Ransomware: Your Worst IT Disaster
Ransomware has become a modern cyber pandemic and an existential danger for businesses that are poorly prepared for an attack. Earlier crypto-ransomware families such as CryptoLocker, WannaCry, Locky and MongoLock have been around for years and continue to cause damage. Modern variants such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Nefilim, along with new and as yet unnamed strains appearing daily, not only encrypt online data but also seek out and destroy any backup or protection mechanism that can be reached from a compromised account. Information synchronized to off-premises disaster recovery sites can be corrupted as well, because replication faithfully copies the encrypted files. In a poorly architected system this can render automatic restoration hopeless and effectively knocks the network back to zero.
Restoring services and information after a ransomware attack becomes a race against time as the targeted business tries to stop the spread, remove the ransomware, and restore mission-critical activity. Because encrypting an entire network takes time, attackers usually trigger the payload at night or over a weekend, when the intrusion takes longer to notice. This compounds the difficulty of rapidly assembling and organizing an experienced response team.
Progent provides a variety of services for protecting Chatsworth organizations from crypto-ransomware attacks. Among these are training to help staff recognize and avoid phishing scams, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which uses SentinelOne's behavior-based threat protection to identify and disable zero-day malware. Progent also provides veteran ransomware recovery engineers with the track record and perseverance to rebuild a compromised system as quickly as possible.
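To illustrate the kind of behavior-based detection referred to above, here is an added example written for this page; it is not code from Progent or SentinelOne. It scans a constructed file-system event log and flags a process that renames many files to one unfamiliar extension within a short window and drops a ransom note. The log line format, the process names and paths, the thresholds and the benign-extension list are all assumptions chosen for the demonstration.

```python
"""Behaviour-based ransomware heuristic over file-system events.

Added example for this page, not code from the page, Progent or any EDR vendor.
The event format, process names, thresholds and extension lists are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> pid=<n> image=<exe> op=<OP> path=<path>"
# where a RENAME carries "old -> new" in the path field.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) op=(?P<op>\w+) path=(?P<path>.+)$"
)
# Extensions a process may legitimately rename files to (assumed allow-list).
BENIGN_TARGET_EXT = {"tmp", "bak", "old", "docx", "xlsx", "pdf", "txt", "log"}
# Ransom notes are usually small text/HTML files with names like these (assumed).
NOTE_NAME_RE = re.compile(r"(readme|decrypt|restore|recover|how_to)", re.I)
NOTE_EXT = {"txt", "html", "hta"}

# Constructed sample telemetry: a normal user session (pid 4120) and a process
# that mass-renames documents to a new suffix and drops a note (pid 7712).
SAMPLE_EVENTS = """\
2021-03-06T02:14:03 pid=4120 image=C:\\Windows\\explorer.exe op=WRITE path=C:\\Users\\jdoe\\Documents\\budget.xlsx
2021-03-06T02:14:09 pid=4120 image=C:\\Windows\\explorer.exe op=RENAME path=C:\\Users\\jdoe\\Documents\\draft.docx -> C:\\Users\\jdoe\\Documents\\final.docx
2021-03-06T02:15:01 pid=7712 image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\lan.exe op=RENAME path=C:\\Users\\jdoe\\Documents\\budget.xlsx -> C:\\Users\\jdoe\\Documents\\budget.xlsx.RYK
2021-03-06T02:15:01 pid=7712 image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\lan.exe op=RENAME path=C:\\Users\\jdoe\\Documents\\final.docx -> C:\\Users\\jdoe\\Documents\\final.docx.RYK
2021-03-06T02:15:02 pid=7712 image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\lan.exe op=RENAME path=C:\\Users\\jdoe\\Documents\\notes.txt -> C:\\Users\\jdoe\\Documents\\notes.txt.RYK
2021-03-06T02:15:02 pid=7712 image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\lan.exe op=RENAME path=C:\\Users\\jdoe\\Documents\\plan.pdf -> C:\\Users\\jdoe\\Documents\\plan.pdf.RYK
2021-03-06T02:15:03 pid=7712 image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\lan.exe op=RENAME path=C:\\Users\\jdoe\\Pictures\\photo.jpg -> C:\\Users\\jdoe\\Pictures\\photo.jpg.RYK
2021-03-06T02:15:04 pid=7712 image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\lan.exe op=CREATE path=C:\\Users\\jdoe\\Documents\\README_TO_RESTORE.txt
"""


def _basename(path):
    return re.split(r"[\\/]", path)[-1]


def _ext(path):
    name = _basename(path)
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def parse_events(text):
    """Parse log lines into dicts; lines not in the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        if ev["op"] == "RENAME" and " -> " in ev["path"]:
            ev["src"], ev["dst"] = ev["path"].split(" -> ", 1)
        else:
            ev["src"] = ev["dst"] = ev["path"]
        events.append(ev)
    return events


def detect(text, window=timedelta(seconds=60), rename_threshold=5):
    """Return one alert per process that mass-renames files to a single new
    extension within `window`; a ransom-note drop is reported as corroboration."""
    findings = {}                       # pid -> alert dict
    recent = defaultdict(deque)         # pid -> (ts, new_ext) of suspicious renames
    for ev in parse_events(text):
        pid, reasons = ev["pid"], set()
        if ev["op"] == "RENAME":
            old_ext, new_ext = _ext(ev["src"]), _ext(ev["dst"])
            if new_ext and new_ext != old_ext and new_ext not in BENIGN_TARGET_EXT:
                q = recent[pid]
                q.append((ev["ts"], new_ext))
                while q and ev["ts"] - q[0][0] > window:   # slide the window
                    q.popleft()
                # Many renames, all to the same unfamiliar extension: an encryption pass.
                if len(q) >= rename_threshold and len({e for _, e in q}) == 1:
                    reasons.add("mass_rename_to_" + new_ext)
        elif ev["op"] in ("CREATE", "WRITE"):
            name = _basename(ev["dst"])
            if NOTE_NAME_RE.search(name) and _ext(name) in NOTE_EXT:
                reasons.add("ransom_note_" + name)
        if reasons:
            a = findings.setdefault(pid, {"pid": pid, "image": ev["image"],
                                          "first_seen": ev["ts"], "reasons": set()})
            a["reasons"] |= reasons
    # A note-like filename alone is too noisy; require the rename burst to alert.
    return [a for a in findings.values()
            if any(r.startswith("mass_rename_to_") for r in a["reasons"])]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["pid"], alert["image"], alert["first_seen"], sorted(alert["reasons"]))
```

Run as a script it reports pid 7712 with both the rename burst and the note; the explorer.exe session is not flagged because its one rename keeps the same extension. Real EDR engines add process lineage, shadow-copy deletion and entropy of written data to this picture, and a single heuristic like this should be tuned against normal traffic before it is allowed to kill processes. It is also no substitute for offline or immutable backups: an intruder holding domain administrator rights can simply uninstall the agent before starting the encryption run.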
Progent's Ransomware Restoration Help
Paying the ransom in cryptocurrency gives no assurance that the criminals will hand over working decryption keys, or that those keys will recover all of your data. A Kaspersky Lab survey found that 17% of victims who paid never recovered their data, compounding the loss. The gamble is also expensive: Ryuk ransoms are typically a few hundred thousand dollars, and for larger enterprises can run into the millions. The alternative is to rebuild the vital parts of your IT environment. Without complete, intact backups this calls for a broad range of skills, strong project management, and a willingness to work around the clock until the job is done.
For twenty years, Progent has provided professional IT services to businesses throughout the US and holds Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals with high-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's security specialists hold internationally recognized credentials including CISA, CISSP-ISSAP, ISACA CRISC, SANS GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has expertise in financial systems and ERP applications. This breadth of experience gives Progent the skills to rapidly identify the systems that matter, consolidate the remaining components of your network after a crypto-ransomware event, and rebuild them into a functioning whole.
Progent's ransomware team uses proven project management practices to coordinate the complicated recovery process. Progent knows the importance of acting quickly and working together with a client's management and IT staff to prioritize tasks and bring the most important services back online as fast as humanly possible.
Case Study: A Successful Ransomware Penetration Response
A client engaged Progent after their network was taken over by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because of code it shares with the older Hermes ransomware; later analysis tied it to a Russian-speaking criminal group that typically delivers it through an earlier TrickBot or Emotet infection. Ryuk targets organizations with little tolerance for downtime and is among the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and Tribune Publishing, publisher of the Chicago Tribune. Progent's client is a small manufacturer in the Chicago metro area with around 500 staff. The Ryuk intrusion had brought down all essential business and manufacturing operations. Most of the client's backups were online and reachable from the compromised network when the attack began, and were encrypted along with the production data. The client was arranging financing to pay the ransom (more than $200,000) and hoping for the best, but in the end reached out to Progent.
Progent worked together with the client to rapidly assess and assign priority to the key services that had to be recovered in order to restart business operations:
Within 2 days, Progent had rebuilt Active Directory to its pre-attack state. Progent then completed reinstallation and storage recovery of the required applications. All Exchange Server data and configuration information were intact, which greatly simplified the Exchange rebuild. Progent located intact OST files (Outlook Offline Data Files) on staff desktops and laptops and used them to recover mailbox data. A fairly recent offline backup of the business's accounting system made it possible to bring that essential service back online for users. Although a great deal of work remained to recover fully from the Ryuk damage, critical systems were restored rapidly:
Over the next few weeks important milestones in the recovery project were achieved through close collaboration between Progent team members and the customer:
Conclusion
A likely business catastrophe was averted through the efforts of dedicated professionals, a wide range of subject matter expertise, and tight collaboration. In hindsight, the attack described here could have been stopped with current security technology and best practices, staff training, well thought out procedures for protecting information (including backups kept offline or otherwise unreachable from the production network), and proper patch management. But the criminal groups and state-sponsored actors behind these attacks, operating from Russia, North Korea, China and elsewhere, are tireless and will keep coming. If you do fall victim to a crypto-ransomware attack, remember that Progent's team has extensive experience in ransomware prevention, mitigation, and information systems recovery.
Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Expertise in Chatsworth
For ransomware system recovery expertise in the Chatsworth area, call Progent at