Ransomware: Your Feared Information Technology Disaster
Ransomware has become an all-too-frequent cyberplague that presents an enterprise-level threat to any organization unprepared for an attack. Long-running families such as CryptoLocker, Fusob, Locky and MongoLock, along with lock-out schemes such as the Syskey scam, have been circulating for many years and continue to wreak havoc. More recent families like Ryuk, Maze, Sodinokibi (REvil), NetWalker, Conti and Nefilim (often written Nephilim), plus a steady stream of as yet unnamed newcomers, not only encrypt on-line data files but also seek out and encrypt every backup reachable from the compromised network. Data replicated to the cloud can be encrypted as well, because replication faithfully copies the encrypted versions over the good ones. In a poorly designed data protection solution this leaves automated restore operations with nothing usable to restore from and sets the entire environment back to square one.
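As an added example (not Progent's tooling and not code from this page), the following Python script shows the check a recovery team wants before trusting an on-line backup: a manifest of SHA-256 hashes is taken when the backup is written and kept somewhere the ransomware cannot reach, then compared against the backup share after the incident. Files whose hashes no longer match are classified as a legitimate update or as likely ciphertext using two heuristics, the container's expected magic bytes having disappeared and the content's entropy approaching 8 bits per byte. The file names, the `.locked` suffix the simulated encryptor appends, and the magic-byte table are all constructed assumptions for the demonstration.

```python
"""Backup integrity check before restore (added example, not Progent code).

The manifest must live OUTSIDE the backup share (assumption: offline or
immutable storage); a manifest on the same share would be encrypted too.
All file names, contents and the '.locked' suffix are constructed for the demo.
"""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Leading bytes of common backup containers (assumed table; a real manifest
# would record each file's own header at backup time instead).
MAGIC = {
    ".zip": b"PK\x03\x04",
    ".gz": b"\x1f\x8b",
    ".vhdx": b"vhdxfile",
    ".bak": b"TAPE",  # SQL Server native backup (Microsoft Tape Format)
}
HEAD_BYTES = 4096        # how much of each file to inspect
RANDOM_THRESHOLD = 7.5   # bits/byte; uniformly random data scores ~7.95 on 4 KB


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def write_manifest(root: Path, manifest_path: Path) -> dict:
    """Record the SHA-256 of every file under root; run this when the backup is taken."""
    entries = {str(p.relative_to(root)): sha256_file(p)
               for p in sorted(root.rglob("*")) if p.is_file()}
    manifest_path.write_text(json.dumps(entries))
    return entries


def _classify(path: Path) -> str:
    """Decide whether a changed file looks like a legitimate update or ciphertext."""
    with path.open("rb") as f:
        head = f.read(HEAD_BYTES)
    expected = MAGIC.get(path.suffix.lower())
    if expected is not None and head.startswith(expected):
        return "modified"  # container header survived, so not wholesale encryption
    return "likely_encrypted" if shannon_entropy(head) > RANDOM_THRESHOLD else "modified"


def verify_backup(root: Path, manifest_path: Path) -> dict:
    """Compare the backup share against the manifest. Encryptors usually rename
    victims by appending an extension, so a missing file is also looked for as
    <original name>.<anything> before being reported missing."""
    manifest = json.loads(manifest_path.read_text())
    verdicts = {}
    for rel, digest in manifest.items():
        p = root / rel
        if p.is_file():
            verdicts[rel] = "ok" if sha256_file(p) == digest else _classify(p)
            continue
        renamed = sorted(p.parent.glob(p.name + ".*")) if p.parent.is_dir() else []
        verdicts[rel] = _classify(renamed[0]) if renamed else "missing"
    return verdicts


def simulate_encryptor(path: Path, appended_ext: str = ".locked") -> Path:
    """Constructed stand-in for ransomware: overwrite with random bytes, then append
    an extension. '.locked' is a placeholder, not any specific family's suffix."""
    path.write_bytes(os.urandom(path.stat().st_size))
    target = path.with_name(path.name + appended_ext)
    path.rename(target)
    return target


def demo() -> dict:
    """Build a constructed backup set, take a manifest, hit two files with the
    simulated encryptor, legitimately update a third, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backups"
        root.mkdir()
        # SQL Server-style .bak: MTF header followed by repetitive, low-entropy pages
        (root / "accounting.bak").write_bytes(b"TAPE" + b"\x00" * 60 + b"ledger row\n" * 2000)
        # zip container: real header, then a high-entropy (compressed-looking) body
        (root / "fileserver.zip").write_bytes(b"PK\x03\x04" + os.urandom(20000))
        csv = root / "ad-users.csv"
        csv.write_bytes(b"name,sid\nalice,S-1-5-21-1001\n" * 50)
        (root / "exchange-notes.txt").write_bytes(b"DAG: two nodes\n")
        manifest = Path(tmp) / "manifest.json"  # outside the backup tree
        write_manifest(root, manifest)

        simulate_encryptor(root / "accounting.bak")                # renamed + random
        (root / "fileserver.zip").write_bytes(os.urandom(20004))  # overwritten in place
        with csv.open("ab") as f:                                  # ordinary change
            f.write(b"bob,S-1-5-21-1002\n")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:17} {name}")
```

Running the script reports `accounting.bak` and `fileserver.zip` as likely encrypted, `ad-users.csv` as an ordinary modification and `exchange-notes.txt` as intact. The entropy test alone would misclassify compressed archives, which are high-entropy by design, so the magic-byte check is what separates a re-created archive from one the encryptor overwrote; the manifest only helps if the copy used for verification was never reachable from the compromised network.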
Bringing programs and data back on-line after a ransomware outage is a race against the clock as the targeted business fights to contain the damage, eradicate the ransomware and restore business-critical operations. Because the encryption stage takes time to run across a network, attackers often trigger it on weekends and holidays, when fewer staff are watching and a successful attack typically goes unnoticed for longer. This multiplies the difficulty of rapidly assembling and coordinating an experienced response team.
Progent offers a range of support services for protecting Des Moines organizations from ransomware attacks. These include staff training to help employees recognize and avoid phishing attempts, and ProSight Active Security Monitoring, an endpoint detection and response (EDR) service built on SentinelOne's behavior-based threat defense, which identifies and quarantines zero-day malware. Progent also provides seasoned ransomware recovery consultants with the skill and perseverance to restore a compromised network as quickly as possible.
Progent's Ransomware Recovery Help
After a crypto-ransomware attack, paying the ransom in cryptocurrency provides no assurance that the criminals will hand over working keys to decrypt your files. Kaspersky found that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms have often ranged from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the average demand, which ZDNet estimated at around $13,000 for small organizations. The other path is to rebuild the critical components of your IT environment from scratch. Without usable backups of essential data, this calls for a broad range of IT skills, top-notch project management, and the capacity to work around the clock until the job is done.
For twenty years, Progent has provided professional Information Technology services to businesses across the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants with advanced certifications in key technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's cybersecurity engineers hold internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC (see Progent's certifications). Progent also has expertise with financial management and ERP applications. This breadth of expertise gives Progent the skills to quickly identify critical systems, organize the surviving pieces of your Information Technology environment following a ransomware attack, and rebuild them into a working network.
Progent's ransomware team uses best-of-breed project management tools to orchestrate the complex recovery process. Progent understands the importance of working quickly and in concert with a client's management and Information Technology staff to prioritize tasks and bring critical systems back on-line as soon as possible.
Client Case Study: A Successful Crypto-Ransomware Response
A business escalated to Progent after its network was penetrated by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, but subsequent analysis by several security firms tied it to a Russian-speaking criminal group. It does not rely on leaked NSA exploits; its operators typically gain a foothold through commodity malware such as Emotet or TrickBot and then deploy the encryptor by hand. Ryuk targets specific organizations with little or no tolerance for operational disruption and is among the most profitable ransomware operations. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and Tribune Publishing, whose Chicago Tribune printing operations were disrupted. Progent's client is a manufacturing business headquartered in Chicago with about 500 employees. The Ryuk intrusion had paralyzed all essential business and manufacturing operations. Most of the client's backups were on-line, reachable from the compromised network, when the attack began and were encrypted along with the production data. The client considered paying the ransom (over two hundred thousand dollars) and hoping for the best, but in the end engaged Progent.
Progent worked hand in hand with the client to rapidly identify and prioritize the most important systems that had to be restored in order to restart departmental functions.
Within two days, Progent rebuilt Windows Active Directory to its pre-attack state. Progent then pressed ahead with rebuilding key systems and recovering their storage. The Exchange Server schema extensions and attributes in Active Directory were intact, which accelerated the Exchange restore. Progent was able to find intact OST files (Microsoft Outlook Offline Data Files, the cached copies of each user's mailbox) on users' PCs and laptops and used them to recover mail messages. A recent offline backup of the client's accounting systems, which the ransomware had not been able to reach, made it possible to bring these vital applications back on-line for users. Although a great deal of work remained to recover fully from the Ryuk attack, core services were restored quickly.
Over the following weeks, the key milestones of the recovery project were reached through close cooperation between Progent team members and the customer.
Conclusion
A potentially business-ending catastrophe was averted by dedicated professionals, a broad spectrum of technical expertise, and tight collaboration. In retrospect, the incident described here should have been detected and prevented by up-to-date security tooling; adherence to NIST Cybersecurity Framework or ISO/IEC 27001 practices; staff education; and properly executed procedures for backups, including copies kept offline or otherwise out of reach of a compromised network, and for keeping systems current with security patches. The fact remains that criminal gangs and state-sponsored groups, operating from Russia, North Korea, China and elsewhere, are relentless and represent an ongoing threat. If you are hit by a crypto-ransomware attack, remember that Progent's team of experts has extensive experience in ransomware prevention, mitigation, and information systems restoration.
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Consulting Services in Des Moines
For ransomware system recovery expertise in the Des Moines metro area, call Progent at