Ransomware: Your Feared Information Technology Catastrophe
Ransomware has become an escalating cyber plague that represents an existential threat to organizations unprepared for an attack. Successive iterations of crypto-ransomware such as the Dharma, WannaCry, Locky, SamSam and MongoLock cryptoworms have been spreading for many years and continue to inflict harm. More recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, plus new and as yet unnamed malware appearing daily, not only encrypt online critical data but also compromise most of the system protections that are reachable from the infected network. Files replicated to off-site disaster recovery sites can also be corrupted. In a poorly architected environment, this can render any restoration useless and effectively set the datacenter back to square one.
Recovering applications and information after a ransomware event becomes a sprint against time as the victim struggles to contain and clear the crypto-ransomware and to restore mission-critical operations. Because ransomware needs time to spread, attacks are often launched at night, when a successful intrusion typically takes longer to uncover. This multiplies the difficulty of quickly marshalling and orchestrating an experienced mitigation team.
Progent provides a variety of services for securing Chandler businesses against ransomware attacks. Among these are team training to help identify and avoid phishing exploits, and ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR), which uses SentinelOne's AI-based threat protection to detect and quarantine zero-day modern malware attacks. Progent can also provide the assistance of expert ransomware recovery professionals with the skill and commitment to reconstruct a breached environment as quickly as possible.
Progent's Ransomware Restoration Services
After a ransomware attack, paying the ransom in cryptocurrency does not ensure that the cyber criminals will provide the keys to decrypt any or all of your files. Kaspersky Labs estimated that 17% of crypto-ransomware victims never restored their data even after having paid the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than typical ransomware demands, which ZDNET estimated to be in the range of $13,000 for smaller organizations. The alternative is to rebuild the vital elements of your IT environment from scratch. Without the availability of essential data backups, this requires a wide range of skill sets, well-coordinated project management, and the ability to work continuously until the task is complete.
For decades, Progent has provided expert Information Technology services for businesses throughout the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who hold advanced industry certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have earned internationally recognized certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience with accounting and ERP applications. This breadth of expertise gives Progent the ability to quickly understand the necessary systems, integrate the surviving pieces of your Information Technology environment following a crypto-ransomware event, and rebuild them into a functioning network.
Progent's ransomware team of experts uses top-notch project management applications to orchestrate the sophisticated restoration process. Progent knows the importance of working quickly and in unison with a customer's management and Information Technology staff to prioritize tasks and to bring key services back online as fast as humanly possible.
Client Case Study: A Successful Ransomware Incident Restoration
A customer sought out Progent after their company was brought down by the Ryuk crypto-ransomware. Ryuk is thought to have been developed by North Korean state-sponsored cybercriminals, suspected of using technology exposed from America's National Security Agency. Ryuk targets specific companies with little ability to sustain disruption and is one of the most profitable instances of ransomware. High-profile victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in Chicago with about 500 employees. The Ryuk event had brought down all essential operations and manufacturing processes. Most of the client's backups had been online at the time of the intrusion and were encrypted. The client was pursuing financing to pay the ransom demand (more than two hundred thousand dollars) and hoping for good luck, but in the end turned to Progent.
Progent worked together with the client to rapidly assess and assign priority to the essential areas that needed to be addressed in order to continue business functions:
In less than 48 hours, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then performed setup and storage recovery of essential applications. All Exchange data and attributes were usable, which facilitated the rebuild of Exchange. Progent was also able to locate intact OST data files (Microsoft Outlook Offline Folder Files) on user desktop computers and laptops in order to recover mail data. A recent offline backup of the client's manufacturing software made it possible to bring these vital applications back online. Although a great deal of work remained to recover completely from the Ryuk attack, critical systems were restored rapidly:
Over the following weeks, key milestones in the recovery process were accomplished in close collaboration between Progent consultants and the client:
Conclusion
A potential business-ending disaster was averted through hard-working experts, a broad array of knowledge, and close collaboration. Forensics later showed that the ransomware attack detailed here should have been identified and blocked by up-to-date cyber security technology and ISO/IEC 27001 best practices, team education, and appropriate security procedures for data backup and software patching. The reality remains, however, that state-sponsored cybercriminals from China, North Korea and elsewhere are tireless and will keep attacking. If you do fall victim to a ransomware incident, be confident that Progent's team of experts has substantial experience in crypto-ransomware blocking, removal, and information systems restoration.
Download the Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB)
Contact Progent for Ransomware Recovery Consulting in Chandler
For ransomware system restoration consulting services in the Chandler area, phone Progent at