Ransomware: Your Worst IT Catastrophe
Ransomware has become an all-too-frequent cyber pandemic that represents an enterprise-level threat for any business vulnerable to attack. Multiple generations of ransomware such as the Dharma, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been out in the wild for years and continue to cause harm. Modern versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, as well as additional unnamed newcomers, not only encrypt online data but also infect any system restore points and backups they can reach. Files synchronized to the cloud can also be ransomed. In a poorly architected data protection solution, this can render automatic restoration hopeless and effectively knock the entire system back to zero.
Retrieving applications and data after a ransomware outage becomes a race against time as the targeted organization fights to stop lateral movement, remove the virus, and restore mission-critical operations. Because ransomware requires time to move laterally, attacks are often launched on weekends and at night, when penetrations may take longer to identify. This compounds the difficulty of quickly mobilizing and orchestrating a capable mitigation team.
Progent offers a variety of support services for protecting Porto Alegre organizations from crypto-ransomware penetrations. These include staff training to recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of the latest generation of security solutions with machine learning capabilities to rapidly discover and extinguish new cyber attacks. Progent can also provide the services of experienced crypto-ransomware recovery engineers with the skill and perseverance to restore a breached system as urgently as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware attack, paying the ransom demand in Bitcoin cryptocurrency provides no assurance that the remote criminals will supply the keys needed to decrypt any or all of your information. Kaspersky determined that 17% of ransomware victims never recovered their files even after paying the ransom, resulting in further losses. The risk is also very costly: Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is well above typical ransomware demands, which ZDNET estimated at approximately $13,000 for small businesses. The fallback is to re-install the essential elements of your IT environment. Without access to complete system backups, this requires a broad complement of skills, well-coordinated team management, and the willingness to work non-stop until the job is complete.
For two decades, Progent has offered professional IT services for businesses across the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have been awarded top certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have earned internationally renowned certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise in accounting and ERP applications. This breadth of expertise gives Progent the ability to efficiently understand critical systems, re-organize the surviving parts of your IT system following a crypto-ransomware event, and rebuild them into a functioning network.
Progent's ransomware team of experts deploys best-of-breed project management systems to coordinate the sophisticated recovery process. Progent appreciates the importance of acting swiftly and in concert with a client's management and IT staff to prioritize tasks and get essential systems back online as fast as humanly possible.
Customer Case Study: A Successful Ransomware Virus Restoration
A business escalated to Progent after their network was attacked by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean government-sponsored criminal gangs, suspected of using strategies exposed from the United States National Security Agency. Ryuk goes after specific organizations with limited tolerance for disruption and is one of the most profitable iterations of crypto-ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in Chicago with about 500 employees. The Ryuk penetration had frozen all company operations and manufacturing processes. The majority of the client's data backups had been directly accessible at the start of the intrusion and were damaged. The client was considering paying the ransom (exceeding $200K) and hoping for the best, but in the end brought in Progent.
Progent worked with the customer to quickly identify and prioritize the most important areas that had to be addressed in order to keep company functions running:
In less than two days, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then initiated setup and storage recovery on critical systems. All Microsoft Exchange Server ties and attributes were intact, which greatly simplified the restore of Exchange. Progent was able to collect intact OST files (Outlook Offline Data Files) on various workstations in order to recover email messages. A recent offline backup of the customer's accounting software made it possible to bring these required applications back online for users. Although a large amount of work remained to recover fully from the Ryuk damage, core systems were returned to operation rapidly:
Over the following few weeks, important milestones in the restoration project were achieved through close collaboration between Progent team members and the customer:
Conclusion
A potential business-killing disaster was averted through the efforts of hard-working experts, a broad spectrum of technical expertise, and tight teamwork. In hindsight, the ransomware virus penetration detailed here would have been identified and stopped with current cyber security solutions and security best practices: staff education, well-designed incident response procedures for backup, and keeping systems up to date with security patches. The reality remains, however, that government-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware virus, remember that Progent's team of professionals has substantial experience in ransomware virus defense, cleanup, and information systems recovery.
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Services in Porto Alegre
For ransomware system restoration consulting in the Porto Alegre metro area, call Progent at