Ransomware: Your Worst Information Technology Disaster
Ransomware has become a too-frequent cyberplague that represents an enterprise-level threat for businesses vulnerable to an attack. Different iterations of crypto-ransomware such as the Reveton, Fusob, Locky, Syskey and MongoLock cryptoworms have been around for years and still cause destruction. Modern versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, plus frequent unnamed variants, not only encrypt online data but also infect every reachable system backup. Information synched to off-premises disaster recovery sites can also be corrupted. In a poorly architected system, this can render automated recovery impossible and effectively set the entire environment back to square one.
Getting programs and information back online after a crypto-ransomware intrusion becomes a race against time as the targeted organization struggles to contain the damage, clean up the ransomware, and resume mission-critical operations. Since ransomware requires time to spread throughout a network, attacks are often launched at night, when penetrations are likely to take longer to detect. This multiplies the difficulty of rapidly marshalling and coordinating an experienced mitigation team.
Progent offers a variety of support services for protecting Madison businesses from ransomware penetrations. Among these are user training to help identify and avoid phishing attempts, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which utilizes SentinelOne's behavior-based threat defense to discover and quarantine zero-day malware assaults. Progent can also provide the services of veteran ransomware recovery consultants with the talent and commitment to restore a compromised environment as quickly as possible.
Progent's Ransomware Recovery Help
Following a crypto-ransomware event, even paying the ransom demand in cryptocurrency does not provide any assurance that the criminal gang will respond with the keys needed to decrypt any of your information. Kaspersky Labs ascertained that seventeen percent of crypto-ransomware victims never restored their data even after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms are commonly several hundred thousand dollars. For larger enterprises, the ransom can be in the millions. The fallback is to re-install the essential components of your Information Technology environment. Without the availability of essential data backups, this calls for a broad complement of skill sets, professional project management, and the capability to work non-stop until the job is over.
For twenty years, Progent has offered professional IT services for businesses across the United States and has earned Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have been awarded top industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, GIAC, and CMMC 2.0. (Visit Progent's certifications.) Progent also has experience in accounting and ERP software solutions. This breadth of expertise gives Progent the capability to efficiently identify critical systems, integrate the remaining components of your Information Technology system after a ransomware event, and rebuild them into an operational network.
Progent's security team uses powerful project management tools to coordinate the complicated restoration process. Progent appreciates the importance of acting swiftly and working together with a customer's management and IT team members to assign priority to tasks and to put critical systems back online as soon as possible.
Customer Case Study: A Successful Crypto-Ransomware Attack Recovery
A client sought out Progent after their organization was brought down by Ryuk crypto-ransomware. Ryuk is generally considered to have been deployed by North Korean state hackers, suspected of using approaches leaked from the U.S. National Security Agency. Ryuk goes after specific organizations with limited tolerance for operational disruption and is among the most profitable examples of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing company headquartered in the Chicago metro area with about 500 staff members. The Ryuk attack had disabled all company operations and manufacturing capabilities. Most of the client's information backups had been online at the time of the intrusion and were eventually encrypted. The client was evaluating paying the ransom demand (in excess of $200,000) and hoping for the best, but in the end engaged Progent.
Progent worked with the customer to quickly understand and prioritize the mission critical services that had to be recovered to make it possible to continue departmental operations:
Within two days, Progent was able to rebuild Windows Active Directory to its pre-penetration state. Progent then helped perform setup and hard drive recovery on essential servers. All Exchange data and configuration information were intact, which accelerated the restoration of Exchange. Progent was able to locate local OST files (Outlook Offline Data Files) on various workstations in order to recover mail data. A fairly recent offline backup of the customer's accounting/MRP systems made it possible to bring these essential applications back to users. Although a lot of work remained to recover completely from the Ryuk attack, the most important systems were restored rapidly:
Throughout the following month, critical milestones in the recovery project were reached through tight cooperation between Progent engineers and the customer:
Conclusion
A probable business catastrophe was averted through the efforts of results-oriented professionals, a broad range of knowledge, and tight teamwork. In post mortem, the ransomware penetration detailed here would have been identified and blocked by current security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, and properly executed incident response procedures covering data backup and keeping systems up to date with security patches. The fact remains, however, that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and will continue. If you do fall victim to a ransomware virus, remember that Progent's roster of experts has proven experience in ransomware virus defense, mitigation, and file restoration.
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Services in Madison
For ransomware system recovery consulting in the Madison metro area, call Progent at