Ransomware: Your Worst IT Disaster
Crypto-ransomware has become an all-too-frequent cyber pandemic that poses an enterprise-level threat to organizations unprepared for an attack. Earlier families of ransomware such as Dharma, Fusob, Bad Rabbit, SamSam and the MongoLock cryptoworm have been circulating for a long time and still inflict damage. Modern strains such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, along with others not yet named, not only encrypt online files but also defeat many of the system protection mechanisms that have been configured. Files synchronized to the cloud can also be corrupted. In a poorly architected data protection solution, this can render automated restore operations useless and effectively knock the network back to square one.
Recovering programs and data after a crypto-ransomware event becomes a sprint against the clock as the targeted business struggles to contain and clean up the ransomware and to resume business-critical activity. Because ransomware needs time to move laterally, attacks are usually launched on weekends and holidays, when they often take longer to discover. This multiplies the difficulty of promptly mobilizing and coordinating a qualified mitigation team.
Progent offers an assortment of services for protecting Dallas organizations from ransomware intrusions. These include team education to help staff identify and avoid phishing attempts, and ProSight Active Security Monitoring, an endpoint detection and response (EDR) service that uses SentinelOne's behavior-based threat defense to discover and stop zero-day malware attacks. Progent can also provide expert ransomware recovery professionals with the skills and perseverance to rebuild a compromised system as quickly as possible.
Progent's Crypto-Ransomware Restoration Support Services
After a ransomware event, paying the ransom demand in cryptocurrency does not ensure that the criminal gang will respond with the keys needed to decrypt all your data. Kaspersky Labs found that 17% of ransomware victims never recovered their data after sending the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly above the usual crypto-ransomware demand, which ZDNET estimated at approximately $13,000 for smaller businesses. The other path is to piece the critical elements of your IT environment back together. Without essential system backups, this calls for a wide range of IT skills, professional team management, and the willingness to work non-stop until the job is done.
For decades, Progent has provided professional information technology services for companies throughout the U.S. and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have earned top industry certifications in foundation technologies from Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have earned internationally recognized certifications including CISA, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise in accounting and ERP applications. This breadth of experience allows Progent to knowledgeably identify critical systems, consolidate the surviving pieces of your network environment following a crypto-ransomware event, and assemble them into an operational system.
Progent's ransomware team uses best-of-breed project management applications to coordinate the complex restoration process. Progent appreciates the urgency of working rapidly, together with a client's management and IT team members, to prioritize tasks and get essential applications back online as fast as humanly possible.
Business Case Study: A Successful Crypto-Ransomware Incident Restoration
A customer escalated to Progent after their network was brought down by the Ryuk ransomware. Ryuk is believed to have been developed by North Korean government-sponsored hackers, possibly using techniques leaked from the United States NSA. Ryuk targets specific businesses with limited ability to sustain operational disruption and is one of the most profitable incarnations of ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company headquartered in Chicago with about 500 employees. The Ryuk intrusion had frozen all essential business operations and manufacturing capabilities. The majority of the client's data backups had been online at the start of the attack and were encrypted. The client was preparing to pay the ransom (in excess of two hundred thousand dollars) and hope for the best, but in the end decided to engage Progent.
Progent worked with the customer to rapidly assess and prioritize the essential systems that had to be addressed to make it possible to continue departmental operations.
Within 48 hours, Progent was able to restore Active Directory services to their pre-intrusion state. Progent then assisted with the setup and storage recovery of the most important servers. All Exchange Server data and configuration information were usable, which accelerated the rebuild of Exchange. Progent was also able to collect unencrypted OST files (Outlook offline data files) from various workstations and laptops to recover email messages. A fairly recent offline backup of the client's accounting/ERP systems allowed these essential services to be restored and made available to users. Although much work remained to recover fully from the Ryuk attack, the most important services were restored quickly.
Over the following couple of weeks, critical milestones in the recovery process were achieved through close cooperation between Progent engineers and the client.
Conclusion
A likely business catastrophe was avoided thanks to hard-working experts, a broad range of IT skills, and tight collaboration. Although in hindsight the crypto-ransomware incident described here could have been prevented with modern cybersecurity technology, ISO/IEC 27001 best practices, team education, and well-designed procedures for backup and software patching, the fact remains that state-sponsored cybercriminals from China, North Korea and elsewhere are tireless and will keep attacking. If you do get hit by a crypto-ransomware intrusion, remember that Progent's roster of professionals has proven experience in ransomware defense, cleanup, and information systems restoration.
Download the Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Consulting Services in Dallas
For ransomware system recovery services in the Dallas area, call Progent at