Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become an escalating cyber pandemic that poses an existential danger to businesses of all sizes that are vulnerable to an attack. Crypto-ransomware families such as Reveton, WannaCry, Locky, Syskey and the MongoLock cryptoworm have been in the wild for a long time and continue to wreak havoc. Modern ransomware variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Nephilim, as well as frequent unnamed newcomers, not only encrypt online files but also target every configured system protection mechanism they can reach. Data synced to cloud environments can be encrypted as well. In a poorly architected environment, this can render any recovery hopeless and effectively knocks the datacenter back to square one.
Recovering applications and data after a crypto-ransomware event becomes a race against time as the targeted business tries to stop lateral movement, clean up the malware, and restore mission-critical activity. Because crypto-ransomware takes time to move laterally, attacks are frequently sprung during weekends and nights, when intrusions typically take longer to recognize. This compounds the difficulty of quickly marshalling and coordinating a qualified response team.
Progent offers an assortment of services for securing Norfolk organizations against ransomware attacks. Among these are staff training to help identify and avoid phishing exploits, and ProSight Active Security Monitoring for endpoint detection and response, which uses SentinelOne's behavior-based threat protection to identify and quarantine zero-day malware attacks. Progent also provides the services of veteran crypto-ransomware recovery consultants with the skills and commitment to redeploy a breached environment as rapidly as possible.
Progent's Ransomware Recovery Help
After a ransomware attack, even paying the ransom in cryptocurrency does not guarantee that the remote criminals will respond with the keys to decrypt all your data. Kaspersky Labs found that 17% of crypto-ransomware victims never recovered their data after paying the ransom, resulting in further losses. The ransom itself is also costly. Ryuk ransoms often range from 15 to 40 BTC ($120,000 to $400,000). This is significantly higher than typical ransomware demands, which ZDNET estimated to be around $13,000 for smaller businesses. The alternative is to piece the vital components of your Information Technology environment back together. Without access to full data backups, this requires a broad range of skills, well-coordinated team management, and the willingness to work non-stop until the recovery project is done.
For two decades, Progent has offered expert IT services to businesses across the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have been awarded high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have earned internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with financial systems and ERP applications. This breadth of expertise gives Progent the capability to efficiently understand critical systems, organize the remaining parts of your IT environment following a ransomware attack, and rebuild them into a functioning system.
Progent's security group uses top-notch project management applications to coordinate the complex restoration process. Progent understands the importance of working swiftly and in unison with a client's management and Information Technology staff to prioritize tasks and get critical services back online as fast as possible.
Customer Case Study: A Successful Ransomware Virus Recovery
A client sought out Progent after their organization was hit by Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state hackers, possibly using techniques leaked from the U.S. National Security Agency. Ryuk targets specific companies with little or no ability to sustain disruption and is one of the most profitable incarnations of crypto-ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing company based in the Chicago metro area with about 500 workers. The Ryuk attack had frozen all essential operations and manufacturing processes. The majority of the client's data backups had been directly accessible from the network at the time of the attack and were eventually encrypted. The client was actively seeking loans to pay the ransom (more than two hundred thousand dollars) and hoping for the best, but in the end decided to engage Progent.
Progent worked with the client to quickly assess and prioritize the key applications that needed to be recovered to make it possible to restart business operations:
Within two days, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then completed setup and storage recovery for mission-critical applications. All Exchange data and configuration information were intact, which accelerated the restoration of Exchange. Progent was able to gather unencrypted OST files (Outlook Offline Data Files) from team workstations to recover email data. A fairly recent offline backup of the business's accounting software made it possible to bring these required applications back online. Although significant work remained to recover completely from the Ryuk damage, essential services were restored rapidly:
Throughout the following few weeks, key milestones in the recovery process were achieved in tight cooperation between Progent team members and the customer:
Conclusion
A probable business-killing disaster was averted through top-tier professionals, a wide spectrum of knowledge, and tight collaboration. Although in hindsight the ransomware penetration described here should have been identified and blocked with advanced security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user training, and well-thought-out security procedures for information protection and software patching, the reality remains that government-sponsored cybercriminals from China, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware attack, remember that Progent's team of experts has extensive experience in ransomware defense, remediation, and file recovery.
Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer story, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Consulting in Norfolk
For ransomware recovery expertise in the Norfolk area, phone Progent at