Ransomware : Your Worst IT Catastrophe
Crypto-ransomware has become a modern cyberplague that presents an enterprise-level danger for businesses unprepared for an attack. Multiple generations of crypto-ransomware, such as the CrySIS, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms, have been circulating for years and continue to inflict havoc. More recent ransomware families such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Egregor, plus additional as yet unnamed newcomers, not only encrypt online data but also infiltrate any configured system backups. Files synchronized to cloud environments can also be rendered useless. In a vulnerable system, this can make automatic restore operations impossible and effectively knocks the network back to square one.
Retrieving programs and data following a crypto-ransomware outage becomes a sprint against the clock as the targeted business tries its best to contain and eradicate the ransomware and to resume mission-critical activity. Since ransomware requires time to replicate, attacks are usually launched on weekends and holidays, when a successful penetration may take longer to discover. This compounds the difficulty of promptly assembling and coordinating a capable response team.
Progent provides a variety of support services for protecting Hartford businesses from ransomware attacks. Among these are user training to help staff recognize and avoid phishing scams, and ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR), which uses SentinelOne's AI-based cyberthreat protection to identify and quarantine zero-day modern malware attacks. Progent also offers the services of seasoned ransomware recovery consultants with the track record and commitment to restore a compromised network as rapidly as possible.
Progent's Ransomware Restoration Services
Following a ransomware event, paying the ransom demand in Bitcoin cryptocurrency does not ensure that the cyber criminals will provide the keys needed to decrypt any of your data. Kaspersky Labs determined that 17% of ransomware victims never recovered their information even after paying the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms often range from 15-40 BTC (roughly $120,000 to $400,000). This is significantly above the usual ransomware demand, which ZDNET determined to be around $13,000 for smaller businesses. The alternative is to set up the essential parts of your IT environment from scratch. Without access to complete data backups, this requires a wide range of skill sets, top-notch team management, and the capability to work continuously until the task is done.
For twenty years, Progent has offered professional Information Technology services for companies throughout the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have attained advanced certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have garnered internationally renowned industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise in accounting and ERP application software. This breadth of expertise gives Progent the ability to quickly identify critical systems, re-organize the remaining components of your computer network environment following a ransomware event, and assemble them into an operational system.
Progent's recovery team of experts utilizes powerful project management tools to orchestrate the complicated restoration process. Progent understands the urgency of working swiftly and in unison with a customer's management and IT team members to prioritize tasks and to get essential systems back on-line as fast as humanly possible.
Customer Story: A Successful Ransomware Attack Response
A customer engaged Progent after their network was penetrated by the Ryuk crypto-ransomware. Ryuk is believed to have been launched by North Korean state-sponsored criminal gangs, possibly using techniques leaked from the United States National Security Agency. Ryuk targets specific organizations with limited tolerance for operational disruption and is among the most lucrative iterations of ransomware malware. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business based in the Chicago metro area with around 500 employees. The Ryuk intrusion had paralyzed all essential business operations and manufacturing capabilities. Most of the client's data backups had been online at the start of the attack and were encrypted. The client was evaluating paying the ransom (more than $200,000) and hoping for the best, but in the end engaged Progent.
Progent worked with the customer to quickly assess and assign priority to the critical services that needed to be recovered to make it possible to continue departmental operations:
In less than 2 days, Progent was able to rebuild Active Directory services to their pre-penetration state. Progent then assisted with reinstallations and hard drive recovery on mission-critical systems. All Exchange Server connections and configuration information were usable, which accelerated the rebuild of Exchange. Progent was able to collect local OST files (Outlook Offline Data Files) from various PCs to recover mail data. A recent offline backup of the client's financial/ERP systems made it possible to bring these required services back online for users. Although significant work remained to recover completely from the Ryuk attack, essential systems were recovered rapidly:
Over the following month important milestones in the recovery process were completed through tight collaboration between Progent consultants and the client:
Conclusion
A potential business-ending disaster was averted through the efforts of top-tier professionals, a wide array of subject matter expertise, and tight collaboration. Although forensics showed after the fact that the ransomware intrusion described here could have been identified and stopped with modern security technology and best practices, user and IT administrator training, and properly executed incident response procedures covering data protection and patch management, the reality remains that state-sponsored cybercriminals from Russia, China and elsewhere are relentless and are an ongoing threat. If you do fall victim to a crypto-ransomware attack, remember that Progent's roster of professionals has substantial experience in ransomware blocking, removal, and information systems disaster recovery.
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Consulting in Hartford
For ransomware system recovery consulting services in the Hartford area, call Progent at