Ransomware : Your Feared IT Disaster
Crypto-ransomware has become an escalating cyberplague that represents an existential threat for businesses poorly prepared for an attack. Earlier iterations of ransomware such as the CrySIS, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been in the wild for a long time and continue to cause damage. Newer strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nefilim, along with unnamed newcomers, not only encrypt online data but also infect every configured system backup. Data synced to cloud environments can also be rendered useless. In a poorly designed data protection solution, this can make automatic restore operations impossible and effectively sets the network back to zero.
Retrieving applications and data after a ransomware attack becomes a sprint against the clock as the victim fights to contain the damage, clean up the crypto-ransomware, and resume mission-critical operations. Because ransomware needs time to spread, intrusions are frequently launched on weekends and at night, when they may take longer to notice. This multiplies the difficulty of quickly mobilizing and organizing a capable mitigation team.
Progent offers a range of services for protecting Boston businesses from ransomware intrusions. These include team training to help identify and avoid phishing scams, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which uses SentinelOne's AI-based cyberthreat defense to detect and quarantine zero-day modern malware attacks. Progent also offers the assistance of veteran ransomware recovery engineers with the skill and perseverance to rebuild a compromised environment as urgently as possible.
Progent's Ransomware Recovery Services
After a ransomware event, paying the ransom demand in Bitcoin does not guarantee that the attackers will respond with the keys needed to decrypt any or all of your files. Kaspersky Labs estimated that 17% of ransomware victims never recovered their files after sending the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is well above the usual crypto-ransomware demand, which ZDNET determined to be around $13,000 for small businesses. The other path is to rebuild the mission-critical components of your IT environment from scratch. Without access to essential system backups, this requires a broad complement of skill sets, professional project management, and the capacity to work 24x7 until the job is complete.
For twenty years, Progent has provided professional IT services for businesses across the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who hold top industry certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists hold internationally recognized certifications including CISM, CISSP, CRISC, and GIAC. (Visit Progent's certifications.) Progent also has expertise with accounting and ERP applications. This breadth of expertise allows Progent to quickly identify the systems that must be restored, consolidate the surviving pieces of your network environment after a ransomware attack, and configure them into an operational system.
Progent's security team uses state-of-the-art project management applications to coordinate the complex restoration process. Progent appreciates the urgency of working quickly and in concert with a client's management and IT resources to prioritize tasks and bring essential systems back online as fast as possible.
Client Case Study: A Successful Crypto-Ransomware Penetration Restoration
A business sought out Progent after being attacked by Ryuk crypto-ransomware. Ryuk is believed to have been developed by North Korean state criminal gangs, suspected of adopting techniques leaked from America's National Security Agency. Ryuk targets specific organizations with little or no tolerance for disruption and is one of the most profitable incarnations of ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing business located in the Chicago metro area with about 500 employees. The Ryuk attack had paralyzed all company operations and manufacturing processes. Most of the client's backups were online when the attack began and were eventually encrypted. The client considered paying the ransom (more than two hundred thousand dollars) and hoping for the best, but in the end called Progent.
Progent worked hand in hand with the customer to rapidly understand and prioritize the most important systems that had to be recovered in order to restart departmental operations:
Within 48 hours, Progent was able to rebuild Active Directory to its pre-infection state. Progent then helped perform setup and storage recovery on mission-critical systems. All Exchange connections and configuration data were usable, which facilitated the rebuild of Exchange. Progent was also able to collect unencrypted OST files (Microsoft Outlook Offline Folder Files) from various workstations in order to recover email data. A reasonably recent offline backup of the customer's accounting/ERP systems made it possible to bring these essential applications back online. Although significant work remained to recover completely from the Ryuk damage, critical systems were returned to operation quickly:
During the following couple of weeks, important milestones in the recovery project were accomplished through close cooperation between Progent consultants and the customer:
Conclusion
A potentially company-ending disaster was averted by results-oriented professionals, a broad spectrum of subject matter expertise, and tight teamwork. Although in retrospect the ransomware incident detailed here should have been identified and blocked by current cybersecurity systems and NIST Cybersecurity Framework best practices, team education, and well-designed security procedures for data protection and software patching, the reality is that state-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and will keep attacking. If you do fall victim to a ransomware incident, you can be confident that Progent's team of professionals has proven experience in crypto-ransomware blocking, removal, and file disaster recovery.
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Services in Boston
For ransomware cleanup expertise in the Boston area, call Progent at