Ransomware : Your Feared IT Disaster
Ransomware has become an all-too-frequent cyber pandemic that poses an extinction-level threat to businesses poorly prepared for an assault. Earlier generations of ransomware such as Reveton, CryptoWall, Bad Rabbit, NotPetya and MongoLock have been circulating for many years and still cause damage. Current families such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Conti and Egregor, along with many less-publicized strains, do more than encrypt on-line data: they also seek out and disable whatever recovery mechanisms the compromised accounts can reach, such as volume shadow copies and backup files on shares and backup servers. Files synchronized to the cloud can also be overwritten with their encrypted versions. In a vulnerable environment, this can make automated restoration impossible and effectively sets the network back to square one.
Recovering services and information after a ransomware event becomes a race against the clock as the targeted organization fights to contain the outbreak, eradicate the malware, and resume business-critical activity. Because ransomware needs time to spread through a targeted network, attacks are often launched on weekends, when they typically take longer to detect. This compounds the difficulty of rapidly assembling and coordinating a knowledgeable remediation team.
Progent offers a range of support services for protecting Mesa organizations from ransomware attacks. These include employee training to help staff recognize and avoid phishing attempts, and ProSight Active Security Monitoring (ASM), an endpoint detection and response (EDR) service built on SentinelOne's behavioral AI threat defense to detect and contain zero-day malware attacks. Progent also provides the services of veteran ransomware recovery engineers with the skills and commitment to restore a compromised network as quickly as possible.
Progent's Ransomware Restoration Help
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminals will deliver the keys needed to decrypt any or all of your information. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive: Ryuk ransom demands are often several hundred thousand dollars, and for larger enterprises they can run into the millions. The alternative is to rebuild the vital parts of your IT environment. Without complete, uncorrupted backups, this requires a broad range of skill sets, well-coordinated team management, and the capacity to work around the clock until the job is finished.
For two decades, Progent has provided professional IT services to businesses throughout the US and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold advanced certifications in foundation technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's security consultants have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has experience with financial systems and ERP application software. This breadth of experience gives Progent the ability to quickly understand critical systems, gather the surviving pieces of your network environment after a ransomware penetration, and assemble them into a working system.
Progent's recovery team uses proven project management tools to coordinate the complex restoration process. Progent understands the urgency of working quickly and in concert with a customer's management and IT staff to prioritize tasks and bring the most important applications back on line as fast as possible.
Customer Story: A Successful Ransomware Virus Recovery
A client engaged Progent after their company was hit by Ryuk ransomware. Early analysis linked Ryuk to North Korea because it shares code with the Hermes ransomware, but it is now generally attributed to a Russian-speaking criminal group (tracked as Wizard Spider) that typically delivers it through earlier TrickBot or Emotet infections. Ryuk targets specific organizations with little tolerance for operational disruption and is among the most lucrative ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer based in Chicago with about 500 employees. The Ryuk attack had paralyzed all essential business and manufacturing operations. Most of the client's backups had been directly reachable from the network at the start of the attack and were destroyed along with the production data. The client considered paying the ransom (more than $200K) and hoping for the best, but in the end called Progent.
Progent worked with the customer to quickly identify and prioritize the mission-critical systems that had to be addressed in order to restart business operations:
In less than two days, Progent rebuilt Active Directory to its pre-attack state. Progent then moved on to reinstallations and storage recovery for mission-critical systems. All Exchange Server databases and configuration data turned out to be intact, which accelerated the Exchange rebuild. Progent also located Outlook Offline Data Files (.ost) on user workstations and used these local mailbox caches to recover email that would otherwise have been lost. A reasonably recent offline backup of the customer's financial/ERP software made it possible to return these vital services to users. Although significant work remained to recover fully from the Ryuk damage, the most important services were restored rapidly:
Over the following month, key milestones in the recovery project were reached through close cooperation between Progent team members and the customer:
Conclusion
A likely company-ending disaster was averted through results-oriented experts, a wide array of IT skills, and tight teamwork. In hindsight, the ransomware penetration described here should have been stopped by up-to-date security tooling, adherence to NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, isolated and tested backups, timely security patching, and a rehearsed incident response plan. The reality, however, is that criminal and state-sponsored attackers from Russia, China and elsewhere are relentless and will keep trying. If you are hit by a ransomware attack, you can be confident that Progent's roster of experts has proven experience in ransomware defense, cleanup, and data disaster recovery.
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Expertise in Mesa
For ransomware system recovery consulting in the Mesa metro area, call Progent at