Ransomware: Your Worst IT Disaster
Crypto-ransomware has become an all-too-frequent cyber pandemic that presents an enterprise-level threat to any organization vulnerable to attack. Multiple generations of crypto-ransomware such as Reveton, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been circulating for a long time and still cause damage. Modern strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Egregor, as well as additional unnamed malware, not only encrypt online data files but also infiltrate most configured system backups. Data replicated to cloud environments can also be encrypted. In a poorly architected data protection solution, this can make restore operations hopeless and effectively knocks the network back to square one.
Recovering services and data following a crypto-ransomware event becomes a race against time as the victim tries its best to stop the spread, clean up the malware, and resume mission-critical operations. Since ransomware requires time to move laterally across a targeted network, attacks are frequently launched during weekends and nights, when they typically take longer to discover. This compounds the difficulty of quickly assembling and coordinating a qualified mitigation team.
Progent makes available a variety of services for protecting Liverpool enterprises from ransomware attacks. These include user education to help recognize and avoid phishing scams, and ProSight Active Security Monitoring (ASM) for endpoint detection and response, which utilizes SentinelOne's behavior-based threat defense to detect and disable zero-day malware attacks. Progent also offers the assistance of seasoned ransomware recovery consultants with the track record and commitment to re-deploy a breached system as urgently as possible.
Progent's Ransomware Recovery Support Services
After a crypto-ransomware event, paying the ransom in cryptocurrency does not ensure that the criminal gang will return the keys needed to decrypt all your files. Kaspersky determined that 17% of ransomware victims never recovered their information after having sent the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms are commonly several hundred thousand dollars. For larger enterprises, the ransom demand can be in the millions. The fallback is to piece back together the critical elements of your Information Technology environment. Without access to complete information backups, this requires a broad range of skills, professional team management, and the capability to work 24x7 until the recovery project is over.
For decades, Progent has provided professional Information Technology services for businesses across the US and has earned Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have earned top industry certifications in leading technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have earned internationally renowned certifications including CISM, CISSP, CRISC, GIAC, and CMMC 2.0. (Visit Progent's certifications.) Progent also has experience in financial management and ERP application software. This breadth of expertise gives Progent the ability to rapidly identify critical systems, re-organize the surviving components of your IT system following a ransomware penetration, and assemble them into an operational network.
Progent's recovery group deploys best-of-breed project management tools to orchestrate the sophisticated restoration process. Progent knows the importance of acting swiftly and in unison with a customer's management and IT team members to prioritize tasks and to get the most important systems back online as fast as humanly possible.
Customer Case Study: A Successful Ransomware Attack Recovery
A business sought out Progent after the company was attacked by Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state-sponsored cybercriminals, suspected of using algorithms leaked from the U.S. NSA. Ryuk targets specific businesses with little or no room for operational disruption and is among the most profitable versions of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in the Chicago metro area with around 500 staff members. The Ryuk attack had shut down all business operations and manufacturing processes. Most of the client's system backups had been directly accessible at the beginning of the intrusion and were encrypted. The client was preparing to pay the ransom (more than $200,000) and hoping for the best, but ultimately called Progent.
Progent worked together with the customer to rapidly identify and prioritize the key elements that had to be restored in order to continue business operations:
Within two days, Progent was able to recover Windows Active Directory to its pre-infection state. Progent then performed reinstallations and storage recovery on the required servers. All Microsoft Exchange Server schema and configuration information remained usable, which facilitated the restore of Exchange. Progent was able to collect unencrypted OST files (Outlook Offline Folder Files) from team PCs to recover email messages. A relatively recent offline backup of the client's accounting/ERP systems made it possible to return these vital services to users. Although a large amount of work still had to be done to recover fully from the Ryuk damage, core systems were returned to operation rapidly:
Over the following couple of weeks, critical milestones in the recovery project were completed in close cooperation between Progent engineers and the client:
Conclusion
A potential business disaster was avoided with top-tier experts, a wide spectrum of IT skills, and tight teamwork. Although in post-mortem the ransomware incident described here should have been stopped by current cyber security solutions and security best practices, user education, and appropriate procedures for backups and software patching, the reality is that government-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware incursion, you can be confident that Progent's team of professionals has a proven track record in ransomware defense, cleanup, and information systems recovery.
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB)
Contact Progent for Ransomware System Restoration Services in Liverpool
For ransomware cleanup consulting in the Liverpool area, phone Progent at