Ransomware : Your Worst IT Nightmare
Ransomware has become an escalating cyberplague that represents an enterprise-level danger for any organization vulnerable to an assault. Ransomware families like the CrySIS, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for years and continue to cause havoc. Newer variants such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, plus additional unnamed newcomers, not only encrypt critical online data but also infiltrate any reachable system backup. Files synced to cloud environments can also be encrypted. In a poorly architected system, this can make recovery hopeless and effectively knocks the network back to zero.
Restoring applications and information following a crypto-ransomware outage becomes a race against the clock as the victim struggles to stop the spread, clean up the crypto-ransomware, and resume enterprise-critical operations. Because ransomware needs time to spread, penetrations are often launched on weekends and holidays, when successful attacks may take longer to discover. This multiplies the difficulty of quickly marshalling and coordinating a qualified mitigation team.
Progent has a variety of help services for protecting Adelaide enterprises from ransomware attacks. Among these are user training to help staff identify and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of modern security gateways with artificial intelligence technology to quickly detect and suppress zero-day cyber threats. Progent in addition provides the services of expert ransomware recovery engineers with the track record and commitment to re-deploy a compromised network as soon as possible.
Progent's Ransomware Recovery Services
Following a ransomware attack, paying the ransom demand in cryptocurrency does not guarantee that distant criminals will return the keys needed to decipher any or all of your files. Kaspersky estimated that 17% of ransomware victims never restored their information after having sent off the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the average crypto-ransomware demand, which ZDNET determined to be approximately $13,000 for smaller organizations. The alternative is to set up from scratch the essential parts of your IT environment. Absent access to complete system backups, this requires a wide range of skill sets, professional project management, and the willingness to work non-stop until the task is finished.
For two decades, Progent has made available certified expert Information Technology services for companies throughout the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have earned top industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have earned internationally renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent in addition has expertise in accounting and ERP applications. This breadth of experience gives Progent the skills to quickly identify critical systems, organize the surviving parts of your IT environment following a ransomware penetration, and rebuild them into an operational system.
Progent's recovery team has top-notch project management systems to orchestrate the complex restoration process. Progent understands the urgency of acting swiftly and in concert with a client's management and IT resources to prioritize tasks and to put key applications back online as soon as possible.
Client Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A small business escalated to Progent after their network system was attacked by Ryuk crypto-ransomware. Ryuk is believed to have been launched by North Korean state cybercriminals, suspected of using strategies leaked from the U.S. National Security Agency. Ryuk targets specific companies with little room for operational disruption and is one of the most lucrative iterations of crypto-ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturer located in Chicago with about 500 workers. The Ryuk event had paralyzed all company operations and manufacturing capabilities. Most of the client's backups had been online at the beginning of the intrusion and were damaged. The client was arranging financing to pay the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but in the end brought in Progent.
"I cannot speak enough in regards to the care Progent provided us throughout the most critical time of (our) company's life. We had little choice but to pay the cyber criminals behind the attack except for the confidence the Progent group afforded us. That you could get our messaging and critical applications back faster than one week was incredible. Each staff member I spoke to or communicated with at Progent was absolutely committed on getting us restored and was working 24/7 to bail us out."
Progent worked together with the customer to rapidly assess and prioritize the most important areas that needed to be addressed to make it possible to resume company functions:
- Microsoft Active Directory
- Microsoft Exchange Server
To get going, Progent adhered to ransomware incident response industry best practices by halting the spread and cleaning up compromised systems. Progent then started the work of restoring Microsoft Active Directory, the heart of enterprise systems built upon Microsoft technology. Microsoft Exchange email will not function without AD, and the client's financials and MRP software utilized SQL Server, which relies on Active Directory for authentication and authorization of access to the data.
Within 48 hours, Progent was able to restore Active Directory services to their pre-attack state. Progent then initiated setup and storage recovery on critical systems. All Exchange connections and configuration information were usable, which greatly helped the restore of Exchange. Progent was also able to locate intact OST data files (Outlook Offline Data Files) on team PCs in order to recover email data. A recent offline backup of the client's accounting systems enabled them to bring these required applications back online. Although major work remained to recover fully from the Ryuk event, essential systems were returned to operation rapidly:
"For the most part, the production line operation was never shut down and we did not miss any customer orders."
During the following month critical milestones in the restoration project were accomplished through tight cooperation between Progent engineers and the client:
- Internal web sites were brought back up with no loss of data.
- The MailStore Server containing more than 4 million archived messages was spun up and accessible to users.
- CRM/Orders/Invoicing/Accounts Payable (AP)/AR/Inventory Control capabilities were 100% restored.
- A new Palo Alto 850 firewall was brought online.
- 90% of the user desktops and notebooks were functioning as before the incident.
"A lot of what happened during the initial response is nearly entirely a blur for me, but my team will not forget the countless hours each and every one of you accomplished to help get our company back. I have entrusted Progent for at least 10 years, possibly more, and every time I needed help Progent has come through and delivered. This situation was a testament to your capabilities."
A likely business-killing catastrophe was averted by dedicated experts, a broad range of IT skills, and close collaboration. Although in retrospect the ransomware incident described here should have been identified and prevented with advanced cyber security systems and security best practices, team education, and well thought out procedures for data protection and applying software patches, the fact remains that state-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a crypto-ransomware incident, feel confident that Progent's team of experts has proven experience in crypto-ransomware defense, removal, and data recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for letting me get rested after we made it past the initial push. Everyone did an amazing effort, and if anyone is around the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this customer story, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Expertise in Adelaide
For ransomware cleanup services in the Adelaide area, phone Progent at 800-462-8800 or go to Contact Progent.