Ransomware: Your Crippling Information Technology Disaster
Ransomware has become a modern cyber pandemic that poses an extinction-level danger for businesses vulnerable to an attack. Older families of ransomware such as the CryptoLocker, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been around for a long time and still inflict harm. Modern crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, along with frequent unnamed malware, not only encrypts critical online data but also infects any system backups it can reach. Data replicated to the cloud can be encrypted as well. In a poorly designed data protection solution, this can make automated recovery impossible and effectively knocks the datacenter back to square one.
Restoring services and data after a ransomware intrusion becomes a race against the clock as the victim struggles to stop the spread, remove the crypto-ransomware, and resume mission-critical activity. Because crypto-ransomware needs time to replicate, intrusions are often sprung on weekends and holidays, when a successful attack may take longer to discover. This multiplies the difficulty of promptly assembling and organizing an experienced mitigation team.
Progent offers a range of services for protecting Chesapeake enterprises from ransomware events. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of the latest generation of security solutions that use machine learning to rapidly discover and suppress zero-day cyber threats. Progent also provides experienced ransomware recovery consultants with the skills and commitment to re-deploy a compromised system as rapidly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware event, paying the ransom in Bitcoin cryptocurrency provides no assurance that the criminal gang will hand over the keys to decrypt all your data. Kaspersky Labs ascertained that 17% of ransomware victims never restored their files after paying the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the usual ransomware demand, which ZDNET determined to be in the range of $13,000 for small businesses. The other path is to re-install the critical elements of your IT environment. Without access to complete system backups, this calls for a wide range of skills, top-notch team management, and the ability to work non-stop until the recovery project is complete.
For twenty years, Progent has provided certified expert Information Technology services for businesses across the US and has achieved Microsoft's Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have earned advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial management and ERP applications. This breadth of expertise gives Progent the ability to rapidly understand the systems that matter, organize the surviving parts of your network environment following a ransomware attack, and configure them into an operational system.
Progent's security group uses best-of-breed project management tools to orchestrate the complicated recovery process. Progent appreciates the urgency of acting swiftly and in concert with a client's management and Information Technology resources to prioritize tasks and bring key systems back on line as fast as possible.
Case Study: A Successful Ransomware Attack Response
A small business contacted Progent after their organization was brought down by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean state-sponsored cybercriminals, possibly using algorithms leaked from the United States National Security Agency. Ryuk targets specific companies with little room for operational disruption and is among the most lucrative incarnations of ransomware. Major victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer based in Chicago with around 500 staff members. The Ryuk event had frozen all business operations and manufacturing processes. Most of the client's backups had been directly accessible at the beginning of the intrusion and were destroyed. The client considered paying the ransom demand (exceeding $200K) and hoping for good luck, but ultimately engaged Progent.
Progent worked together with the client to rapidly assess and assign priority to the mission critical services that had to be addressed to make it possible to resume company functions:
Within 2 days, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then began rebuilding key systems and recovering their hard drives. All Microsoft Exchange Server schema and attributes were intact, which facilitated the restore of Exchange. Progent located intact OST files (Outlook Offline Data Files) on staff workstations and used them to recover mail messages. A recent offline backup of the business's accounting/ERP software made it possible to return these essential applications to users. Although significant work remained to recover fully from the Ryuk event, essential systems were recovered rapidly:
Throughout the following month, key milestones in the recovery process were completed in close collaboration between Progent engineers and the customer:
Conclusion
A possible business-killing catastrophe was averted thanks to dedicated professionals, a wide array of technical expertise, and close collaboration. In the post-mortem analysis, the ransomware attack described here should have been stopped by current cyber security systems and NIST Cybersecurity Framework best practices, user training, well thought out security procedures for information protection, and keeping systems up to date with security patches. The reality, however, is that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware attack, remember that Progent's roster of experts has proven experience in ransomware blocking, removal, and file disaster recovery.
Download the Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Consulting in Chesapeake
For ransomware system restoration services in the Chesapeake metro area, phone Progent at