Ransomware: Your Worst IT Disaster
Ransomware has become an escalating cyber pandemic and an enterprise-level danger for businesses of all sizes that are poorly prepared for an attack. Ransomware families such as Reveton, Fusob, Bad Rabbit, SamSam and MongoLock have been circulating for years and still cause damage. Newer crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, along with a steady stream of as yet unnamed malware, not only encrypt online data files but also seek out and encrypt or delete any backups they can reach. Files synchronized to the cloud can be overwritten with their encrypted versions as well. In a vulnerable environment this can make automated recovery impossible and effectively knocks the network back to square one.
Getting applications and data back after a crypto-ransomware intrusion becomes a sprint against the clock as the targeted business tries to contain and eradicate the malware while restoring business-critical activity. Because encryption takes time to spread across a network, attacks are usually launched at night or over weekends, when they are likely to go undetected for longer. This multiplies the difficulty of quickly assembling and coordinating a capable response team.
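The off-hours encryption burst described above is exactly the pattern a file-server or endpoint detector should be looking for. As an added illustration (example code written for this page, not Progent's ProSight tooling and not part of the original case study), the following Python script scans a constructed set of file-server audit events for one account renaming many documents to an unknown extension, or overwriting plain-text files with random-looking bytes, inside a short window, and records whether the burst fell on a night or weekend. The audit record format, the `.RYK` extension in the sample, the business-hours range and the thresholds are assumptions for the example.

```python
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Extensions that normal users legitimately create on the file server (assumed list).
DOC_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".pst", ".ost", ".bak"}
# Plain-text formats only: Office files and PDFs are compressed, so their entropy is
# already high and an entropy test on them would produce false positives.
TEXT_EXTS = {".txt", ".csv"}


@dataclass
class FileEvent:
    """One file-server audit record (hypothetical format for this example)."""
    ts: datetime
    user: str
    op: str              # "write" or "rename"
    path: str
    new_path: str = ""   # destination for renames
    sample: bytes = b""  # first bytes written, assumed to be captured by the audit hook


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or random data approaches 8.0, prose stays near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_suspicious(ev: FileEvent) -> bool:
    """Heuristics for the two things crypto-ransomware does to a document."""
    if ev.op == "rename":
        old_ext = PurePosixPath(ev.path).suffix.lower()
        new_ext = PurePosixPath(ev.new_path).suffix.lower()
        # A document renamed to an extension nobody uses (e.g. report.xlsx -> report.xlsx.RYK).
        return old_ext in DOC_EXTS and new_ext not in DOC_EXTS
    if ev.op == "write":
        ext = PurePosixPath(ev.path).suffix.lower()
        # A plain-text file overwritten with random-looking bytes.
        return ext in TEXT_EXTS and shannon_entropy(ev.sample) > 7.0
    return False


def off_hours(ts: datetime) -> bool:
    """Weekend or outside 07:00-19:00 local time (assumed business hours)."""
    return ts.weekday() >= 5 or not 7 <= ts.hour < 19


def detect_bursts(events, window=timedelta(minutes=5), threshold=20):
    """Alert when one account produces >= threshold suspicious events inside `window`."""
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if is_suspicious(ev):
            per_user[ev.user].append(ev.ts)

    alerts = []
    for user, times in per_user.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "user": user,
                    "window_start": times[start],
                    "suspicious_events": len(times),
                    "off_hours": off_hours(times[start]),
                })
                break                          # one alert per account is enough
    return alerts


def build_sample_events():
    """Constructed audit log: eight normal edits, then a Saturday 02:13 encryption burst."""
    events = []
    workday = datetime(2020, 6, 10, 10, 0)     # a Wednesday morning
    for i in range(8):
        events.append(FileEvent(workday + timedelta(minutes=3 * i), "alice", "write",
                                f"/finance/notes{i}.txt",
                                sample=b"Quarterly review notes, line " * 8))
    burst = datetime(2020, 6, 13, 2, 13)       # Saturday, small hours
    for i in range(30):
        path = f"/finance/report{i}.xlsx"
        events.append(FileEvent(burst + timedelta(seconds=4 * i), "svc-backup", "rename",
                                path, new_path=path + ".RYK"))
    events.append(FileEvent(burst + timedelta(seconds=130), "svc-backup", "write",
                            "/finance/ledger.csv", sample=bytes(range(256))))
    return events


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_events()):
        print(alert)
```

Two design points matter in practice. The entropy test is deliberately restricted to plain-text extensions: Office documents, PDFs and archives are already compressed, so an entropy threshold applied to them fires constantly, and the rename heuristic is the reliable signal for those. Second, a detector like this only buys time; it is worth nothing if the backups the responders fall back on were reachable from the same compromised account, which is why the off-hours flag should raise severity rather than wait for a business-hours review.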
Progent offers a range of services for protecting Cleveland businesses from ransomware attacks. These include user training to help staff recognize and avoid phishing, ProSight Active Security Monitoring for endpoint detection and response, which uses SentinelOne's AI-based threat defense to identify and shut down zero-day malware attacks, and the assistance of seasoned ransomware recovery consultants with the skills and perseverance to restore a breached environment as quickly as possible.
Progent's Ransomware Recovery Support Services
After a crypto-ransomware attack, paying the ransom in cryptocurrency does not guarantee that the remote criminals will provide the keys to decrypt any or all of your files. Kaspersky Labs found that 17% of ransomware victims never recovered their data after paying the ransom, compounding their losses. The ransoms themselves are also expensive. Ryuk demands frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far higher than the average crypto-ransomware demand, which ZDNet estimated at around $13,000 for small businesses. The alternative is to rebuild the critical elements of your IT environment from scratch. Without access to complete backups, this requires a wide range of skill sets, professional project management, and the willingness to work around the clock until the recovery is done.
For decades, Progent has offered expert IT services to businesses throughout the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who hold top certifications in leading technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cyber security consultants hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent also has expertise with accounting and ERP applications. This breadth of expertise lets Progent rapidly identify the necessary systems, integrate the surviving components of your network environment following a crypto-ransomware intrusion, and rebuild them into a functioning whole.
Progent's security team uses state-of-the-art project management systems to coordinate the sophisticated restoration process. Progent understands the urgency of acting quickly and in concert with a customer's management and IT resources to assign priority to tasks and to get the most important applications back on line as soon as possible.
Client Case Study: A Successful Ransomware Attack Restoration
A client sought out Progent after their organization was hit by the Ryuk crypto-ransomware. Early reports attributed Ryuk to North Korean state-sponsored hackers because its code overlaps with the earlier Hermes ransomware; later analysis tied its operation to a Russian-speaking criminal group. Ryuk targets specific organizations with little or no tolerance for operational disruption and is one of the most profitable strains of crypto-ransomware. Widely publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer based in Chicago with around 500 employees. The Ryuk intrusion had shut down all business operations and manufacturing processes. Most of the client's backups had been online at the start of the intrusion and were encrypted along with the production data. The client was preparing to pay the ransom demand (more than $200K) and hoping for the best, but ultimately reached out to Progent.
Progent worked hand in hand with the customer to quickly assess and prioritize the essential systems that needed to be addressed to resume departmental operations:
In less than two days, Progent rebuilt Active Directory to its pre-intrusion state. Progent then moved on to rebuilding critical applications and recovering their storage. All Exchange Server connections and configuration data were intact, which greatly simplified the Exchange rebuild. Progent collected local OST files (Microsoft Outlook Offline Data Files) from user workstations and laptops to recover mail messages. A recent offline backup of the client's accounting software made it possible to bring these essential applications back online. Although much work remained to recover fully from the Ryuk event, essential systems were returned to operation quickly:
Over the following month, critical milestones in the recovery project were reached through close collaboration between Progent engineers and the customer:
Conclusion
A potentially company-killing disaster was averted by results-oriented professionals, a broad spectrum of IT skills, and close collaboration. Although the post-incident forensic review concluded that the crypto-ransomware attack described here should have been detected and blocked by modern security technology, ISO/IEC 27001 best practices, staff training, properly executed incident response procedures, protected backups and sound patching controls, the reality is that state-sponsored and criminal attackers operating from China, Russia, North Korea and elsewhere are tireless and an ongoing threat. If you do fall victim to a ransomware attack, remember that Progent's team of experts has proven experience in ransomware defense, remediation, and disaster recovery of information systems.
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Consulting in Cleveland
For ransomware cleanup consulting in the Cleveland metro area, phone Progent at