Ransomware: Your Feared Information Technology Catastrophe
Ransomware has become a modern cyber pandemic that presents an extinction-level danger for businesses vulnerable to an attack. Earlier iterations of ransomware such as Reveton, Fusob, Locky, SamSam and MongoLock have been out in the wild for a long time and continue to cause harm. Modern versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, as well as frequent unnamed newcomers, not only encrypt on-line files but also seek out and encrypt most available system backups. Data synched to off-premises disaster recovery sites can also be encrypted. In a poorly designed system, this can make automatic restoration hopeless and effectively set the entire environment back to square one.
Recovering applications and information following a ransomware outage becomes a sprint against time as the targeted business tries its best to stop lateral movement, remove the ransomware, and resume enterprise-critical operations. Because ransomware takes time to move laterally across a network, intrusions are often launched on weekends and holidays, when attacks are likely to take longer to detect. This multiplies the difficulty of rapidly marshalling and organizing a qualified mitigation team.
Progent offers a variety of services for protecting businesses from crypto-ransomware events. Among these are team education to help identify and avoid phishing exploits, and ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR), which uses SentinelOne's AI-based cyberthreat protection to detect and disable zero-day modern malware assaults. Progent also offers the assistance of veteran ransomware recovery professionals with the track record and perseverance to reconstruct a breached system as urgently as possible.
Progent's Crypto-Ransomware Restoration Services
Following a ransomware event, paying the ransom demanded in cryptocurrency does not ensure that criminal gangs will provide the keys needed to decrypt any of your information. Kaspersky determined that 17% of ransomware victims never recovered their data even after having paid the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms are often a few hundred thousand dollars. For larger enterprises, the ransom demand can be in the millions of dollars. The other path is to rebuild the vital parts of your IT environment. Absent essential system backups, this requires a wide range of skill sets, well-coordinated project management, and the capability to work 24x7 until the job is completed.
For twenty years, Progent has made available professional Information Technology services for companies throughout the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have earned high-level industry certifications in foundation technologies from Microsoft, Cisco, and VMware and in popular distributions of Linux. Progent's cybersecurity specialists have garnered internationally recognized certifications including CISM, CISSP, CRISC, GIAC, and CMMC 2.0. (Refer to Progent's certifications.) Progent also has expertise in financial management and ERP software solutions. This breadth of experience affords Progent the skills to efficiently identify important systems, consolidate the surviving pieces of your network after a ransomware event, and rebuild them into a functioning system.
Progent's recovery team deploys powerful project management tools to coordinate the sophisticated recovery process. Progent understands the importance of working swiftly and in unison with a customer's management and Information Technology staff to assign priority to tasks and to get critical systems back on line as soon as humanly possible.
Case Study: A Successful Crypto-Ransomware Virus Restoration
A client sought out Progent after their company was taken over by Ryuk crypto-ransomware. Ryuk is generally considered to have been created by North Korean state cybercriminals, possibly adopting technology leaked from America's NSA. Ryuk targets specific businesses with limited tolerance for disruption and is among the most lucrative versions of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in Chicago with about 500 workers. The Ryuk attack had brought down all business operations and manufacturing processes. The majority of the client's data backups had been on-line at the time of the intrusion and were destroyed. The client considered paying the ransom (more than $200K) and hoping for the best, but in the end brought in Progent.
Progent worked hand in hand with the customer to rapidly identify and prioritize the critical applications that had to be restored in order to restart departmental operations:
In less than 48 hours, Progent was able to restore Active Directory services to their pre-attack state. Progent then charged ahead with setup and hard drive recovery of key servers. All Exchange Server ties and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to locate local OST files (Microsoft Outlook Offline Folder Files) on staff PCs to recover mail messages. A recent offline backup of the client's accounting/ERP systems made it possible to bring these vital programs back on-line. Although a lot of work still had to be done to recover completely from the Ryuk attack, core services were restored rapidly:
Throughout the following few weeks, important milestones in the recovery project were accomplished through tight collaboration between Progent consultants and the customer:
Conclusion
A possible business extinction disaster was averted through the efforts of results-oriented professionals, a wide range of technical expertise, and close collaboration. In hindsight, the ransomware incident detailed here could have been blocked with modern security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator training, and well-designed security procedures for data backup and software patching. The fact remains that state-sponsored cyber criminals from China, North Korea and elsewhere are tireless and are not going away. If you do get hit by a ransomware attack, feel confident that Progent's roster of professionals has extensive experience in ransomware blocking, removal, and file restoration.
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB)
Contact Progent for Ransomware Removal Expertise
For 24-hour crypto-ransomware removal help, reach out to Progent at