Ransomware: Your Worst IT Nightmare
Crypto-ransomware has become an escalating cyber plague that represents an existential threat for organizations vulnerable to an attack. Iterations of crypto-ransomware such as the Reveton, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been in the wild for many years and still inflict havoc. Modern versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Egregor, as well as additional unnamed newcomers, not only encrypt online data but also infect any reachable system backups. Data synced to off-premises disaster recovery sites can also be encrypted. In a vulnerable environment this can make automated recovery impossible and effectively knocks the datacenter back to zero.
Retrieving applications and data after a crypto-ransomware outage becomes a race against the clock as the targeted business fights to stop the spread, clean up the crypto-ransomware, and resume business-critical activity. Because ransomware takes time to spread throughout a network, attacks are often launched at night and on weekends, when they typically take longer to recognize. This multiplies the difficulty of rapidly mobilizing and coordinating an experienced response team.
Progent offers an assortment of services for protecting Charlotte enterprises from ransomware events. These include user training to recognize and avoid phishing scams, and ProSight Active Security Monitoring, an endpoint detection and response (EDR) service that uses SentinelOne's behavior-based threat protection to identify and contain zero-day malware attacks. Progent also provides the services of seasoned ransomware recovery consultants with the skill and perseverance to rebuild a breached network as quickly as possible.
Progent's Ransomware Recovery Services
After a ransomware attack, even paying the ransom demand in cryptocurrency does not guarantee that the attackers will respond with the keys to decrypt any or all of your files. Kaspersky Labs determined that seventeen percent of ransomware victims never restored their files even after paying the ransom, compounding their losses. The ransom itself is also expensive. Ryuk ransoms are typically several hundred thousand dollars, and for larger enterprises the ransom can reach millions of dollars. The other path is to set up the mission-critical components of your IT environment from scratch. Without complete data backups, this requires a broad range of skill sets, well-coordinated team management, and the willingness to work 24x7 until the job is done.
For twenty years, Progent has provided professional IT services for businesses throughout the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have earned top certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts hold internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, SANS GIAC, and CMMC 2.0 (refer to Progent's certifications). Progent also has experience with accounting and ERP application software. This breadth of expertise gives Progent the ability to knowledgeably identify critical systems, organize the surviving pieces of your network after a ransomware intrusion, and rebuild them into an operational system.
Progent's recovery group uses powerful project management tools to orchestrate the complex restoration process. Progent understands the urgency of acting rapidly and in concert with a client's management and IT resources to prioritize tasks and get key systems back online as soon as possible.
Client Case Study: A Successful Ransomware Virus Recovery
A customer escalated to Progent after their organization was attacked by the Ryuk ransomware. Ryuk is thought to have been created by North Korean state criminal gangs, suspected of using techniques leaked from America's NSA. Ryuk targets specific companies with little ability to sustain operational disruption and is among the most profitable incarnations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company in Chicago with about 500 staff members. The Ryuk event had brought down all company operations and manufacturing processes. The majority of the client's backups had been online at the start of the attack and were encrypted. The client considered paying the ransom (more than two hundred thousand dollars) and hoping for good luck, but ultimately called Progent.
Progent worked with the customer to rapidly understand and prioritize the most important applications that needed to be restored in order to resume company operations:
Within two days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then began rebuilding and recovering disk contents for mission-critical applications. All Microsoft Exchange Server schema and configuration information was usable, which accelerated the restoration of Exchange. Progent was also able to locate local OST files (Outlook Offline Folder Files) on staff PCs and laptops in order to recover mail data. A reasonably recent offline backup of the customer's accounting software made it possible to bring these essential programs back online. Although major work remained to recover fully from the Ryuk attack, core services were restored rapidly:
Over the following couple of weeks, important milestones in the restoration project were completed in close collaboration between Progent team members and the client:
Conclusion
A probable business-ending catastrophe was avoided through the efforts of top-tier professionals, a wide range of technical expertise, and close teamwork. Although in the post-mortem it was clear that the ransomware attack described here could have been blocked with current cyber security technology, recognized best practices, staff training, and well-thought-out incident response procedures for data backup and patch management, the fact is that state-sponsored hackers from China, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware incident, remember that Progent's roster of professionals has substantial experience in ransomware defense, cleanup, and data recovery.
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this ransomware incident report, see:
Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB)
Contact Progent for Ransomware Cleanup Services in Charlotte
For ransomware cleanup consulting in the Charlotte area, call Progent at