Ransomware: Your Crippling Information Technology Catastrophe
Ransomware has become an escalating cyberplague that represents an enterprise-level danger for businesses poorly prepared for an attack. Versions of ransomware like the Reveton, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for years and continue to cause havoc. Modern variants of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, plus frequent as yet unnamed strains, not only encrypt online files but also infiltrate every configured system restore point and backup they can reach. Files synchronized to the cloud can also be rendered useless. In a poorly architected system, this defeats automated restore operations and effectively sets the entire environment back to zero.
Restoring applications and information following a crypto-ransomware event becomes a race against time as the targeted organization tries its best to stop lateral movement, remove the malware, and restore mission-critical activity. Because ransomware requires time to spread, attacks are frequently launched on weekends, when intrusions typically take longer to recognize. This multiplies the difficulty of rapidly assembling and organizing an experienced mitigation team.
Progent makes available a range of help services for protecting Durham enterprises from crypto-ransomware events. These include staff education to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of the latest generation of security solutions with machine learning capabilities to intelligently discover and extinguish zero-day cyber attacks. Progent also can provide the assistance of veteran crypto-ransomware recovery engineers with the skills and perseverance to restore a breached environment as urgently as possible.
Progent's Ransomware Recovery Services
Subsequent to a ransomware event, paying the ransom demand in Bitcoin cryptocurrency does not ensure that the cyber hackers will provide the keys needed to decrypt all your files. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their data even after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC (between $120,000 and $400,000). This is far higher than the usual ransomware demand, which ZDNET estimated to be around $13,000 for smaller businesses. The alternative is to piece back together the key components of your IT environment. Absent access to full system backups, this calls for a wide range of skill sets, top-notch project management, and the willingness to work continuously until the recovery project is over.
For twenty years, Progent has provided professional Information Technology services for businesses across the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have been awarded top certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have earned internationally renowned industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience in financial systems and ERP applications. This breadth of expertise gives Progent the ability to knowledgeably understand important systems, integrate the remaining parts of your Information Technology environment following a crypto-ransomware attack, and rebuild them into an operational system.
Progent's recovery group uses best-of-breed project management applications to coordinate the complicated restoration process. Progent understands the urgency of acting quickly and in unison with a customer's management and IT team members to prioritize tasks and to put the most important services back online as fast as humanly possible.
Business Case Study: A Successful Crypto-Ransomware Penetration Recovery
A client sought out Progent after their network was brought down by the Ryuk crypto-ransomware. Ryuk is thought to have been deployed by North Korean government-sponsored cybercriminals, suspected of adopting technology leaked from the United States National Security Agency. Ryuk goes after specific businesses with little or no room for disruption and is one of the most lucrative incarnations of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer headquartered in Chicago with about 500 employees. The Ryuk event had brought down all business operations and manufacturing capabilities. The majority of the client's backups had been directly accessible at the beginning of the intrusion and were destroyed. The client was pursuing financing to pay the ransom (more than two hundred thousand dollars) and hoping for the best, but in the end reached out to Progent.
Progent worked together with the customer to rapidly determine and assign priority to the critical areas that needed to be restored to make it possible to resume business operations:
In less than two days, Progent was able to recover Active Directory services to their pre-attack state. Progent then helped perform setup and hard drive recovery of essential servers. All Exchange Server schema and attributes were intact, which greatly helped the rebuild of Exchange. Progent was also able to assemble intact OST files (Outlook Offline Data Files) from various PCs and laptops to recover email data. A recent offline backup of the client's manufacturing systems made it possible to bring these required applications back online for users. Although significant work still had to be done to recover totally from the Ryuk attack, critical services were recovered rapidly:
Throughout the next few weeks critical milestones in the recovery project were achieved in tight collaboration between Progent consultants and the client:
Conclusion
A likely company-ending disaster was dodged by hard-working experts, a wide range of subject matter expertise, and close collaboration. Although in retrospect the ransomware intrusion described here could have been identified and stopped with current security technology solutions and ISO/IEC 27001 best practices, user and IT administrator education, and appropriate security procedures for backups and software patching, the reality remains that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware incident, feel confident that Progent's team of experts has substantial experience in ransomware blocking, mitigation, and file disaster recovery.
Download the Crypto-Ransomware Remediation Case Study Datasheet
A PDF version of this customer case study is available: Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Recovery Expertise in Durham
For ransomware system restoration services in the Durham area, call Progent at