Crypto-Ransomware: Your Feared IT Disaster
Ransomware has become an all-too-frequent cyberplague that represents an extinction-level danger for businesses of all sizes vulnerable to an assault. Multiple generations of ransomware like the CrySIS, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for a long time and continue to inflict destruction. More recent versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Nephilim, plus daily unnamed newcomers, not only encrypt online data but also compromise many of the system protections that have been configured. Files replicated to off-site disaster recovery sites can also be encrypted. In a poorly architected system, this can make automatic recovery impossible and basically sets the network back to square one.
Retrieving applications and information after a ransomware intrusion becomes a sprint against the clock as the targeted organization struggles to stop the spread, clear the virus, and restore business-critical operations. Since ransomware needs time to replicate, assaults are frequently launched during weekends and nights, when attacks may take more time to identify. This compounds the difficulty of promptly marshalling and organizing a capable response team.
Progent has an assortment of solutions for protecting Albany enterprises from crypto-ransomware attacks. These include team training to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with installation of next-generation security appliances with machine learning capabilities to automatically discover and extinguish zero-day threats. Progent in addition provides the services of seasoned ransomware recovery engineers with the skills and perseverance to restore a breached environment as quickly as possible.
Progent's Ransomware Recovery Support Services
Subsequent to a ransomware attack, paying the ransom demands in Bitcoin cryptocurrency does not guarantee that cyber hackers will provide the needed codes to decipher any or all of your data. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their data even after having paid the ransom, resulting in additional losses. The ransom itself is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET estimated to be in the range of $13,000 for smaller businesses. The alternative is to re-install the vital components of your Information Technology environment. Absent access to essential system backups, this requires a wide range of IT skills, professional project management, and the willingness to work continuously until the job is completed.
For twenty years, Progent has made available expert Information Technology services for businesses throughout the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have earned top certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have garnered internationally renowned industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications.) Progent also has experience in financial management and ERP software solutions. This breadth of expertise gives Progent the skills to knowledgeably identify important systems, re-organize the surviving pieces of your computer network following a crypto-ransomware penetration, and assemble them into a functioning system.
Progent's security team of experts uses top-notch project management tools to coordinate the complicated recovery process. Progent knows the importance of acting quickly and working together with a customer's management and IT staff to assign priority to tasks and to put critical services back online as soon as humanly possible.
Client Story: A Successful Crypto-Ransomware Attack Response
A small business contacted Progent after their network was attacked by Ryuk crypto-ransomware. Ryuk is generally considered to have been launched by North Korean state hackers, suspected of using techniques leaked from the U.S. National Security Agency. Ryuk attacks specific businesses with limited ability to sustain operational disruption and is one of the most lucrative iterations of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer located in Chicago and has around 500 staff members. The Ryuk event had paralyzed all business operations and manufacturing processes. Most of the client's backups had been online at the time of the attack and were eventually encrypted. The client was preparing to pay the ransom (in excess of $200,000) and hoping for good luck, but in the end engaged Progent.
"I cannot speak enough about the help Progent gave us during the most fearful period of (our) company's survival. We may have had to pay the hackers behind this attack if it wasn't for the confidence the Progent group afforded us. That you were able to get our e-mail and important applications back in less than a week was beyond my wildest dreams. Every single person I spoke to or e-mailed at Progent was totally committed to getting our company operational and was working non-stop to bail us out."
Progent worked together with the customer to rapidly assess and assign priority to the key elements that had to be addressed in order to resume departmental functions:
- Windows Active Directory
- Exchange Server
- MRP System
To begin, Progent followed ransomware penetration mitigation best practices by isolating and disinfecting systems. Progent then began the process of bringing Windows Active Directory back online, the heart of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange email will not work without Windows AD, and the client's financials and MRP applications leveraged Microsoft SQL, which needs Windows AD for security authorization to the data.
In less than two days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then initiated setup and storage recovery on key applications. All Exchange Server data and configuration information were intact, which accelerated the rebuild of Exchange. Progent was able to find intact OST files (Microsoft Outlook Offline Data Files) on staff workstations and laptops in order to recover email data. A recent offline backup of the client's accounting systems made it possible to return these essential services to users. Although significant work remained to recover completely from the Ryuk attack, essential systems were returned to operation rapidly:
"For the most part, the assembly line operation survived unscathed and we did not miss any customer orders."
Over the next few weeks critical milestones in the restoration project were completed through tight collaboration between Progent engineers and the customer:
- Self-hosted web sites were brought back up without losing any information.
- The MailStore Microsoft Exchange Server archive, containing more than four million historical emails, was brought back online and made accessible to users.
- CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivable/Inventory Control capabilities were 100% restored.
- A new Palo Alto 850 security appliance was installed and configured.
- Most of the user desktops and notebooks were back in operation.
"A huge amount of what happened those first few days is mostly a haze for me, but our team will not soon forget the urgency each and every one of your team accomplished to give us our company back. I've been working with Progent for the past ten years, possibly more, and each time I needed help Progent has shined and delivered. This event was a life saver."
A probable company-ending disaster was avoided with dedicated experts, a wide range of knowledge, and tight teamwork. In post mortem, the ransomware attack detailed here could have been disabled with advanced cyber security solutions and NIST Cybersecurity Framework best practices, user education, properly executed incident response procedures for backup, and keeping systems up to date with security patches. The fact remains, however, that government-sponsored cybercriminals from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware attack, feel confident that Progent's roster of experts has a proven track record in ransomware virus defense, remediation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), I'm grateful for allowing me to get rested after we made it over the initial push. All of you did an amazing job, and if anyone that helped is around the Chicago area, a great meal is the least I can do!"
Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)