Ransomware: Your Crippling IT Disaster
Ransomware has become a modern cyber pandemic and represents an extinction-level threat for organizations that are unprepared for an assault. Ransomware families such as CryptoLocker, CryptoWall, Bad Rabbit, Syskey and MongoLock have been running rampant for years and continue to cause harm. Newer strains such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, LockBit and Nefilim, along with many unnamed variants, not only encrypt online data but also seek out and encrypt every backup they can reach. Data synchronized to an off-site disaster recovery site can be ransomed as well, because replication faithfully copies the encrypted files. In a poorly architected environment this makes automated recovery hopeless and effectively knocks the network back to zero.
Getting services and data back online after a ransomware event becomes a race against the clock: the victim must stop the spread, remove the crypto-ransomware, and restore business-critical operations. Because crypto-ransomware needs time to move laterally, intrusions are usually launched during nights and weekends, when an attack may take longer to notice. This multiplies the difficulty of promptly marshalling and coordinating a capable response team.
Progent offers an assortment of services for protecting Adelaide enterprises from ransomware events. These include staff training to help recognize and avoid phishing attacks, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security appliances with machine learning capabilities to rapidly identify and quarantine zero-day threats. Progent can also provide experienced crypto-ransomware recovery professionals with the skill and perseverance to restore a breached network as quickly as possible.
Progent's Ransomware Recovery Support Services
After a crypto-ransomware event, paying the ransom in cryptocurrency provides no assurance that the attackers will hand over the keys needed to decrypt all of your files. Kaspersky Lab estimated that 17% of ransomware victims never recovered their files even after paying the ransom, compounding their losses. The gamble is also very expensive. Ryuk ransoms commonly range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time). This is far higher than the typical ransomware demand, which ZDNet estimated at around $13,000 for smaller organizations. The alternative is to rebuild the essential components of your IT environment from scratch. Without access to usable system backups, this requires a broad range of skills, top-notch team management, and the willingness to work around the clock until the job is done.
For two decades, Progent has provided certified expert IT services to businesses across the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who hold advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists hold internationally recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise in accounting and ERP application software. This breadth of experience allows Progent to quickly identify the critical systems, salvage the remaining pieces of a network after a crypto-ransomware attack, and reassemble them into a working environment.
Progent's security team uses best-of-breed project management tools to coordinate the complex recovery process. Progent understands the importance of working rapidly and in unison with a customer's management and IT staff to prioritize tasks and to bring the most important applications back online as soon as possible.
Business Case Study: A Successful Ransomware Intrusion Recovery
A client engaged Progent after their organization was taken over by the Ryuk ransomware. Early reports linked Ryuk to North Korean state-sponsored groups, and some suggested it used exploit code leaked from America's National Security Agency; later analysis attributed the operation to Russian-speaking criminal groups. Ryuk targets specific businesses that have little or no tolerance for operational disruption and is one of the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in Chicago with around 500 employees. The Ryuk intrusion had shut down all essential business and manufacturing processes. Most of the client's backups had been online when the intrusion began and were encrypted. The client was preparing to pay the ransom (more than two hundred thousand dollars) and hope for the best, but in the end engaged Progent.
"I cannot tell you enough about the help Progent provided us throughout the most stressful period of (our) business's life. We may have had to pay the hackers behind this attack if not for the confidence the Progent team gave us. That you were able to get our e-mail and important servers back into operation in under seven days was earth shattering. Each person I got help from or communicated with at Progent was absolutely committed to getting our system up and was working day and night on our behalf."
Progent worked with the client to rapidly identify and prioritize the areas that had to be addressed before company operations could resume:
- Windows Active Directory
- Exchange Server
- Accounting and manufacturing software
To begin, Progent followed incident response best practices by halting lateral movement and removing the malware. Progent then started bringing Active Directory back online, since AD is the foundation of an enterprise environment built on Microsoft technology: Exchange Server messaging will not function without it, and the client's accounting and MRP system ran on SQL Server, which relies on Active Directory for authentication and authorization to the database.
In less than 48 hours, Progent had restored Active Directory to its pre-attack state. Progent then began rebuilding servers and recovering data for the most important applications. All Exchange Server data and attributes were intact, which made the Exchange restore straightforward. Progent was also able to collect local OST files (Outlook Offline Data Files) from user desktops and laptops to recover recent email. A recent offline backup of the client's financial/MRP systems allowed those essential applications to be brought back online for users. Although a great deal of work remained to recover fully from the Ryuk attack, essential systems were restored quickly:
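As an added example (not Progent's own code or procedure), the following PowerShell script turns the recovery order above into checks a responder can run once containment is done: it verifies that the restored Active Directory replicates and passes dcdiag, confirms that the Exchange and SQL Server hosts still have a working secure channel to the domain before anything is restored on them, and inventories Outlook OST files on workstations as a fallback source of recent mail. The domain and host names (corp.example, EX01, SQL01) are placeholders.

```powershell
# Added example, not Progent's tooling: post-restore checks for the recovery
# order described above (AD first, then the Exchange and SQL hosts that depend
# on it) and an inventory of Outlook OST files as a fallback source of mail.
# Run only after containment, from an admin workstation with RSAT installed.
# Hypothetical names: domain corp.example, application servers EX01 and SQL01.
#Requires -Modules ActiveDirectory

$Domain     = 'corp.example'
$AppServers = 'EX01', 'SQL01'

# --- 1. Is Active Directory really back? -----------------------------------
Get-ADDomainController -Filter * -Server $Domain |
    Select-Object Name, IPv4Address, IsGlobalCatalog, OperatingSystem |
    Format-Table -AutoSize

# repadmin and dcdiag are the authoritative health checks; a non-zero exit code
# means replication or core services are still broken and nothing that depends
# on AD should be restored yet.
repadmin /replsummary
if ($LASTEXITCODE -ne 0) { Write-Warning 'repadmin reports replication errors' }

dcdiag /test:Replications /test:Services /test:Advertising /q
if ($LASTEXITCODE -ne 0) { Write-Warning 'dcdiag reports failures' }

# --- 2. Can the application servers authenticate against the restored domain? -
# Exchange and SQL Server rely on Kerberos; a broken machine secure channel
# (common after a DC is restored from backup) shows up as logon failures.
foreach ($srv in $AppServers) {
    try {
        $ok = Invoke-Command -ComputerName $srv -ScriptBlock { Test-ComputerSecureChannel }
        if ($ok) { "${srv}: secure channel OK" }
        else     { Write-Warning "${srv}: secure channel broken; run Test-ComputerSecureChannel -Repair on that host" }
    } catch {
        Write-Warning "${srv}: cannot reach host over WinRM ($($_.Exception.Message))"
    }
}

# --- 3. Fallback mail source: inventory OST files on workstations -------------
# An OST is a local cache of a user's mailbox. It cannot be mounted directly, but
# its contents can be exported with Outlook or a conversion tool. Files the
# ransomware renamed will not match *.ost; a file that matches but was encrypted
# in place will fail to open, so compare LastWrite against the attack window.
$Workstations = Get-ADComputer -Filter 'OperatingSystem -like "*Windows 10*"' -Properties OperatingSystem |
    Select-Object -ExpandProperty Name

$ostReport = foreach ($ws in $Workstations) {
    $usersRoot = "\\$ws\C$\Users"
    if (-not (Test-Path $usersRoot)) { Write-Warning "$ws unreachable, skipping"; continue }
    foreach ($userDir in Get-ChildItem -Path $usersRoot -Directory) {
        $ostDir = Join-Path $userDir.FullName 'AppData\Local\Microsoft\Outlook'
        Get-ChildItem -Path $ostDir -Filter *.ost -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Computer  = $ws
                    User      = $userDir.Name
                    File      = $_.Name
                    SizeMB    = [math]::Round($_.Length / 1MB, 1)
                    LastWrite = $_.LastWriteTime
                }
            }
    }
}

$ostReport | Sort-Object LastWrite -Descending | Format-Table -AutoSize
$ostReport | Export-Csv -Path .\ost-inventory.csv -NoTypeInformation
```

The OST inventory is deliberately read-only: copy the files to clean, write-protected storage before attempting any export, and keep the CSV with the incident record so it is clear which mailboxes were recovered from cache rather than from a restored Exchange database.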
"For the most part, the manufacturing operation survived unscathed and we did not miss any customer orders."
During the following couple of weeks, key milestones in the recovery project were completed through close cooperation between Progent consultants and the customer:
- Internal web applications were brought back up without any data loss.
- The MailStore email archive server, holding more than 4 million archived Exchange messages, was brought back up and made accessible to users.
- CRM, customer orders, invoicing, accounts payable (AP), accounts receivable (AR) and inventory functions were fully operational.
- A new Palo Alto Networks PA-850 firewall was deployed.
- 90% of user desktops were back in service.
"A lot of what occurred in the initial days is nearly entirely a haze for me, but our team will not forget the urgency each and every one of your team showed in giving us our company back. I have trusted Progent for at least 10 years, maybe more, and each time Progent has outperformed my expectations and delivered as promised. This event was a life saver."
A potentially business-killing catastrophe was averted by results-oriented professionals, a broad range of expertise, and tight teamwork. The post-incident forensics showed that the intrusion described here could have been detected and stopped with modern security technology, recognized best practices, staff training, and sound procedures for backups and security patching. Even so, state-sponsored and criminal attackers from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you are hit by a ransomware attack, remember that Progent's roster of experts has substantial experience in ransomware blocking, removal, and information system recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were involved), thank you for allowing me to get some sleep after we got through the initial fire. All of you made an incredible effort, and if any of your guys are visiting the Chicago area, a great meal is the least I can do!"
Download the Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)