Ransomware: Your Crippling IT Nightmare
Ransomware has become a modern cyber pandemic that presents an extinction-level danger for businesses vulnerable to an assault. Versions of ransomware such as Reveton, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been out in the wild for years and continue to inflict damage. Modern versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Egregor, as well as additional unnamed variants, not only encrypt online data but also infiltrate most configured system protection mechanisms. Information synchronized to the cloud can also be encrypted. In a poorly designed environment, this can make automated restore operations useless and effectively knock the network back to zero.
Getting programs and data back following a ransomware intrusion becomes a sprint against the clock as the victim fights to contain and clear the virus and to resume enterprise-critical activity. Since ransomware requires time to replicate, assaults are often launched on weekends and holidays, when attacks typically take longer to detect. This compounds the difficulty of promptly marshalling and orchestrating a qualified mitigation team.
Progent provides an assortment of services for protecting Albany businesses from crypto-ransomware penetrations. Among these are team education to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of the latest generation security appliances with artificial intelligence technology to quickly identify and quarantine zero-day threats. Progent also can provide the services of expert crypto-ransomware recovery professionals with the talent and perseverance to rebuild a breached system as urgently as possible.
Progent's Ransomware Restoration Services
Following a ransomware event, even paying the ransom demand in Bitcoin cryptocurrency does not guarantee that merciless criminals will respond with the keys to decipher any of your files. Kaspersky Labs estimated that 17% of ransomware victims never restored their files after having paid the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is greatly above the typical crypto-ransomware demand, which ZDNET determined to be in the range of $13,000 for small organizations. The alternative is to set up the vital parts of your IT environment from scratch. Without access to complete information backups, this calls for a wide range of skill sets, well-coordinated team management, and the capability to work 24x7 until the recovery project is done.
For decades, Progent has offered certified expert Information Technology services for companies throughout the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have earned high-level certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have garnered internationally-recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience with accounting and ERP software solutions. This breadth of expertise gives Progent the ability to knowledgeably identify necessary systems, organize the surviving parts of your computer network environment after a ransomware penetration, and assemble them into a functioning system.
Progent's recovery group utilizes state-of-the-art project management systems to coordinate the complex restoration process. Progent understands the urgency of working swiftly and in concert with a client's management and IT resources to assign priority to tasks and to get the most important services back online as soon as humanly possible.
Business Case Study: A Successful Ransomware Virus Restoration
A business contacted Progent after their organization was brought down by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state-sponsored cybercriminals, suspected of adopting strategies leaked from America's National Security Agency. Ryuk attacks specific companies with limited ability to sustain operational disruption and is one of the most profitable instances of ransomware. Well-known targets include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing business based in Chicago with around 500 workers. The Ryuk penetration had disabled all essential operations and manufacturing processes. Most of the client's information backups had been online at the start of the attack and were encrypted. The client was actively seeking loans to pay the ransom (more than $200K) and hoping for good luck, but ultimately reached out to Progent.
"I cannot thank you enough in regards to the support Progent gave us throughout the most stressful period of (our) business's existence. We may have had to pay the cyber criminals behind the attack if it wasn't for the confidence the Progent experts afforded us. The fact that you could get our messaging and key servers back sooner than one week was something I thought impossible. Each consultant I got help from or communicated with at Progent was totally committed to getting us working again and was working day and night to bail us out."
Progent worked together with the customer to quickly understand and prioritize the most important systems that needed to be recovered in order to restart company functions:
- Active Directory
- Electronic Messaging
First, Progent followed ransomware penetration mitigation best practices by stopping the spread and removing active viruses. Progent then began the task of rebuilding Microsoft AD, the heart of enterprise systems built upon Microsoft Windows technology. Exchange email will not function without AD, and the client's financials and MRP system leveraged Microsoft SQL Server, which needs Windows AD for access to the databases.
Within 2 days, Progent was able to recover Active Directory services to their pre-attack state. Progent then performed rebuilding and hard drive recovery on needed applications. All Exchange Server data and attributes were intact, which accelerated the restore of Exchange. Progent was able to locate non-encrypted OST data files (Microsoft Outlook Offline Folder Files) on user workstations and laptops in order to recover mail messages. A fairly recent offline backup of the customer's manufacturing software made it possible to bring these vital applications back online for users. Although a lot of work remained to recover completely from the Ryuk event, the most important services were returned to operation quickly:
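Locating intact Outlook data files on endpoints, as the paragraph above describes, is a triage task that can be scripted rather than done by hand. The PowerShell below is an added example written for this page; it is not Progent's code and was not used in the engagement. It walks the default Outlook data-file location under each user profile (the `$Roots` default and the `*.ost` filter are assumptions; adjust them for the environment), checks whether each OST still begins with the `!BDN` signature that the MS-PST file format specifies for PST/OST files, and writes a per-machine CSV that a recovery team can collect centrally.

```powershell
# Added example (not Progent's code): inventory Outlook OST files on a workstation
# and flag those whose PST/OST header signature is no longer intact.

function Test-OstSignature {
    param([Parameter(Mandatory)][string]$Path)
    # MS-PST: the first four bytes of a PST/OST file are 0x21 0x42 0x44 0x4E ("!BDN").
    # Returns $true if the signature is present, $false if not, $null if the file
    # could not be read (for example, still locked by a running Outlook).
    $expected = [byte[]](0x21, 0x42, 0x44, 0x4E)
    try {
        $stream = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try {
            $buf = New-Object byte[] 4
            $read = $stream.Read($buf, 0, 4)
        } finally {
            $stream.Dispose()
        }
    } catch {
        return $null
    }
    if ($read -lt 4) { return $false }
    for ($i = 0; $i -lt 4; $i++) {
        if ($buf[$i] -ne $expected[$i]) { return $false }
    }
    return $true
}

function Get-OstInventory {
    # Assumption: profiles live under C:\Users; Outlook keeps OST files in
    # <profile>\AppData\Local\Microsoft\Outlook by default.
    param([string[]]$Roots = @('C:\Users'))
    Get-ChildItem -Path $Roots -Recurse -Filter '*.ost' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                Path        = $_.FullName
                SizeMB      = [math]::Round($_.Length / 1MB, 1)
                LastWrite   = $_.LastWriteTime
                SignatureOK = Test-OstSignature -Path $_.FullName
            }
        }
}

# Usage: run on each workstation (directly or via PowerShell remoting) and
# gather the CSV files on the recovery team's collection share.
Get-OstInventory |
    Export-Csv -Path "$env:TEMP\ost-inventory-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Two caveats for anyone adapting this: ransomware families that rename encrypted files will leave nothing matching `*.ost`, so a missing file is itself a finding worth recording; and a passing signature check is only a triage signal, since a file could be damaged beyond its first four bytes. Treat `SignatureOK = True` as "worth trying to import", and confirm by opening the file with Outlook or an OST reader on a clean machine.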
"For the most part, the assembly line operation never missed a beat and we delivered all customer shipments."
During the following couple of weeks critical milestones in the restoration process were accomplished in close cooperation between Progent engineers and the client:
- Self-hosted web sites were restored with no loss of information.
- The MailStore Exchange Server with over 4 million archived messages was brought online and available for users.
- CRM/Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory Control modules were completely recovered.
- A new Palo Alto 850 firewall was deployed.
- Ninety percent of the user workstations were fully operational.
"A lot of what went on in the initial days is mostly a haze for me, but we will not soon forget the commitment all of the team accomplished to help get our company back. I have trusted Progent for at least 10 years, maybe more, and each time Progent has impressed me and delivered as promised. This situation was the most impressive ever."
A probable company-ending catastrophe was avoided thanks to dedicated experts, a wide spectrum of knowledge, and close teamwork. Although post-incident forensics showed that the ransomware attack detailed here could have been identified and prevented with advanced cyber security technology and NIST Cybersecurity Framework best practices, team training, and well thought out incident response procedures for data protection and applying software patches, the fact is that government-sponsored cyber criminals from China, North Korea and elsewhere are relentless and will continue. If you do get hit by a ransomware incursion, remember that Progent's team of professionals has a proven track record in ransomware blocking, mitigation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were contributing), thanks very much for making it so I could get rested after we got through the first week. Everyone did an amazing effort, and if anyone that helped is visiting the Chicago area, dinner is on me!"
Download the Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)