Ransomware: Your Crippling IT Disaster
Ransomware has become an escalating cyberplague that represents an enterprise-level danger for organizations unprepared for an attack. Ransomware families such as Dharma, Fusob, Bad Rabbit, Syskey and the MongoLock cryptoworm have been out in the wild for years and still inflict destruction. Newer crypto-ransomware variants like Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, plus more as yet unnamed newcomers, not only encrypt on-line data but also encrypt most system backups they can reach. Data synchronized to the cloud can be corrupted as well. In a poorly designed data protection solution, this can render automated restoration useless and effectively knock the entire system back to zero.
Getting services and information back after a crypto-ransomware event becomes a race against time as the targeted organization struggles to contain the damage, eradicate the malware, and resume enterprise-critical activity. Because ransomware needs time to spread, intrusions are frequently launched at night, when attacks may take longer to identify. This multiplies the difficulty of promptly mobilizing and orchestrating an experienced mitigation team.
Progent offers a range of support services for securing Salem businesses against crypto-ransomware intrusions. These include user education to recognize and avoid phishing scams, and ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR), which uses SentinelOne's behavior-based cyberthreat defense to identify and extinguish zero-day modern malware attacks. Progent also provides the services of veteran ransomware recovery professionals with the skill and commitment to restore a compromised environment as urgently as possible.
Progent's Ransomware Restoration Services
After a ransomware attack, paying the ransom demand in cryptocurrency does not guarantee that the cyber criminals will provide the keys to decrypt all your data. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their files even after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the usual ransomware demand, which ZDNET estimated to be around $13,000 for smaller organizations. The fallback is to piece back together the vital elements of your Information Technology environment. Without access to full system backups, this requires a broad complement of skills, top notch team management, and the willingness to work non-stop until the job is complete.
For twenty years, Progent has provided certified expert IT services for businesses throughout the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have been awarded top industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have earned internationally recognized industry certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise in accounting and ERP software solutions. This breadth of experience gives Progent the skills to quickly identify critical systems, salvage the surviving parts of your network environment following a ransomware attack, and assemble them into an operational network.
Progent's security team has top notch project management tools to coordinate the complex recovery process. Progent understands the urgency of acting quickly and in unison with a client's management and IT resources to prioritize tasks and to put critical services back on-line as soon as humanly possible.
Business Case Study: A Successful Ransomware Intrusion Recovery
A small business contacted Progent after their organization was penetrated by the Ryuk ransomware. Ryuk is believed to have been launched by North Korean state-sponsored criminal gangs, possibly adopting techniques leaked from the United States National Security Agency. Ryuk goes after specific businesses with little ability to sustain disruption and is one of the most lucrative ransomware variants. Headline targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company based in Chicago with about 500 employees. The Ryuk attack had brought down all business operations and manufacturing processes. The majority of the client's data backups had been directly accessible at the time of the attack and were encrypted. The client was preparing to pay the ransom demand (exceeding $200,000) and hope for the best, but in the end brought in Progent.
Progent worked with the client to quickly assess and assign priority to the essential systems that needed to be addressed in order to restart departmental operations:
In less than 48 hours, Progent was able to restore Active Directory to its pre-attack state. Progent then proceeded with the rebuild and disk recovery of critical servers. All Exchange Server data and attributes were usable, which accelerated the restoration of Exchange. Progent was also able to gather non-encrypted OST files (Outlook Off-Line Folder Files) from user desktop computers and laptops to recover email messages. A relatively recent off-line backup of the customer's accounting/ERP systems made it possible to bring these essential applications back on-line for users. Although significant work remained to recover fully from the Ryuk attack, essential systems were recovered rapidly:
Throughout the next few weeks critical milestones in the recovery process were achieved through tight cooperation between Progent engineers and the client:
Conclusion
A possible business-ending catastrophe was averted by dedicated professionals, a wide spectrum of technical expertise, and tight collaboration. Although in retrospect the crypto-ransomware attack described here should have been identified and blocked with current security systems and NIST Cybersecurity Framework best practices, team training, and appropriate procedures for data backup and for keeping systems up to date with security patches, the reality remains that state-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware incident, remember that Progent's roster of professionals has extensive experience in ransomware blocking, remediation, and information systems disaster recovery.
Contact Progent for Ransomware System Restoration Services in Salem
For ransomware recovery consulting services in the Salem metro area, phone Progent at