Ransomware: Your Worst Information Technology Catastrophe
Crypto-ransomware has become an all-too-frequent cyber plague that poses an enterprise-level danger to organizations unprepared for an attack. Families such as CryptoLocker, Locky, MongoLock and the self-propagating WannaCry worm have been in the wild for years and still cause damage. Newer strains such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, Snatch and Nefilim, along with others not yet named, not only encrypt online data but also go after any configured backups they can reach, typically by deleting volume shadow copies and encrypting backup files on shares that the compromised accounts can write to. Data synchronized to cloud storage can be rendered useless as well, because the encrypted copies are synced over the originals. In a poorly designed environment this can make recovery hopeless and effectively sets the entire system back to zero.
Restoring services and data after a ransomware attack becomes a race against time as the targeted organization works to contain the spread, remove the ransomware and resume business-critical activity. Because attackers need time to move laterally and stage the encryption, attacks are frequently launched on weekends and holidays, when they may take longer to detect and when it is harder to quickly assemble and coordinate an experienced response team.
Progent provides a range of services to protect Waltham businesses from ransomware attacks. These include staff training to recognize and avoid phishing, and ProSight Active Security Monitoring (ASM), an endpoint detection and response service built on SentinelOne's behavior-based threat defense, to detect and contain zero-day malware. Progent can also provide expert ransomware recovery consultants with the skills and commitment to restore a breached network as quickly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware attack, paying the ransom in cryptocurrency provides no assurance that the remote criminals will respond with the keys to decrypt your data. Kaspersky Lab estimated that seventeen percent of victims who paid never recovered their data, compounding their losses. Paying is also very costly: Ryuk ransoms at the time frequently ranged from fifteen to forty BTC (roughly $120,000 to $400,000), far above the average demand, which ZDNet put at approximately $13,000 for small businesses. The alternative is to rebuild the critical elements of your IT environment. Without complete, uncompromised backups, this calls for a broad range of IT skills, professional project management, and the willingness to work around the clock until the job is done.
For twenty years, Progent has provided certified IT consulting services to businesses throughout the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who hold high-level industry certifications in key technologies including Microsoft, Cisco, VMware and the major Linux distributions. Progent's cybersecurity engineers hold internationally recognized certifications including CISM, CISSP, ISACA CRISC and SANS GIAC (see Progent's certifications). Progent also has expertise with accounting and ERP applications. This breadth of experience gives Progent the skills to quickly understand critical systems, consolidate the surviving parts of your IT environment after a ransomware event, and rebuild them into a working network.
Progent's recovery team uses best-of-breed project management tools to coordinate the complex restoration process. Progent understands the need to act quickly and in concert with the client's management and IT staff to prioritize tasks and bring critical services back online as soon as possible.
Client Case Study: A Successful Ransomware Intrusion Recovery
A manufacturer engaged Progent after its operations were brought down by Ryuk crypto-ransomware. Early reports attributed Ryuk to North Korean state-sponsored actors, but later analysis attributed it to Russian-speaking criminal operators, who typically deploy it by hand after gaining an initial foothold through malware such as Emotet or TrickBot. Ryuk targets specific companies with little or no tolerance for operational disruption and is among the most lucrative ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-site manufacturer in Chicago with about 500 employees. The Ryuk intrusion had disabled all essential business and manufacturing processes. Most of the client's backups were online at the time of the attack and were encrypted along with the production data. The client was arranging financing to pay the ransom (over $200,000) and hoping for the best, but ultimately engaged Progent instead.
Progent worked with the client to quickly assess and prioritize the mission-critical areas that had to be addressed to resume business operations:
Within 48 hours Progent had rebuilt Active Directory to its pre-intrusion state. Progent then completed installation and disk-level recovery of essential applications. The Microsoft Exchange Server configuration and mailbox links were intact, which sped up the rebuild of Exchange. Progent also found intact OST files (Microsoft Outlook offline folder files) on staff workstations and used them to recover email. A recent offline backup of the client's manufacturing software, one the ransomware could not reach, allowed these vital applications to be restored to service. Although major work remained to recover fully from the Ryuk attack, the most important services were restored quickly:
Over the following weeks, further milestones in the recovery were completed in close cooperation between Progent engineers and the client:
Conclusion
A potentially business-ending catastrophe was averted through the efforts of top-tier experts, a wide range of subject matter expertise, and close collaboration. In hindsight, the intrusion described here could have been blocked or contained by modern security tooling, NIST Cybersecurity Framework best practices, user and IT administrator training, and sound procedures for keeping backups offline or otherwise isolated and for applying software patches promptly. The fact remains that state-sponsored and criminal cyber gangs operating from Russia, North Korea and elsewhere are relentless and an ongoing threat. If you do fall victim to crypto-ransomware, remember that Progent's team has substantial experience in ransomware prevention, remediation and disaster recovery.
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Expertise in Waltham
For ransomware system restoration expertise in the Waltham area, call Progent at