Crypto-Ransomware: Your Worst IT Catastrophe
Ransomware has become an all-too-frequent cyber pandemic that presents an extinction-level threat for businesses unprepared for an attack. Earlier families of crypto-ransomware such as the CrySIS, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been replicating for many years and continue to inflict harm. Modern versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Nefilim, along with newcomers that have not yet been named, not only encrypt online files but also corrupt any system backups they can reach. Files replicated to off-premises disaster recovery sites can also be rendered useless. In a poorly architected data protection solution, this can make automatic restoration impossible and effectively set the entire environment back to zero.
Restoring applications and information following a ransomware event becomes a race against the clock as the targeted business struggles to contain the damage, clean up the ransomware, and resume enterprise-critical operations. Because ransomware requires time to move laterally across a targeted network, assaults are often sprung on weekends and holidays, when attacks tend to take longer to uncover. This multiplies the difficulty of rapidly mobilizing and orchestrating a knowledgeable response team.
Progent offers a range of services for securing Jacksonville enterprises against ransomware attacks. These include team member education to help staff identify and avoid falling victim to phishing exploits, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which uses SentinelOne's behavior-based threat defense to detect and disable zero-day malware attacks. Progent can also provide the services of seasoned crypto-ransomware recovery professionals with the track record and perseverance to re-deploy a compromised environment as quickly as possible.
Progent's Ransomware Recovery Services
After a crypto-ransomware event, paying the ransom in cryptocurrency provides no assurance that the criminal gang will respond with the keys to decrypt all your information. Kaspersky Labs determined that 17% of crypto-ransomware victims never restored their information even after having sent off the ransom, resulting in further losses. The gamble is also costly. Ryuk ransoms are commonly several hundred thousand dollars, and for larger organizations the ransom demand can reach millions of dollars. The other path is to rebuild the vital components of your Information Technology environment. Without full system backups available, this calls for a wide complement of skill sets, professional team management, and the willingness to work continuously until the recovery project is complete.
For decades, Progent has provided certified expert Information Technology services for businesses across the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have attained advanced industry certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have earned internationally recognized certifications including CISA, CISSP, ISACA CRISC, SANS GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of experience enables Progent to rapidly identify the necessary systems after a ransomware event, organize the surviving components of your network, and assemble them into an operational environment.
Progent's ransomware response team uses top-notch project management tools to orchestrate the sophisticated recovery process. Progent appreciates the importance of acting rapidly and in unison with a client's management and IT resources to prioritize tasks and to put key services back online as soon as humanly possible.
Client Story: A Successful Ransomware Attack Response
A client sought out Progent after their company was brought down by the Ryuk ransomware virus. Ryuk is generally considered to have been deployed by North Korean state-sponsored criminal gangs, possibly adopting techniques leaked from the United States National Security Agency. Ryuk targets specific companies with little tolerance for disruption and is among the most lucrative iterations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer located in Chicago with about 500 staff members. The Ryuk intrusion had frozen all essential operations and manufacturing capabilities. The majority of the client's data backups had been online when the intrusion began and were damaged. The client was pursuing financing to pay the ransom (exceeding two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent instead.
Progent worked with the customer to rapidly identify and prioritize the mission-critical applications that had to be restored so that company operations could resume:
In less than two days, Progent was able to recover Active Directory to its pre-virus state. Progent then performed reinstallations and storage recovery on the most important applications. All Exchange data and attributes were intact, which facilitated the rebuild of Exchange. Progent was able to gather intact OST data files (Outlook Off-Line Folder Files) from user PCs to recover email messages. A relatively recent offline backup of the customer's accounting/ERP software made it possible to bring these essential services back online for users. Although significant work remained to recover completely from the Ryuk virus, essential systems were recovered quickly:
Over the next couple of weeks, key milestones in the recovery process were accomplished through tight collaboration between Progent consultants and the customer:
Conclusion
A likely business-ending catastrophe was averted by dedicated experts, a wide spectrum of technical expertise, and tight collaboration. Although post-incident analysis showed that the ransomware incident described here could have been prevented with modern security solutions and security best practices, team training, and appropriate incident response procedures for data backup and software patching, the reality remains that state-sponsored cyber criminals from China, North Korea and elsewhere are tireless and will keep attacking. If you are hit by a ransomware penetration, you can be confident that Progent's team of professionals has a proven track record in crypto-ransomware virus defense, remediation, and file disaster recovery.
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Services in Jacksonville
For ransomware system restoration consulting services in the Jacksonville metro area, call Progent at