Ransomware : Your Worst Information Technology Disaster
Ransomware has become a modern cyber pandemic that represents an extinction-level threat for organizations vulnerable to an attack. Different versions of crypto-ransomware such as Reveton, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been circulating for a long time and continue to cause damage. Newer variants of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Egregor, as well as other as-yet-unnamed malware, not only encrypt online files but also infect any reachable system backups. Data synchronized to off-premises disaster recovery sites can also be encrypted. In a vulnerable system, this renders restore operations useless and effectively knocks the network back to zero.
Getting applications and data back online following a crypto-ransomware outage becomes a race against the clock as the targeted organization fights to contain and clean up the crypto-ransomware and resume enterprise-critical operations. Because ransomware requires time to spread across a network, attacks are frequently sprung at night, when penetrations tend to take longer to identify. This compounds the difficulty of promptly marshalling and coordinating a qualified response team.
Progent provides an assortment of solutions for securing Morgan Hill enterprises from ransomware events. These include staff education to recognize and avoid phishing exploits, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which uses SentinelOne's behavior-based threat defense to detect and disable zero-day malware assaults. Progent also provides the assistance of experienced crypto-ransomware recovery consultants with the talent and commitment to reconstruct a breached environment as quickly as possible.
Progent's Ransomware Restoration Services
Following a ransomware attack, paying the ransom demand in cryptocurrency does not guarantee that the criminal gang will provide the keys to decrypt any of your data. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their data after sending off the ransom, resulting in increased losses. Paying is also costly. Ryuk ransoms are typically a few hundred thousand dollars. For larger organizations, the ransom can reach millions of dollars. The alternative is to re-install the critical elements of your Information Technology environment. Absent full information backups, this calls for a wide complement of skill sets, professional team management, and the willingness to work non-stop until the job is finished.
For decades, Progent has provided certified expert Information Technology services for businesses across the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold advanced certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, GIAC, and CMMC 2.0. (Refer to Progent's certifications.) Progent also has expertise with accounting and ERP application software. This breadth of expertise gives Progent the skills to quickly identify critical systems, organize the remaining pieces of your network following a ransomware penetration, and configure them into a functioning network.
Progent's recovery group uses best-of-breed project management systems to coordinate the complex recovery process. Progent appreciates the urgency of acting quickly and in concert with a customer's management and Information Technology team members to assign priority to tasks and to get critical applications back online as soon as humanly possible.
Client Case Study: A Successful Ransomware Intrusion Restoration
A small business engaged Progent after their network was taken over by Ryuk ransomware. Ryuk is thought to have been deployed by North Korean government-sponsored hackers, possibly using strategies leaked from the U.S. NSA. Ryuk goes after specific companies with little or no room for disruption and is one of the most lucrative iterations of crypto-ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company located in Chicago with around 500 employees. The Ryuk penetration had disabled all company operations and manufacturing capabilities. The majority of the client's information backups had been online at the start of the attack and were eventually encrypted. The client was preparing to pay the ransom demand (exceeding $200,000) and hoping for good luck, but ultimately brought in Progent.
Progent worked together with the client to quickly assess and assign priority to the key applications that had to be restored in order to continue departmental functions:
In less than 48 hours, Progent was able to rebuild Active Directory services to their pre-infection state. Progent then charged ahead with reinstallations and hard drive recovery of mission-critical applications. All Exchange ties and configuration information were usable, which facilitated the rebuild of Exchange. Progent was able to find non-encrypted OST files (Outlook Offline Data Files) on user PCs in order to recover mail messages. A relatively recent offline backup of the customer's financials/ERP systems made it possible to bring these essential programs back online. Although major work remained to recover fully from the Ryuk damage, core systems were returned to operation quickly:
During the next couple of weeks, important milestones in the recovery process were achieved through tight collaboration between Progent team members and the customer:
Conclusion
A potential business-ending catastrophe was dodged due to top-tier experts, a wide range of technical expertise, and tight teamwork. Although in retrospect the crypto-ransomware penetration described here should have been blocked with modern cyber security technology and best practices, team education, and properly executed procedures for data protection and applying software patches, the fact is that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to ransomware, feel confident that Progent's team of experts has proven experience in crypto-ransomware defense, mitigation, and data restoration.
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Expertise in Morgan Hill
For ransomware system recovery consulting services in the Morgan Hill area, phone Progent at