Ransomware: Your Feared Information Technology Nightmare
Ransomware has become a too-frequent cyberplague that presents an enterprise-level danger for organizations unprepared for an attack. Multiple generations of ransomware like the CryptoLocker, Fusob, Locky, SamSam and MongoLock cryptoworms have been circulating for many years and continue to inflict destruction. Modern versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Nephilim, along with as yet unnamed variants appearing daily, not only encrypt on-line data but also compromise many of the system protection mechanisms that would otherwise be available. Information synchronized to the cloud can also be encrypted. In a vulnerable environment, this can make automated recovery useless and basically knocks the datacenter back to square one.
Restoring services and data after a ransomware intrusion becomes a sprint against the clock as the victim tries its best to contain and clean up the ransomware and to resume business-critical operations. Because crypto-ransomware needs time to spread, attacks are frequently sprung during weekends and nights, when intrusions often take longer to detect. This compounds the difficulty of rapidly assembling and coordinating an experienced response team.
Progent offers a variety of services for protecting Boise businesses from crypto-ransomware events. These include team member training to help staff recognize and avoid phishing exploits, and ProSight Active Security Monitoring (ASM), which provides endpoint detection and response (EDR) using SentinelOne's behavior-based threat protection to detect and disable zero-day malware attacks. Progent also offers the services of experienced crypto-ransomware recovery professionals with the skills and commitment to reconstruct a compromised system as rapidly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware event, paying the ransom in Bitcoin cryptocurrency does not provide any assurance that merciless criminals will return the keys needed to decrypt any or all of your data. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never recovered their files after having sent off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is well above the usual ransomware demands, which ZDNET estimated to be approximately $13,000 for smaller businesses. The other path is to re-install the mission-critical components of your IT environment. Absent access to full system backups, this requires a broad range of skills, top-notch team management, and the capability to work 24x7 until the recovery project is over.
For decades, Progent has made available expert Information Technology services for businesses across the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have earned high-level industry certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have earned internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise in accounting and ERP application software. This breadth of expertise gives Progent the ability to rapidly identify necessary systems, re-organize the remaining pieces of your IT system after a ransomware event, and assemble them into a functioning network.
Progent's ransomware group uses best-of-breed project management tools to coordinate the complicated recovery process. Progent knows the importance of acting rapidly and in concert with a client's management and Information Technology team members to assign priority to tasks and to get critical services back on-line as soon as possible.
Client Case Study: A Successful Ransomware Attack Recovery
A customer contacted Progent after their network was attacked by the Ryuk ransomware. Ryuk is believed to have been created by North Korean state-sponsored hackers, suspected of adopting techniques leaked from the United States NSA. Ryuk targets specific organizations with limited tolerance for operational disruption and is among the most profitable iterations of ransomware malware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing company located in Chicago with about 500 workers. The Ryuk penetration had disabled all essential operations and manufacturing processes. Most of the client's backups had been directly accessible at the time of the attack and were eventually encrypted. The client was taking steps to pay the ransom demand (exceeding two hundred thousand dollars) and hoping for the best, but in the end made the decision to use Progent.
Progent worked hand in hand with the client to rapidly understand and assign priority to the critical systems that needed to be restored to make it possible to restart departmental functions:
Within 48 hours, Progent was able to restore Active Directory services to their pre-attack state. Progent then helped perform rebuilding and hard drive recovery on mission-critical systems. All Exchange connections and attributes were intact, which greatly simplified the restore of Exchange. Progent was able to collect intact OST files (Microsoft Outlook Off-Line Data Files) on team desktop computers and laptops to recover mail data. A recent off-line backup of the client's financials/MRP software made it possible to bring these essential services back on-line. Although a large amount of work still had to be done to recover fully from the Ryuk virus, critical systems were returned to operation quickly:
Over the following few weeks, important milestones in the recovery project were completed through close collaboration between Progent engineers and the client:
Conclusion
A potential business catastrophe was averted by dedicated professionals, a wide spectrum of subject matter expertise, and close collaboration. In hindsight, the ransomware incident described here should have been identified and blocked by current security systems, adherence to NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user training, appropriate information protection procedures, and keeping systems up to date with security patches. The fact remains that state-sponsored cybercriminals from Russia, China and elsewhere are relentless and pose an ongoing threat. If you do get hit by a ransomware incident, remember that Progent's team of experts has a proven track record in ransomware blocking, remediation, and information systems restoration.
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Consulting in Boise
For ransomware recovery consulting in the Boise metro area, phone Progent at