Ransomware: Your Worst Information Technology Nightmare
Ransomware has become a modern cyberplague that represents an extinction-level threat for organizations poorly prepared for an attack. Multiple generations of ransomware such as the CrySIS, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been out in the wild for many years and still inflict havoc. More recent variants of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nephilim, plus additional as yet unnamed malware, not only encrypt online data but also infiltrate many of the available system protections. Data replicated to the cloud can also be encrypted. In a poorly architected system, this can render automatic restore operations useless and effectively sets the network back to zero.
Retrieving programs and information after a crypto-ransomware event becomes a sprint against time as the victim struggles to stop the spread, clear the virus and restore enterprise-critical activity. Because ransomware needs time to replicate, attacks are often launched on weekends, when they typically take longer to detect. This compounds the difficulty of quickly assembling and orchestrating a capable mitigation team.
Progent provides an assortment of help services for securing Charleston organizations from crypto-ransomware penetrations. Among these are user education to help staff identify and not fall victim to phishing exploits, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which uses SentinelOne's behavior-based cyberthreat defense to detect and suppress day-zero malware assaults. Progent in addition offers the assistance of seasoned ransomware recovery professionals with the track record and commitment to rebuild a compromised system as quickly as possible.
Progent's Ransomware Restoration Help
Following a ransomware event, paying the ransom in cryptocurrency does not guarantee that merciless criminals will return the keys needed to decipher any or all of your information. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their files even after having paid the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above the usual crypto-ransomware demand, which ZDNET determined to be approximately $13,000 for smaller businesses. The alternative is to set up from scratch the mission-critical elements of your IT environment. Absent access to full system backups, this requires a wide range of skills, professional team management, and the capability to work 24x7 until the task is finished.
For twenty years, Progent has offered certified expert IT services for businesses across the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have earned high-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have garnered internationally renowned industry certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications.) Progent in addition has experience in accounting and ERP software solutions. This breadth of experience gives Progent the ability to efficiently identify critical systems, organize the surviving parts of your computer network environment after a ransomware attack, and rebuild them into a functioning system.
Progent's security team uses powerful project management systems to coordinate the complicated restoration process. Progent understands the importance of working rapidly and in unison with a client's management and Information Technology team members to assign priority to tasks and to get the most important applications back online as fast as possible.
Case Study: A Successful Ransomware Incident Recovery
A client sought out Progent after their organization was taken over by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean government-sponsored hackers, possibly adopting approaches leaked from America's National Security Agency. Ryuk attacks specific companies with limited ability to sustain operational disruption and is one of the most profitable versions of crypto-ransomware. Headline targets include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer located in Chicago with around 500 workers. The Ryuk attack had shut down all business operations and manufacturing capabilities. Most of the client's system backups had been directly accessible at the start of the attack and were encrypted. The client was taking steps to pay the ransom (more than two hundred thousand dollars) and hoping for good luck, but in the end called Progent.
Progent worked with the client to quickly assess and assign priority to the essential services that needed to be recovered to make it possible to resume company functions:
Within 48 hours, Progent was able to restore Windows Active Directory to its pre-virus state. Progent then rebuilt the essential servers and recovered their storage. All Exchange Server data and configuration information were intact, which accelerated the restore of Exchange. Progent was also able to collect intact OST files (Outlook Email Offline Folder Files) from user desktop computers and laptops in order to recover mail information. A relatively recent offline backup of the customer's accounting systems made it possible to bring these vital programs back online. Although major work remained to recover completely from the Ryuk virus, core systems were returned to operation quickly:
Over the next couple of weeks, important milestones in the restoration process were reached through close collaboration between Progent team members and the client:
Conclusion
A potential company-ending catastrophe was dodged through the efforts of hard-working professionals, a broad range of technical expertise, and tight collaboration. Although a post mortem showed that the ransomware attack detailed here would have been identified and disabled by up-to-date security technology and security best practices, user and IT administrator training, and well thought out incident response procedures for data protection and for keeping systems current with security patches, the reality remains that state-sponsored hackers from China, North Korea and elsewhere are tireless and will continue. If you do get hit by a ransomware virus, feel confident that Progent's team of experts has substantial experience in crypto-ransomware defense, remediation, and data recovery.
Download the Crypto-Ransomware Removal Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Consulting Services in Charleston
For ransomware cleanup consulting in the Charleston metro area, call Progent at