Ransomware: Your Worst Information Technology Disaster
Ransomware has become an escalating cyber pandemic that represents an extinction-level threat for businesses of all sizes that are unprepared for an assault. Ransomware families such as Dharma, Fusob, Bad Rabbit, Syskey and the MongoLock cryptoworms have been circulating for years and continue to inflict damage. Modern strains such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Nephilim, along with additional unnamed malware, not only encrypt on-line files but also compromise many of the system protection mechanisms that have been configured. Files replicated to the cloud can also be rendered useless. With a poorly designed data protection solution, this can make automated restore operations impossible and effectively knocks the entire environment back to square one.
Recovering applications and data following a ransomware intrusion becomes a sprint against the clock as the victim fights to contain the damage, remove the ransomware and restore mission-critical operations. Because ransomware requires time to move laterally, attacks are frequently launched during nights and weekends, when a successful attack may take longer to uncover. This compounds the difficulty of rapidly assembling and orchestrating a capable mitigation team.
Progent offers a range of solutions for securing Madison enterprises against crypto-ransomware attacks. These include user training to recognize and avoid phishing attempts, and ProSight Active Security Monitoring (ASM), an endpoint detection and response service that uses SentinelOne's AI-based cyberthreat defense to discover and suppress zero-day modern malware assaults. Progent can also provide the services of experienced ransomware recovery engineers with the track record and perseverance to restore a compromised environment as urgently as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware event, paying the ransom demand in Bitcoin cryptocurrency does not guarantee that the criminal gang will respond with the keys needed to decrypt all your files. Kaspersky estimated that 17% of ransomware victims never recovered their information after sending off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is far above the typical ransomware demand, which ZDNET determined to be in the range of $13,000 for small organizations. The fallback is to set up the mission-critical elements of your Information Technology environment from scratch. Without access to essential system backups, this calls for a broad range of IT skills, professional project management, and the capability to work continuously until the job is done.
For twenty years, Progent has provided certified expert IT services for businesses throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have been awarded high-level industry certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have earned internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise with accounting and ERP applications. This breadth of expertise gives Progent the ability to quickly identify important systems after a ransomware event, integrate the surviving parts of your IT environment, and configure them into a functioning network.
Progent's recovery team uses state-of-the-art project management tools to coordinate the complex recovery process. Progent knows the importance of working quickly and in concert with a customer's management and IT staff to prioritize tasks and to put the most important services back on line as fast as possible.
Client Story: A Successful Ransomware Virus Restoration
A customer escalated to Progent after their network was brought down by Ryuk ransomware. Ryuk is believed to have been developed by North Korean state-sponsored criminal gangs, suspected of adopting strategies leaked from the U.S. National Security Agency. Ryuk targets specific organizations with little or no room for disruption and is among the most profitable instances of ransomware. Major targets have included Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company headquartered in Chicago with about 500 employees. The Ryuk attack had disabled all company operations and manufacturing capabilities. The majority of the client's data backups had been on-line at the time of the attack and were encrypted. The client was preparing to pay the ransom demand (more than $200K) and hope for the best, but in the end engaged Progent.
Progent worked with the customer to quickly identify and prioritize the critical systems that needed to be restored in order to resume departmental operations:
Within 48 hours, Progent was able to restore Active Directory services to their pre-attack state. Progent then completed reinstallations and hard drive recovery of critical systems. All Exchange Server schema and configuration information was intact, which facilitated the restore of Exchange. Progent was able to collect local OST files (Outlook Offline Data Files) from various PCs in order to recover mail data. A reasonably recent off-line backup of the business's accounting/ERP software made it possible to bring these required applications back online for users. Although significant work remained to recover fully from the Ryuk attack, critical systems were restored quickly:
Over the next couple of weeks, important milestones in the restoration project were reached through tight cooperation between Progent team members and the customer:
Conclusion
A possible business extinction disaster was avoided with dedicated experts, a wide range of technical expertise, and tight collaboration. In retrospect, the crypto-ransomware penetration detailed here should have been prevented by current security systems and NIST Cybersecurity Framework best practices, user and IT administrator education, and properly executed procedures for data backup and for keeping systems up to date with security patches. The reality, however, is that state-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and remain an ongoing threat. If you do get hit by a ransomware penetration, remember that Progent's roster of experts has substantial experience in crypto-ransomware defense, removal, and information systems recovery.
Download the Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this customer case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Expertise in Madison
For ransomware system restoration consulting services in the Madison area, phone Progent at