Ransomware: Your Feared IT Nightmare
Crypto-ransomware has become an escalating cyber pandemic that presents an existential threat to organizations poorly prepared for an attack. Earlier families of ransomware such as the Reveton, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been running rampant for a long time and continue to cause damage. Modern crypto-ransomware strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, as well as newcomers that have not yet been named, not only encrypt online data files but also attack every system protection mechanism they can reach. Files synchronized to off-premises disaster recovery sites can also be rendered useless. In a poorly architected environment, this can make automated restore operations hopeless and effectively knocks the network back to zero.
Restoring online services and data after a ransomware intrusion becomes a race against the clock as the victim works to stop the spread, eradicate the ransomware, and resume business-critical activity. Because ransomware needs time to replicate across a network, attacks are frequently launched at night, when a successful penetration typically takes longer to discover. This multiplies the difficulty of promptly assembling and coordinating a qualified response team.
Progent offers a variety of services for protecting Columbus businesses from ransomware penetrations. These include team member education to help staff recognize and avoid falling victim to phishing exploits, and ProSight Active Security Monitoring (ASM), which provides endpoint detection and response (EDR) using SentinelOne's behavior-based threat defense to identify and disable zero-day malware attacks. Progent also provides the assistance of veteran ransomware recovery professionals with the skills and commitment to reconstruct a breached environment as urgently as possible.
Progent's Crypto-Ransomware Recovery Help
After a ransomware invasion, paying the ransom demanded in cryptocurrency provides no assurance that the cyber criminals will return the keys needed to decrypt any of your data. Kaspersky Labs ascertained that seventeen percent of crypto-ransomware victims never restored their files even after having paid the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms are commonly several hundred thousand dollars. For larger enterprises, the ransom demand can be in the millions. The alternative is to piece back together the key parts of your Information Technology environment. Without access to intact data backups, this calls for a wide complement of skill sets, professional project management, and the willingness to work 24x7 until the recovery project is done.
For twenty years, Progent has provided professional IT services for businesses across the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have attained high-level certifications in leading technologies from Microsoft, Cisco, and VMware, and in popular distributions of Linux. Progent's security experts have earned internationally recognized industry certifications including CISM, CISSP, CRISC, GIAC, and CMMC 2.0. (Refer to Progent's certifications.) Progent also has expertise with financial management and ERP application software. This breadth of experience gives Progent the ability to knowledgeably identify the critical systems, organize the surviving parts of your network environment after a ransomware penetration, and rebuild them into an operational system.
Progent's ransomware team of experts uses top-notch project management tools to coordinate the sophisticated recovery process. Progent knows the importance of working swiftly and in concert with a customer's management and Information Technology staff to prioritize tasks and to get essential services back online as fast as humanly possible.
Client Story: A Successful Crypto-Ransomware Attack Response
A business escalated to Progent after their company was brought down by the Ryuk ransomware virus. Ryuk is believed to have been created by North Korean government-sponsored cybercriminals, possibly adopting techniques leaked from the United States NSA organization. Ryuk targets specific businesses with little tolerance for operational disruption and is one of the most profitable instances of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company headquartered in the Chicago metro area with around 500 staff members. The Ryuk penetration had brought down all business operations and manufacturing capabilities. The majority of the client's system backups had been directly accessible from the network at the time of the intrusion and were destroyed. The client was preparing to pay the ransom (exceeding $200K) and hoping for the best, but in the end reached out to Progent.
Progent worked with the customer to quickly assess and prioritize the essential systems that had to be addressed to make it possible to resume company functions:
In less than 2 days, Progent was able to rebuild Active Directory services to their pre-penetration state. Progent then completed the rebuild and hard drive recovery of critical servers. All Exchange Server schema and configuration information was intact, which facilitated the rebuild of Exchange. Progent was also able to gather the local OST files (Outlook Email Offline Folder Files) on user desktop computers and laptops to recover mail data. A recent offline backup of the business's manufacturing systems made it possible to bring these essential services back online. Although a large amount of work remained to recover fully from the Ryuk virus, core services were returned to operation rapidly:
During the following month, important milestones in the recovery process were completed through close collaboration between Progent engineers and the client:
Conclusion
A potentially business-ending disaster was averted through top-tier experts, a broad array of subject matter expertise, and close collaboration. In retrospect, the ransomware attack described here should have been identified and blocked by current security solutions, by NIST Cybersecurity Framework or ISO/IEC 27001 best practices, by team education, and by properly executed incident response procedures with sound backup and patching controls. The reality, however, is that government-sponsored cyber criminals from China, North Korea and elsewhere are tireless and will keep attacking. If you do fall victim to a crypto-ransomware attack, be assured that Progent's team of professionals has substantial experience in ransomware virus defense, cleanup, and information systems recovery.
Download the Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Consulting in Columbus
For ransomware system restoration expertise in the Columbus metro area, call Progent at