Ransomware : Your Worst Information Technology Disaster
Crypto-ransomware has become an all-too-frequent cyber pandemic that presents an enterprise-level danger for any business vulnerable to an attack. Multiple generations of ransomware such as Reveton, WannaCry, Locky, Syskey and MongoLock cryptoworms have been in the wild for many years and continue to inflict havoc. Modern strains such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Nephilim, plus more as yet unnamed variants, not only encrypt online files but also target every reachable system protection, including backups. Files synced to the cloud can also be rendered useless. With a poorly designed data protection solution, this can make automatic recovery impossible and effectively knocks the entire system back to zero.
Getting services and information back online following a crypto-ransomware intrusion becomes a race against the clock as the targeted business tries to stop the spread, clean up the ransomware, and restore mission-critical operations. Because ransomware needs time to replicate, attacks are usually launched on weekends and holidays, when intrusions often take longer to notice. This multiplies the difficulty of promptly assembling and organizing a knowledgeable mitigation team.
Progent makes available a range of services for protecting Ribeirão Preto businesses from ransomware attacks. These include staff education to recognize and avoid falling victim to phishing attempts, and ProSight Active Security Monitoring (ASM), an endpoint detection and response (EDR) service built on SentinelOne's AI-based cyberthreat defense to detect and disable zero-day modern malware attacks. Progent can also provide expert crypto-ransomware recovery consultants with the track record and commitment to re-deploy a breached environment as rapidly as possible.
Progent's Ransomware Restoration Services
Following a crypto-ransomware attack, even paying the ransom in cryptocurrency provides no assurance that the criminal gang will return the keys needed to decrypt your information. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their files even after paying the ransom, resulting in additional losses. The cost is also steep. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than typical ransomware demands, which ZDNET determined to be around $13,000 for small organizations. The fallback is to re-install the key components of your Information Technology environment. Without complete system backups, this requires a broad complement of skill sets, professional project management, and the ability to work non-stop until the recovery project is finished.
For decades, Progent has provided professional Information Technology services for companies throughout the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have attained high-level industry certifications in leading technologies from Microsoft, Cisco and VMware, and in major distributions of Linux. Progent's cybersecurity experts have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience with accounting and ERP applications. This breadth of expertise allows Progent to quickly understand your important systems, consolidate the surviving components of your network following a ransomware attack, and rebuild them into an operational system.
Progent's ransomware group uses best-of-breed project management systems to coordinate the complex restoration process. Progent understands the importance of working swiftly and in concert with a customer's management and Information Technology staff to prioritize tasks and to put key services back online as fast as possible.
Customer Case Study: A Successful Ransomware Incident Recovery
A customer sought out Progent after their organization was hit by Ryuk ransomware. Ryuk is thought to have been created by North Korean state hackers, possibly adopting algorithms leaked from the U.S. National Security Agency. Ryuk goes after specific companies with limited tolerance for disruption and is one of the most lucrative versions of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company based in Chicago with about 500 staff members. The Ryuk intrusion had frozen all business operations and manufacturing capabilities. The majority of the client's system backups had been online at the time of the intrusion and were encrypted. The client was pursuing financing to pay the ransom demand (more than two hundred thousand dollars) and hoping for good luck, but ultimately reached out to Progent.
Progent worked hand in hand with the client to quickly assess and prioritize the essential services that had to be addressed to make it possible to restart departmental operations:
Within 2 days, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then carried out reinstallations and hard drive recovery of mission-critical systems. All Microsoft Exchange Server connections and configuration information were still usable, which greatly helped the rebuild of Exchange. Progent was able to collect local OST files (Outlook Offline Data Files) from various desktop computers and laptops in order to recover mail data. A recent offline backup of the business's accounting systems made it possible to bring these required applications back online for users. Although a great deal of work remained to recover fully from the Ryuk attack, critical services were restored rapidly:
Over the next few weeks key milestones in the recovery process were made through tight collaboration between Progent engineers and the client:
Conclusion
A potential business-extinction disaster was avoided with top-tier professionals, a broad range of IT skills, and tight collaboration. Although in post-mortem the crypto-ransomware incident described here should have been identified and prevented with current cybersecurity technology and ISO/IEC 27001 best practices, user and IT administrator training, and appropriate incident response procedures for data backup and proper patching controls, the reality is that state-sponsored cyber criminals from China, North Korea and elsewhere are relentless and an ongoing threat. If you do get hit by crypto-ransomware, remember that Progent's roster of experts has substantial experience in crypto-ransomware blocking, mitigation, and data disaster recovery.
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Consulting Services in Ribeirão Preto
For ransomware cleanup expertise in the Ribeirão Preto area, phone Progent at