-of-breed project management tools to orchestrate the complex restoration process. Progent understands the urgency of acting quickly and in unison with a client's management and IT staff to prioritize tasks and bring essential systems back online as fast as possible.
Client Case Study: A Successful Ransomware Incident Response
A client contacted Progent after its network was penetrated by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored hackers because of code it shares with the earlier Hermes ransomware, but it has since been attributed to a Russian-speaking criminal group that typically delivers it through TrickBot or Emotet infections after the attackers have already gained a foothold in the network. Ryuk is deployed against specific organizations that can tolerate little or no downtime, and it is one of the most lucrative strains of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturer headquartered in Chicago with around 500 employees. The Ryuk attack had halted all business operations and manufacturing. Most of the client's backups were online at the time of the attack and were encrypted as well. The client was considering paying the ransom (more than $200,000) and hoping for the best, but in the end engaged Progent.
Progent worked together with the customer to rapidly assess and assign priority to the essential systems that needed to be recovered in order to restart company functions:
In less than 48 hours, Progent restored Active Directory to its pre-intrusion state. Progent then helped rebuild key servers and recover their storage. All Exchange connection and configuration information was intact, which made it easier to rebuild Exchange. Progent collected unencrypted OST files (Outlook Offline Data Files) from staff desktops and laptops to recover mail data. A recent offline backup of the client's financial/MRP systems made it possible to bring these essential services back online for users. Although substantial work remained before the client had fully recovered from Ryuk, core systems were restored quickly:
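Collecting OST files from workstations only helps if you can quickly tell which of the harvested files are still usable. The script below is an added example of that triage step; it is not Progent's tooling and is not part of the original case study. It checks each harvested file for the "!BDN" signature that every PST/OST file carries, treats a missing signature together with near-random content as a sign that the file was encrypted in place, and copies only intact files to a staging folder for import into the rebuilt mail system. The file names, the threshold and the sample files are constructed for the example.

```python
"""Triage Outlook data files (.ost/.pst) harvested from workstations after a
ransomware event. Added example, not Progent's tooling; sample data is constructed."""
import math
import os
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Every PST/OST file starts with the signature "!BDN". Ransomware that encrypts
# a file in place overwrites it, so the header check alone separates usable
# mailboxes from ransomed ones; entropy is only a hint about what happened.
PST_MAGIC = b"!BDN"
HEAD_BYTES = 4096          # read only the first block: cheap over a slow share
ENCRYPTED_ENTROPY = 7.5    # bits/byte; ciphertext sits near 8.0, real data far lower


@dataclass
class Verdict:
    path: str
    intact: bool
    entropy: float
    reason: str


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(path: Path) -> Verdict:
    """Decide whether one harvested file is still a readable Outlook data file."""
    with open(path, "rb") as f:
        head = f.read(HEAD_BYTES)
    ent = shannon_entropy(head)
    if head.startswith(PST_MAGIC):
        return Verdict(str(path), True, ent, "PST/OST signature present")
    if ent >= ENCRYPTED_ENTROPY:
        return Verdict(str(path), False, ent, "signature gone, high entropy: probably encrypted")
    return Verdict(str(path), False, ent, "signature gone: not an Outlook data file")


def triage_tree(root: Path) -> dict:
    """Classify every file under root whose name carries .ost or .pst, including
    renamed files such as mailbox.ost.locked that ransomware leaves behind."""
    verdicts = {}
    for p in root.rglob("*"):
        if p.is_file() and any(s in p.name.lower() for s in (".ost", ".pst")):
            verdicts[p.name] = classify(p)
    return verdicts


def collect_intact(root: Path, staging: Path) -> list:
    """Copy only intact files into a staging directory (outside root, so a
    second triage pass does not see the copies); returns the names copied."""
    staging.mkdir(parents=True, exist_ok=True)
    copied = []
    for name, v in sorted(triage_tree(root).items()):
        if v.intact:
            shutil.copy2(v.path, staging / name)
            copied.append(name)
    return copied


def build_sample_dir() -> Path:
    """Constructed sample data standing in for files harvested from workstations."""
    root = Path(tempfile.mkdtemp(prefix="ost_triage_"))
    (root / "alice.ost").write_bytes(PST_MAGIC + bytes(HEAD_BYTES - 4))  # signature intact
    (root / "bob.ost.locked").write_bytes(os.urandom(HEAD_BYTES))          # ransomed in place
    (root / "carol.ost").write_bytes(bytes(HEAD_BYTES))                    # zeroed / corrupt
    (root / "notes.txt").write_bytes(b"not a mailbox")                     # ignored
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    for name, v in sorted(triage_tree(sample).items()):
        print(f"{name:16} intact={str(v.intact):5} entropy={v.entropy:.2f}  {v.reason}")
    staging = Path(tempfile.mkdtemp(prefix="ost_staging_"))
    print("staged:", collect_intact(sample, staging))
```

In practice the harvest itself runs first (copying `%LOCALAPPDATA%\Microsoft\Outlook\*.ost` from each workstation with Outlook closed, since an open OST is locked), and this triage runs over the collected tree. Only the signature check decides; the entropy reading just explains a failure (encrypted versus truncated or zeroed) so that hosts with encrypted OSTs can be treated as compromised rather than merely unlucky.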
Over the following month, important milestones in the recovery project were reached through close cooperation between Progent consultants and the customer:
Conclusion
A likely business-extinction catastrophe was averted thanks to dedicated experts, a wide range of expertise, and tight collaboration. Although the forensic review showed that the ransomware incident described here could have been prevented with current security technology and best practices, user education, and well-designed incident response procedures covering backups and patching, the fact is that the criminal and state-sponsored groups behind ransomware, in Russia, North Korea and elsewhere, are tireless and are not going away. If you are hit by crypto-ransomware, remember that Progent's team of experts has substantial experience in ransomware defense, remediation, and data recovery.
Download the Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Expertise in Cambridge
For ransomware recovery consulting services in the Cambridge metro area, call Progent at