Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become an all-too-frequent cyberplague that poses an existential danger to organizations poorly prepared for an attack. Earlier families of ransomware such as the CryptoLocker, Fusob, Locky, Syskey and MongoLock cryptoworms have been running rampant for years and still cause harm. Modern strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Egregor, along with new as-yet-unnamed variants appearing daily, not only encrypt online files but also infiltrate many configured system backups. Files synchronized to off-premises disaster recovery sites can be ransomed as well. In a poorly designed environment, this can render restore operations useless and knock the network back to square one.
Bringing programs and data back online after a ransomware outage becomes a race against time as the targeted business struggles to stop lateral movement, remove the ransomware, and resume mission-critical activity. Because crypto-ransomware takes time to move laterally across a targeted network, attacks are often launched on weekends and at night, when successful intrusions typically take longer to discover. This compounds the difficulty of quickly assembling and organizing an experienced mitigation team.
Progent offers a range of solutions for protecting Tucson organizations from ransomware events. Among these are user education to help staff recognize and avoid phishing attacks, and ProSight Active Security Monitoring (ASM), an endpoint detection and response service that uses SentinelOne's AI-based threat protection to detect and quarantine zero-day malware attacks. Progent can also provide the services of veteran ransomware recovery professionals with the track record and perseverance to redeploy a breached network as quickly as possible.
Progent's Ransomware Recovery Help
After a crypto-ransomware attack, paying the ransom in cryptocurrency provides no assurance that the criminals will supply the keys to decrypt any or all of your data. Kaspersky estimated that seventeen percent of ransomware victims never recovered their files even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms are often several hundred thousand dollars, and for larger organizations the demand can reach millions of dollars. The alternative is to rebuild the essential elements of your Information Technology environment. Without complete backups available, this calls for a broad range of skills, first-rate project management, and the capacity to work 24x7 until the recovery project is done.
For two decades, Progent has provided expert IT services for companies across the US and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have earned top certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants hold internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, GIAC, and CMMC 2.0 (refer to Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of experience gives Progent the ability to quickly identify the systems that are needed, organize the remaining pieces of your network following a ransomware event, and assemble them into a functioning network.
Progent's security team uses best-of-breed project management systems to orchestrate the complicated restoration process. Progent appreciates the importance of working rapidly and in unison with a customer's management and IT staff to prioritize tasks and bring key systems back online as fast as humanly possible.
Client Story: A Successful Ransomware Incident Response
A customer engaged Progent after their organization was attacked by the Ryuk ransomware virus. Ryuk is generally considered to have been created by North Korean state cybercriminals, suspected of adopting techniques leaked from America's NSA. Ryuk targets specific companies with little tolerance for operational disruption and is one of the most profitable incarnations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing company based in the Chicago metro area with about 500 employees. The Ryuk intrusion had brought down all company operations and manufacturing processes. Most of the client's data backups had been online at the time of the intrusion and were destroyed. The client was preparing to pay the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but ultimately decided to engage Progent.
Progent worked hand in hand with the client to quickly identify and prioritize the critical elements that had to be recovered for company operations to continue:
Within two days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then completed setup and storage recovery for critical applications. All Microsoft Exchange Server connections and configuration information were intact, which accelerated the Exchange restore. Progent was also able to collect intact OST files (Outlook Offline Data Files) from user desktops and laptops in order to recover email messages. A relatively recent offline backup of the company's financial/ERP software made it possible to bring these vital applications back online. Although much work remained to recover fully from the Ryuk virus, core systems were restored quickly:
Over the following weeks, key milestones in the restoration process were reached through close cooperation between Progent consultants and the customer:
Conclusion
A potentially business-ending catastrophe was averted by top-tier experts, a wide spectrum of subject matter expertise, and close teamwork. In retrospect, the ransomware intrusion described here would have been detected and prevented with advanced security solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user education, properly executed incident response procedures, offline backups, and systems kept up to date with security patches. Even so, state-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and will keep attacking. If you do fall victim to a ransomware incident, you can be confident that Progent's team of experts has a proven track record in crypto-ransomware defense, cleanup, and data restoration.
Download the Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Consulting Services in Tucson
For ransomware recovery services in the Tucson metro area, phone Progent at