Ransomware: Your Feared IT Disaster
Crypto-ransomware has become an escalating cyber plague that presents an existential danger to organizations unprepared for an attack. Different versions of crypto-ransomware, such as the Reveton, CryptoWall, Locky, SamSam and MongoLock cryptoworms, have been circulating for a long time and continue to cause havoc. Modern strains such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Egregor, along with daily unnamed newcomers, not only encrypt online information but also infiltrate most accessible system backups. Files synchronized to the cloud can also be corrupted. In a poorly designed data protection solution, this can make automatic restore operations impossible and effectively knocks the entire system back to zero.
Getting applications and information back online after a ransomware attack becomes a race against time as the victim struggles to stop lateral movement, clear the malware, and restore enterprise-critical operations. Because crypto-ransomware requires time to spread across a network, intrusions are often launched on weekends, when they typically take longer to notice. This compounds the difficulty of rapidly marshalling and orchestrating a qualified response team.
Progent makes available an assortment of solutions for securing Houston organizations against ransomware attacks. These include team education to help identify and avoid phishing attempts, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which uses SentinelOne's behavior-based threat defense to detect and contain zero-day malware attacks. Progent also provides the services of seasoned crypto-ransomware recovery consultants with the skills and commitment to redeploy a compromised system as rapidly as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware event, paying the ransom in cryptocurrency does not guarantee that the criminals will provide the keys to decrypt all your information. Kaspersky estimated that 17% of ransomware victims never restored their information after having paid the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms are typically several hundred thousand dollars; for larger enterprises, the ransom can be in the millions of dollars. The alternative is to reinstall the critical elements of your IT environment. Absent access to complete data backups, this calls for a wide complement of skills, professional project management, and the capability to work 24x7 until the task is done.
For twenty years, Progent has made available certified expert IT services for businesses across the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have earned high-level certifications in leading technologies from Microsoft, Cisco, and VMware, and in major distributions of Linux. Progent's security specialists have earned internationally recognized industry certifications including CISM, CISSP, CRISC, GIAC, and CMMC 2.0 (refer to Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of expertise enables Progent to rapidly identify the important systems, reorganize the remaining pieces of your network following a ransomware intrusion, and configure them into a functioning system.
Progent's security team uses state-of-the-art project management systems to coordinate the complex recovery process. Progent appreciates the urgency of working rapidly and in unison with a customer's management and IT team members to prioritize tasks and to get critical services back online as soon as possible.
Client Story: A Successful Crypto-Ransomware Attack Restoration
A customer escalated to Progent after their company was penetrated by the Ryuk ransomware. Ryuk is believed to have been created by North Korean state-sponsored criminal gangs, suspected of using algorithms leaked from the U.S. National Security Agency. Ryuk targets specific companies with little or no room for operational disruption and is among the most profitable incarnations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer located in the Chicago metro area with about 500 staff members. The Ryuk intrusion had shut down all company operations and manufacturing processes. Most of the client's data backups had been online at the time of the attack and were encrypted. The client was actively seeking loans to pay the ransom demand (exceeding $200,000) and hoping for good luck, but ultimately reached out to Progent.
Progent worked together with the client to rapidly identify and prioritize the critical systems that had to be restored to make it possible to continue business functions:
In less than 48 hours, Progent was able to restore Active Directory services to their pre-attack state. Progent then rebuilt essential systems and recovered their hard drives. All Microsoft Exchange Server data and configuration information were usable, which accelerated the rebuild of Exchange. Progent was also able to assemble unencrypted OST files (Outlook Offline Folder Files) from various workstations and laptops in order to recover mail data. A recent offline backup of the business's accounting/MRP software made it possible to return these vital applications to service. Although a large amount of work remained to recover completely from the Ryuk attack, essential services were recovered quickly:
During the following month, critical milestones in the restoration project were accomplished in close collaboration between Progent engineers and the customer:
Conclusion
A likely business disaster was avoided through the efforts of top-tier professionals, a wide array of knowledge, and tight teamwork. Although post-incident analysis showed that the ransomware incident detailed here should have been stopped by up-to-date security technology and best practices, staff training, properly executed incident response procedures, data protection, and proper patching controls, the fact remains that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a crypto-ransomware incident, be assured that Progent's team of professionals has substantial experience in crypto-ransomware defense, mitigation, and file restoration.
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB)
Contact Progent for Ransomware System Recovery Expertise in Houston
For ransomware system recovery consulting services in the Houston area, phone Progent at