Ransomware: Your Crippling Information Technology Disaster
Ransomware has become a too-frequent cyber pandemic that represents an existential danger for organizations unprepared for an attack. Successive generations of crypto-ransomware such as Reveton, Fusob, Locky, SamSam and the MongoLock cryptoworms have been running rampant for many years and still cause destruction. Modern variants like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Egregor, plus daily unnamed malware, not only encrypt online data but also defeat most of the system protection that has been configured. Data synchronized to off-premises disaster recovery sites can also be corrupted. In a poorly architected data protection solution, this can make automatic restoration useless and effectively knocks the network back to zero.
Retrieving services and information after a ransomware attack becomes a sprint against the clock as the targeted business fights to contain the damage, clean up the crypto-ransomware, and restore enterprise-critical operations. Because crypto-ransomware needs time to replicate across a targeted network, attacks are usually sprung during weekends and nights, when penetrations tend to take longer to identify. This compounds the difficulty of quickly mobilizing and organizing a qualified mitigation team.
Progent makes available a range of support services for protecting Centennial enterprises from ransomware attacks. These include team member education in recognizing and not falling victim to phishing attempts, and ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR), which uses SentinelOne's behavior-based threat defense to discover and shut down zero-day modern malware attacks. Progent also offers the services of experienced crypto-ransomware recovery engineers with the talent and commitment to reconstruct a compromised network as urgently as possible.
Progent's Crypto-Ransomware Restoration Help
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminal gang will respond with the keys to decrypt all your files. Kaspersky Labs found that 17% of ransomware victims never restored their data after having paid the ransom, resulting in increased losses. The ransom itself is also costly. Ryuk ransoms are often a few hundred thousand dollars; for larger enterprises, the ransom can be in the millions of dollars. The other path is to re-install the vital components of your IT environment. Without access to complete information backups, this calls for a wide complement of IT skills, professional project management, and the ability to work non-stop until the job is complete.
For two decades, Progent has provided professional Information Technology services for companies throughout the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have attained advanced certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have earned internationally recognized industry certifications including CISA, CISSP, CRISC, GIAC, and CMMC 2.0 (visit Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of experience gives Progent the skills to efficiently identify the necessary systems, consolidate the surviving parts of your network after a ransomware attack, and rebuild them into an operational system.
Progent's ransomware team of experts uses powerful project management systems to coordinate the complex recovery process. Progent understands the importance of acting rapidly and in concert with a client's management and Information Technology resources to prioritize tasks and to get key services back online as soon as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Penetration Restoration
A business contacted Progent after their company was taken over by the Ryuk ransomware. Ryuk is thought to have been created by North Korean state hackers, possibly using techniques leaked from the U.S. NSA. Ryuk targets specific organizations with limited tolerance for operational disruption and is one of the most lucrative ransomware families. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing company located in the Chicago metro area with about 500 workers. The Ryuk event had brought down all company operations and manufacturing processes. Most of the client's data backups had been directly accessible online at the start of the attack and were destroyed. The client was taking steps to pay the ransom demand (more than $200,000) and hoping for the best, but in the end brought in Progent.
Progent worked with the client to rapidly identify and prioritize the essential systems that had to be recovered to make it possible to continue business functions:
In less than 2 days, Progent was able to restore Active Directory to its pre-intrusion state. Progent then began installation and disk recovery for key applications. All Microsoft Exchange Server connections and configuration information were intact, which greatly helped the restoration of Exchange. Progent was able to find intact OST files (Microsoft Outlook Offline Folder Files) on team workstations and laptops to recover mail messages. A reasonably recent offline backup of the client's accounting software made it possible to restore these vital applications and make them available to users again. Although major work remained to recover fully from the Ryuk damage, the most important systems were restored rapidly:
Over the next few weeks important milestones in the recovery project were accomplished through tight collaboration between Progent consultants and the client:
Conclusion
A possible enterprise-killing catastrophe was avoided through the efforts of hard-working experts, a broad spectrum of IT skills, and tight collaboration. Although in hindsight the crypto-ransomware penetration detailed here would have been identified and blocked with up-to-date cyber security technology and best practices, staff education, and well thought out security procedures for backup and proper patching controls, the reality remains that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware penetration, be confident that Progent's roster of experts has extensive experience in crypto-ransomware blocking, cleanup, and file restoration.
Download the Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Consulting in Centennial
For ransomware recovery expertise in the Centennial metro area, call Progent at