Ransomware: Your Worst IT Catastrophe
Crypto-ransomware has become an all-too-frequent cyberplague that presents an existential threat to organizations vulnerable to an attack. Multiple generations of ransomware, such as the CrySIS, Fusob, Locky, SamSam and MongoLock cryptoworms, have been out in the wild for a long time and continue to cause havoc. Modern strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, plus daily unnamed malware, not only encrypt on-line data but also infiltrate all configured system backups. Files synchronized to the cloud can also be corrupted. In a vulnerable system, this can render automatic restoration hopeless and effectively set the network back to zero.
Recovering programs and data after a ransomware attack becomes a sprint against time as the targeted organization tries its best to contain the damage, remove the ransomware, and resume business-critical operations. Because crypto-ransomware needs time to replicate throughout a targeted network, assaults are often sprung during nights and weekends, when penetrations are likely to take longer to discover. This multiplies the difficulty of quickly assembling and coordinating a qualified response team.
Progent makes available a variety of support services for securing Portland enterprises from ransomware attacks. Among these are team training to help recognize and avoid phishing scams, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which utilizes SentinelOne's behavior-based threat defense to discover and quarantine zero-day modern malware attacks. Progent also provides the assistance of seasoned ransomware recovery professionals with the track record and commitment to reconstruct a breached network as urgently as possible.
Progent's Ransomware Recovery Support Services
After a ransomware event, paying the ransom in cryptocurrency does not guarantee that merciless criminals will provide the keys needed to decrypt all your data. Kaspersky determined that 17% of ransomware victims never restored their files even after having sent off the ransom, resulting in additional losses. Taking that risk is also costly: Ryuk ransoms are typically several hundred thousand dollars, and for larger organizations the ransom can reach millions. The alternative is to piece back together the essential parts of your IT environment. Absent access to complete data backups, this calls for a wide complement of IT skills, top-notch project management, and the capability to work 24x7 until the job is over.
For twenty years, Progent has offered professional Information Technology services for businesses across the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have been awarded top certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have earned internationally-renowned certifications including CISM, CISSP-ISSAP, ISACA CRISC, GIAC, and CMMC 2.0. (Refer to Progent's certifications.) Progent also has expertise with financial systems and ERP application software. This breadth of experience gives Progent the ability to quickly identify important systems, re-organize the surviving pieces of your IT system after a ransomware event, and configure them into an operational network.
Progent's recovery team of experts uses state-of-the-art project management applications to orchestrate the complex recovery process. Progent knows the importance of working quickly and together with a customer's management and IT team members to assign priority to tasks and to get the most important applications back on-line as soon as humanly possible.
Customer Case Study: A Successful Ransomware Virus Recovery
A customer hired Progent after their network was attacked by Ryuk crypto-ransomware. Ryuk is thought to have been developed by North Korean government-sponsored criminal gangs, suspected of adopting technology leaked from America's National Security Agency. Ryuk goes after specific businesses with limited ability to sustain disruption and is one of the most lucrative instances of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in the Chicago metro area with around 500 employees. The Ryuk event had frozen all essential operations and manufacturing capabilities. Most of the client's backups had been on-line at the time of the attack and were encrypted. The client was actively seeking loans to pay the ransom (more than two hundred thousand dollars) and hoping for good luck, but ultimately reached out to Progent.
Progent worked hand in hand with the client to rapidly identify and prioritize the essential areas that needed to be addressed in order to continue business operations:
In less than two days, Progent was able to rebuild Active Directory services to their pre-penetration state. Progent then rebuilt key applications and recovered their storage. All Microsoft Exchange Server schema and attributes were intact, which facilitated the restore of Exchange. Progent was able to find intact OST data files (Outlook Offline Folder Files) on user desktop computers in order to recover mail data. A recent offline backup of the business's accounting systems made it possible to bring these vital programs back on-line. Although a large amount of work remained to recover fully from the Ryuk virus, critical systems were restored quickly:
Over the next few weeks, critical milestones in the restoration process were reached in close cooperation between Progent engineers and the customer:
Conclusion
A likely enterprise-killing catastrophe was dodged thanks to hard-working professionals, a broad spectrum of knowledge, and close teamwork. In post mortem, the crypto-ransomware incident detailed here could have been blocked with current cyber security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, properly executed incident response procedures for information protection, and keeping systems up to date with security patches. The reality, however, is that government-sponsored hackers from Russia, China and elsewhere are relentless and will continue their attacks. If you do fall victim to a crypto-ransomware incursion, feel confident that Progent's team of experts has a proven track record in ransomware virus blocking, cleanup, and data recovery.
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Recovery Case Study Datasheet (PDF, 282 KB)
Contact Progent for Ransomware System Restoration Consulting in Portland
For ransomware recovery consulting services in the Portland area, call Progent at