Ransomware: Your Feared IT Catastrophe
Ransomware has become an escalating cyber plague that presents an enterprise-level threat to businesses of all sizes that are unprepared for an attack. Older families such as CryptoLocker, WannaCry, Locky and MongoLock have circulated for years and continue to cause havoc. Newer strains like Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nefilim, along with a steady stream of unnamed newcomers, not only encrypt online data but also delete Volume Shadow Copies and system restore points and encrypt every backup they can reach. Data replicated to off-premises disaster recovery sites can be encrypted as well. In a vulnerable environment this can make automated restoration hopeless and effectively sets the network back to square one.
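The backup and restore-point destruction described above is usually carried out with a handful of well-known built-in Windows commands (vssadmin, wmic, bcdedit, wbadmin) run shortly before encryption starts. The following is an added example, not code from Progent or from any ransomware family's own tooling: it scans constructed process-creation log lines for those command patterns and then flags any host where several distinct techniques fire within a short window, which is a far stronger signal than a single vssadmin call that an administrator might run legitimately. The log format (tab-separated timestamp, host, user, parent process, command line) and the sample lines are assumptions made for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Command-line patterns that Ryuk, Conti and similar strains run to destroy
# local recovery options before encrypting. Matched against a normalised,
# lower-cased command line.
PATTERNS = [
    ("vss_delete_vssadmin", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vss_resize_vssadmin", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("vss_delete_wmic", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("vss_delete_powershell", re.compile(
        r"\b(get-wmiobject|gwmi|get-ciminstance)\b.*\bwin32_shadowcopy\b.*"
        r"\b(delete|remove-wmiobject|remove-ciminstance)\b")),
    ("bootrecovery_disable", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b.*\bno\b")),
    ("bootstatuspolicy_ignore", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b.*\bignoreallfailures\b")),
    ("backup_catalog_delete", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b")),
]

# Constructed sample log: six destructive commands on FS01 in a four-second
# burst, plus two benign lines (Outlook launch, a read-only vssadmin query).
SAMPLE_LOG = """\
2023-05-14T02:13:07Z\tFS01\tCORP\\svc_backup\tcmd.exe\tvssadmin.exe Delete Shadows /all /quiet
2023-05-14T02:13:08Z\tFS01\tCORP\\svc_backup\tcmd.exe\tvssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
2023-05-14T02:13:09Z\tFS01\tCORP\\svc_backup\tcmd.exe\tWMIC.exe shadowcopy delete
2023-05-14T02:13:10Z\tFS01\tCORP\\svc_backup\tcmd.exe\tbcdedit /set {default} recoveryenabled No
2023-05-14T02:13:10Z\tFS01\tCORP\\svc_backup\tcmd.exe\tbcdedit /set {default} bootstatuspolicy ignoreallfailures
2023-05-14T02:13:11Z\tFS01\tCORP\\svc_backup\tcmd.exe\twbadmin DELETE CATALOG -quiet
2023-05-14T09:02:44Z\tWS17\tCORP\\jdoe\texplorer.exe\t"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
2023-05-14T09:30:01Z\tFS01\tNT AUTHORITY\\SYSTEM\tsvchost.exe\tvssadmin.exe list shadows
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    rule: str
    command_line: str


def normalise(cmd: str) -> str:
    # Drop quotes and collapse whitespace so case/quoting tricks do not evade the regexes.
    return " ".join(cmd.replace('"', " ").split()).lower()


def classify(cmd: str) -> Optional[str]:
    # Return the first matching rule name, or None for a benign command line.
    norm = normalise(cmd)
    for rule, pattern in PATTERNS:
        if pattern.search(norm):
            return rule
    return None


def scan(log_text: str) -> list[Alert]:
    # One Alert per log line whose command line matches a destructive pattern.
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, _parent, cmd = line.split("\t", 4)
        rule = classify(cmd)
        if rule:
            alerts.append(Alert(ts, host, user, rule, cmd))
    return alerts


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def burst_hosts(alerts: list[Alert], window_seconds: int = 60, min_rules: int = 3) -> dict[str, set[str]]:
    # Flag hosts where at least min_rules *distinct* techniques fire inside one window.
    by_host: dict[str, list[Alert]] = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    flagged: dict[str, set[str]] = {}
    for host, items in by_host.items():
        items.sort(key=lambda a: a.timestamp)  # ISO 8601 sorts lexically
        times = [_parse_ts(a.timestamp) for a in items]
        for i in range(len(items)):
            rules = {items[i].rule}
            for j in range(i + 1, len(items)):
                if (times[j] - times[i]).total_seconds() > window_seconds:
                    break
                rules.add(items[j].rule)
            if len(rules) >= min_rules:
                flagged[host] = flagged.get(host, set()) | rules
    return flagged


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.host} {a.user} [{a.rule}] {a.command_line}")
    for host, rules in burst_hosts(found).items():
        print(f"BURST on {host}: {len(rules)} distinct techniques -> likely pre-encryption stage")
```

On the sample data this reports six alerts, all on FS01, and flags that host as a burst; the read-only `vssadmin list shadows` and the Outlook launch are ignored. In a real deployment the same logic belongs in the EDR or SIEM, fed by Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled, and a burst should trigger network isolation of the host rather than just an alert.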
Recovering services and data after a ransomware attack becomes a race against the clock as the targeted business tries to contain the infection, remove the ransomware, and resume mission-critical operations. Because ransomware takes time to spread through a network, and because the attackers want encryption to finish before anyone notices, the final encryption stage is usually triggered at night or over a weekend, when a successful intrusion is likely to take longer to discover. This multiplies the difficulty of quickly assembling and coordinating a capable response team.
Progent provides a range of services for protecting Chandler businesses from ransomware attacks. These include staff training to help employees recognize and avoid phishing attempts, and ProSight Active Security Monitoring, an endpoint detection and response (EDR) service built on SentinelOne's behavior-based threat protection, which can detect and contain zero-day and other modern malware attacks. Progent also offers the services of veteran ransomware recovery consultants with the skill and perseverance to rebuild a compromised environment as quickly as possible.
Progent's Ransomware Recovery Help
After a ransomware event, paying the ransom in cryptocurrency provides no assurance that the attackers will hand over working decryption keys for any or all of your files. Kaspersky Lab found that 17% of ransomware victims never recovered their files after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms are typically a few hundred thousand dollars, and for larger enterprises the demand can reach millions. The other path is to rebuild the critical components of your IT environment. Without complete, uncompromised backups, this calls for a wide range of skills, professional project management, and the willingness to work around the clock until the recovery is done.
For decades, Progent has offered expert IT services to companies across the U.S. and holds Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers with high-level certifications in leading technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's cybersecurity consultants hold internationally recognized industry certifications including CISM, CISSP, CRISC, GIAC and CMMC 2.0 (see Progent's certifications). Progent also has experience with accounting and ERP software. This breadth of experience allows Progent to identify the important systems, integrate the surviving parts of your network following a ransomware event, and assemble them into a functioning whole.
Progent's recovery team uses top-notch project management tools to orchestrate the complex restoration process. Progent appreciates the urgency of working rapidly and together with a client's management and IT staff to prioritize tasks and bring essential applications back online as soon as possible.
Case Study: A Successful Ransomware Intrusion Recovery
A business hired Progent after its operations were shut down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it is derived from the Hermes ransomware used by the Lazarus Group, but later analysis attributes it to Russian-speaking criminal groups. Ryuk targets specific organizations with little tolerance for downtime and has been one of the most lucrative ransomware operations. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturer located in the Chicago metro area with around 500 staff members. The Ryuk attack had brought down all company operations and manufacturing capability. Most of the client's data backups had been online at the start of the attack and were eventually encrypted. The client considered paying the ransom (in excess of $200K) and hoping for the best, but ultimately called Progent.
Progent worked with the client to rapidly identify and prioritize the mission critical areas that needed to be restored to make it possible to restart departmental operations:
Within two days, Progent had restored Active Directory to its pre-attack state. Progent then moved on to reinstalling key applications and recovering their storage. The Exchange Server schema extensions and attributes in Active Directory were intact, which simplified rebuilding Exchange. Progent collected local Outlook Offline Data Files (.ost) from workstations and laptops to recover users' mailbox contents. A recent offline backup of the customer's accounting systems made it possible to bring those essential applications back online. Although a great deal of work remained to recover fully from the Ryuk damage, essential services were restored quickly:
Over the following weeks, important milestones in the restoration were reached through tight cooperation between Progent team members and the customer:
Conclusion
A potentially company-ending catastrophe was averted through the efforts of results-oriented experts, a broad range of knowledge, and close collaboration. In hindsight, the attack described here should have been detected and blocked by modern security tooling and best practices: staff training, well-designed backup procedures that include offline copies, and disciplined patch management. But criminal and state-aligned ransomware operators based in Russia, China and elsewhere are tireless and will keep trying. If you do fall victim to a ransomware attack, remember that Progent's roster of professionals has a proven track record in ransomware defense, remediation, and disaster recovery.
Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Services in Chandler
For ransomware system recovery consulting services in the Chandler metro area, call Progent at