Ransomware : Your Crippling Information Technology Disaster
Ransomware has become an escalating cyber pandemic and an extinction-level threat for any business left exposed to an attack. Older crypto-ransomware families such as Dharma, Fusob, Bad Rabbit, Syskey and MongoLock have been running rampant for years and continue to inflict damage. Newer families such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, plus new and as yet unnamed variants that appear daily, not only encrypt critical online data but also seek out and encrypt any backup that is reachable from the compromised network. Files synchronized to an off-site disaster recovery location can be encrypted as well. In a vulnerable environment this renders every restore point useless and effectively knocks the datacenter back to zero.
Bringing applications and data back online after a ransomware outage becomes a race against the clock as the victim tries to stop lateral movement, clear the ransomware and restore mission-critical operations. Because crypto-ransomware needs time to spread laterally before it encrypts, the encryption phase is usually launched at night, when a successful intrusion often takes longer to detect. This compounds the difficulty of quickly mobilizing and coordinating a qualified response team.
Progent offers a range of solutions for protecting Augusta-Richmond County businesses from crypto-ransomware attacks. These include staff education to help employees recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of current-generation security appliances that use machine learning to rapidly identify and block zero-day threats. Progent also provides veteran ransomware recovery professionals with the skills and commitment to rebuild a breached environment as urgently as possible.
Progent's Ransomware Recovery Services
Following a ransomware intrusion, paying the ransom in Bitcoin provides no assurance that the criminals will hand over the keys needed to decrypt any of your data. Kaspersky Lab found that 17% of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The ransom itself is also costly. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the average ransomware demand, which ZDNet estimated at around $13,000 for small businesses. The alternative is to rebuild the vital components of your IT environment from scratch. Without usable backups of essential data, this demands a broad range of skills, professional project management, and the ability to work non-stop until the job is done.
For two decades, Progent has provided expert IT services to companies across the U.S. and has earned Microsoft Partner competencies in Datacenter and Cloud Productivity. Progent's team of subject matter experts includes professionals holding top certifications in key technologies from Microsoft, Cisco and VMware as well as popular Linux distributions. Progent's cyber security consultants hold internationally recognized industry certifications including CISM, CISSP, CRISC and GIAC. (Refer to Progent's certifications.) Progent also has experience with financial management and ERP application software. This breadth of experience gives Progent the skills to quickly identify critical systems, organize the surviving pieces of your IT environment after a crypto-ransomware event, and reassemble them into an operational network.
Progent's recovery group uses top-notch project management tools to coordinate the complex recovery process. Progent appreciates the urgency of acting quickly and works with the client's management and IT staff to prioritize tasks and get essential systems back online as soon as possible.
Customer Story: A Successful Ransomware Intrusion Response
A client contacted Progent after the organization was hit by Ryuk ransomware. Ryuk was initially attributed by some researchers to North Korean state-sponsored actors because it shares code with the Hermes ransomware, though later analysis attributed it to Russian-speaking criminal groups; its operators may also have adopted techniques from tools leaked from the United States National Security Agency. Ryuk targets specific companies that have little tolerance for operational disruption and is among the most profitable ransomware strains. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company headquartered in Chicago with about 500 employees. The Ryuk attack had frozen all company operations and manufacturing processes. Most of the client's backups had been online when the intrusion began and were destroyed. The client considered paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately called Progent.
Progent worked with the client to rapidly identify and prioritize the mission critical areas that needed to be addressed in order to continue business operations:
Within two days, Progent restored Active Directory to its pre-intrusion state and then began rebuilding and restoring storage for mission-critical applications. The Exchange Server objects and attributes in Active Directory were intact, which simplified the Exchange rebuild. Progent also located unencrypted Outlook Offline Storage (OST) files on staff workstations and laptops and used them to recover email. A fairly recent offline backup of the customer's accounting systems made it possible to return those essential applications to users. Although a great deal of work remained to recover fully from the Ryuk damage, core systems were restored rapidly:
Over the following month important milestones in the recovery process were completed in close collaboration between Progent engineers and the client:
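The OST triage described in the case study above (finding mailbox files on workstations that the ransomware did not reach) can be automated. The following Python script is an added example written for this page; it is not Progent's tooling. It walks a directory tree, flags every file whose name contains .ost or .pst (ransomware families often append their own extension, so the final suffix cannot be trusted), and classifies each one by checking for the "!BDN" signature that Outlook PST/OST files carry at offset 0 and, failing that, by measuring the entropy of the first 4 KiB, since an encrypted file has its header overwritten and near-random content. The entropy threshold, the sample files and the .RYK renaming are constructed assumptions for the demonstration.

```python
import math
import random
import tempfile
from pathlib import Path

# Outlook PST/OST files begin with the 4-byte signature "!BDN".
OST_MAGIC = b"!BDN"
SAMPLE_BYTES = 4096
HIGH_ENTROPY = 7.5  # bits/byte; ciphertext over 4 KiB scores close to 8.0 (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_mailbox_file(path: Path) -> str:
    """Return 'intact', 'encrypted' or 'unknown' for one candidate file."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if head.startswith(OST_MAGIC):
        return "intact"      # header survives: worth trying to open in Outlook
    if shannon_entropy(head) >= HIGH_ENTROPY:
        return "encrypted"   # signature gone and content near-random
    return "unknown"         # e.g. truncated, compressed, or not really an OST/PST


def scan_for_mailbox_files(root: Path) -> dict:
    """Walk `root` and classify every file whose name contains .ost or .pst.

    Matching on the whole name rather than the final suffix catches files
    that ransomware renamed, such as 'mailbox.ost.RYK'.
    """
    results = {}
    for p in sorted(root.rglob("*")):
        name = p.name.lower()
        if p.is_file() and (".ost" in name or ".pst" in name):
            key = str(p.relative_to(root)).replace("\\", "/")
            results[key] = classify_mailbox_file(p)
    return results


def build_sample_tree(root: Path) -> None:
    """Create constructed sample files (not real mailboxes) under `root`."""
    (root / "alice").mkdir()
    (root / "bob").mkdir()
    # Intact OST: correct signature followed by low-entropy filler.
    (root / "alice" / "alice@example.test.ost").write_bytes(
        OST_MAGIC + b"\x00" * (SAMPLE_BYTES - 4))
    # "Encrypted" OST: overwritten with pseudo-random bytes and given an extra extension.
    rng = random.Random(7)
    (root / "bob" / "bob@example.test.ost.RYK").write_bytes(
        bytes(rng.randrange(256) for _ in range(SAMPLE_BYTES)))
    # A stray text file whose name merely contains ".pst".
    (root / "bob" / "notes-about.pst.txt").write_bytes(b"not a mailbox\n" * 20)


def demo() -> dict:
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_for_mailbox_files(root)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:10} {name}")
```

In a real engagement the scan would be pointed at the user profile directories of each workstation (or at a read-only image of its disk) rather than at a constructed tree, and "intact" only means the header survived; the file still has to be opened in Outlook or a PST reader to confirm that the mail inside is readable. The entropy check is a heuristic: legitimately compressed or already-encrypted archives can also score high, so treat "encrypted" as a prioritization hint, not proof.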
Conclusion
A potentially business-killing catastrophe was averted through the efforts of hard-working experts, a wide spectrum of knowledge, and close teamwork. In hindsight, the ransomware attack described here could have been blocked with modern security technology and recognized best practices, user and IT administrator education, and well thought out incident response procedures for data backup and patch management. Nevertheless, government-sponsored and criminal attackers from Russia, North Korea and elsewhere are tireless and will keep trying. If you are hit by a ransomware attack, you can be confident that Progent's roster of experts has a proven track record in ransomware prevention, cleanup, and data restoration.
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this customer case study, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Consulting in Augusta-Richmond County
For ransomware system restoration services in the Augusta-Richmond County metro area, call Progent at