Ransomware: Your Worst Information Technology Catastrophe
Crypto-ransomware has become a modern cyberplague that presents an extinction-level danger for businesses poorly prepared for an assault. Ransomware variants such as CryptoLocker, CryptoWall, Locky, and the Syskey and MongoLock cryptoworms have been running rampant for years and continue to inflict destruction. Newer variants such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, plus as yet unnamed newcomers, not only encrypt on-line data files but also seek out and encrypt every system backup they can reach. Data synchronized to off-premises disaster recovery sites can be ransomed as well. In a poorly designed environment this can make automated recovery hopeless and effectively sets the network back to square one.
Restoring services and data after a ransomware event becomes a race against time as the targeted business fights to contain the outbreak, eradicate the malware, and resume business-critical operations. Because ransomware needs time to spread across a targeted network, attacks are usually launched on weekends and at night, when successful penetrations tend to take longer to recognize. This multiplies the difficulty of quickly assembling and organizing an experienced response team.
Progent offers a variety of services for protecting Charleston enterprises from ransomware attacks. These include staff education to help employees recognize and avoid phishing attempts, and ProSight Active Security Monitoring, an endpoint detection and response (EDR) service that utilizes SentinelOne's behavior-based cyberthreat defense to detect and shut down zero-day malware attacks. Progent can also provide seasoned ransomware recovery professionals with the skills and commitment to rebuild a breached system as quickly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware penetration, even paying the ransom in cryptocurrency does not guarantee that the criminals will respond with the keys needed to decrypt any or all of your files. Kaspersky estimated that 17% of ransomware victims never recovered their files even after paying the ransom, compounding their losses. The gamble is also expensive: Ryuk ransoms are often a few hundred thousand dollars, and for larger organizations the demand can reach millions of dollars. The other path is to rebuild the essential elements of your Information Technology environment from scratch. Without access to essential data backups, this calls for a broad complement of skill sets, professional project management, and the willingness to work 24x7 until the job is complete.
For twenty years, Progent has provided certified expert Information Technology services for businesses throughout the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who hold high-level certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, GIAC, and CMMC 2.0. (See Progent's certifications.) Progent also has expertise with accounting and ERP applications. This breadth of expertise gives Progent the skills to knowledgeably identify critical systems, integrate the surviving pieces of your Information Technology environment after a ransomware penetration, and configure them into an operational system.
Progent's recovery team uses top-notch project management tools to coordinate the complicated restoration process. Progent knows the importance of working quickly and in concert with a customer's management and Information Technology staff to prioritize tasks and to bring key applications back on-line as soon as possible.
Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A small business contacted Progent after their network was crashed by the Ryuk crypto-ransomware. Ryuk is thought to have been deployed by North Korean state cybercriminals, suspected of using technology leaked from America's NSA. Ryuk targets specific companies with little ability to sustain operational disruption and is among the most lucrative versions of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing company based in Chicago with about 500 employees. The Ryuk intrusion had paralyzed all business operations and manufacturing processes. Most of the client's data backups had been on-line at the time of the intrusion and were eventually encrypted as well. The client was pursuing financing to pay the ransom demand (more than $200,000) and hoping for the best, but in the end engaged Progent.
Progent worked with the client to rapidly assess and assign priority to the most important systems that had to be addressed in order to resume company functions:
In less than 2 days, Progent rebuilt Active Directory services to their pre-intrusion state. Progent then moved ahead with rebuilding and storage recovery of the most important systems. All Microsoft Exchange Server links and attributes were intact, which accelerated the restore of Exchange. Progent was able to collect intact OST files (Microsoft Outlook Offline Folder Files) from user PCs and laptops in order to recover email data. A recent off-line backup of the business's accounting software allowed these required services to be brought back on-line. Although significant work remained to recover completely from the Ryuk attack, core systems were returned to operation quickly:
Over the following weeks, critical milestones in the recovery process were reached through close collaboration between Progent consultants and the customer:
Conclusion
A potential business catastrophe was averted by dedicated experts, a broad array of IT skills, and close teamwork. Although forensics concluded that the crypto-ransomware penetration described here should have been stopped by current security systems and recognized best practices, user and IT administrator training, and well designed procedures for data protection and software patching, the fact is that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and remain an ongoing threat. If you are hit by a ransomware attack, you can be confident that Progent's roster of experts has proven experience in ransomware blocking, remediation, and file recovery.
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB)
Contact Progent for Ransomware System Recovery Services in Charleston
For ransomware recovery expertise in the Charleston area, call Progent at