Ransomware: Your Crippling IT Nightmare
Ransomware has become an escalating cyber plague that presents an extinction-level threat for businesses poorly prepared for an assault. Multiple generations of ransomware, including the CrySIS, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms, have run rampant for a long time and continue to inflict destruction. Modern strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nefilim, as well as daily unnamed newcomers, not only encrypt online files but also target every configured system protection mechanism they can reach, so that data synchronized to cloud environments can be encrypted as well. In a poorly architected environment this can make recovery impossible and effectively knocks the network back to square one.
Getting services and data back online after a crypto-ransomware event becomes a race against time as the targeted organization fights to stop lateral movement, clear the ransomware, and restore mission-critical activity. Because ransomware needs time to move laterally, attacks are frequently sprung on weekends and holidays, when a successful penetration typically takes longer to discover. This compounds the difficulty of promptly mobilizing and coordinating a capable mitigation team.
Progent offers an assortment of services for securing Charlotte businesses against ransomware attacks. These include staff education to help employees recognize and avoid phishing attempts, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which uses SentinelOne's behavior-based threat defense to detect and stop zero-day malware attacks. Progent also provides the services of experienced ransomware recovery engineers with the talent and perseverance to redeploy a breached system as rapidly as possible.
Progent's Crypto-Ransomware Restoration Services
After a ransomware attack, paying the ransom demand in Bitcoin does not ensure that the criminal gang will provide the keys needed to decrypt any of your data. Kaspersky found that 17% of ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also very costly: Ryuk ransoms frequently range from 15 to 40 BTC ($120,000 to $400,000), well above the usual ransomware demand, which ZDNet estimated at around $13,000 for smaller businesses. The alternative is to rebuild the critical parts of your IT environment. Without full data backups, this calls for a wide complement of IT skills, well-coordinated team management, and the capacity to work around the clock until the job is done.
For twenty years, Progent has provided expert IT services to businesses throughout the U.S. and has achieved Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold top industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity consultants have earned internationally recognized industry certifications including CISM, CISSP, CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with financial systems and ERP application software. This breadth of experience gives Progent the ability to quickly identify critical systems, consolidate the remaining pieces of your IT environment following a ransomware penetration, and assemble them into a functioning network.
Progent's security team uses state-of-the-art project management systems to coordinate the complex restoration process. Progent understands the urgency of working rapidly, together with a customer's management and IT staff, to prioritize tasks and get the most important applications back online as soon as possible.
Customer Story: A Successful Ransomware Intrusion Response
A customer engaged Progent after their organization was brought down by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean government-sponsored cybercriminals, possibly using algorithms leaked from the U.S. National Security Agency (NSA). Ryuk targets specific companies with little ability to withstand operational disruption and is one of the most profitable incarnations of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-site manufacturer located in Chicago with about 500 employees. The Ryuk intrusion had paralyzed all business operations and manufacturing capabilities. Most of the client's backups had been online at the start of the intrusion and were encrypted. The client considered paying the ransom (more than $200K) and hoping for the best, but in the end brought in Progent.
Progent worked with the customer to quickly assess and prioritize the critical areas that had to be restored in order to resume departmental operations:
In less than two days, Progent was able to restore Active Directory to its pre-intrusion state. Progent then helped with setup and hard drive recovery of mission-critical systems. All Exchange schema and configuration information was intact, which simplified the Exchange restore. Progent was also able to collect unencrypted OST files (Microsoft Outlook Offline Data Files) from user desktops and laptops to recover mail messages. A reasonably recent offline backup of the client's manufacturing systems made it possible to bring these essential services back online. Although major work remained to recover completely from the Ryuk attack, the most important services were restored rapidly:
During the following weeks, critical milestones in the restoration project were completed in close cooperation between Progent team members and the customer:
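As an added example (not part of Progent's case study or tooling), the OST collection step above can be triaged programmatically: the script below walks a directory of gathered mailbox files and classifies each as intact, truncated, encrypted, or unknown by checking for the "!BDN" magic that the MS-PST format places at the start of every PST/OST file and, when it is missing, measuring byte entropy. The sample files, their names and the 7.5 bits/byte threshold are constructed assumptions.

```python
import math
import random
import tempfile
from pathlib import Path

# Per MS-PST a PST/OST file starts with the 4-byte magic "!BDN" and a 512-byte header.
OST_MAGIC = b"!BDN"
HEADER_LEN = 512

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext approaches 8.0, structured headers sit far lower."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_ost(path: Path, sample_size: int = 4096) -> str:
    """'intact' (magic present), 'truncated', 'encrypted' (no magic, high entropy) or 'unknown'."""
    if path.stat().st_size < HEADER_LEN:
        return "truncated"
    with path.open("rb") as f:
        head = f.read(sample_size)
    if head.startswith(OST_MAGIC):
        return "intact"
    # Assumption: a 7.5 bits/byte threshold separates ciphertext from damaged-but-plain data.
    return "encrypted" if shannon_entropy(head) > 7.5 else "unknown"

def triage_directory(root: Path) -> dict:
    """Classify every file whose name carries .ost/.pst, even under an appended ransom extension."""
    return {str(p.relative_to(root)): classify_ost(p)
            for p in root.rglob("*")
            if p.is_file() and {s.lower() for s in p.suffixes} & {".ost", ".pst"}}

def demo() -> dict:
    """Build a constructed sample tree (not real user data) and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "alice.ost").write_bytes(OST_MAGIC + b"\x00" * 2048)             # clean OST
        (root / "bob.ost.locked").write_bytes(random.Random(1).randbytes(4096))  # ciphertext
        (root / "carol.pst").write_bytes(b"\x00" * 4096)                         # zeroed/damaged
        (root / "dave.ost").write_bytes(OST_MAGIC)                                # truncated
        return triage_directory(root)

if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{name:16} {verdict}")
```

Only files reported as intact are worth feeding to a mail recovery tool; the encrypted and truncated verdicts tell the responder which endpoints were reached before collection.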
Conclusion
A potential business-ending catastrophe was averted thanks to results-oriented experts, a wide range of subject matter expertise, and close collaboration. Although in retrospect the ransomware attack described here should have been identified and stopped with modern security technology and best practices, staff education, well-designed incident response procedures, data backup, and proper patching controls, the fact is that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware penetration, remember that Progent's roster of experts has extensive experience in ransomware defense, cleanup, and disaster recovery.
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Services in Charlotte
For ransomware system restoration consulting services in the Charlotte area, phone Progent at