Ransomware: Your Feared Information Technology Catastrophe
Ransomware has become an escalating cyber plague that presents an enterprise-level threat to businesses of any size that are unprepared for an attack. Older families such as CryptoLocker, WannaCry, Locky and MongoLock have been in the wild for years and continue to inflict damage. Newer variants such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Nefilim, along with others not yet named, do not merely encrypt online data: they typically also hunt for any reachable backups, volume shadow copies and security tooling and disable or encrypt them before the ransom note appears. Data synchronized to cloud environments can be ransomed as well, because the encrypted files are simply replicated upstream. In a poorly designed system this can leave no intact restore point, which makes automated recovery impossible and effectively resets the network to zero.
Recovering applications and data after a ransomware attack becomes a race against time as the targeted organization tries to contain the spread, eradicate the malware and resume business-critical activity. Because encrypting an entire environment takes hours, attacks are frequently launched at night and on weekends, when they are likely to run longer before anyone notices. This compounds the difficulty of rapidly assembling and organizing an experienced response team.
Progent offers a range of services for protecting Albany businesses from ransomware. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and the deployment and configuration of modern security appliances that use AI-based detection to identify and contain zero-day attacks quickly. Progent can also provide seasoned ransomware recovery professionals with the skills and perseverance to restore a compromised network as quickly as possible.
Progent's Ransomware Recovery Help
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminals will hand over working keys for all your files. Kaspersky Lab found that 17% of ransomware victims never recovered their files even after paying, compounding the loss. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the exchange rates of the time), far above the average ransomware demand, which ZDNet put at around $13,000 for smaller businesses. The alternative is to rebuild the key components of your IT environment from scratch. Without full, intact backups this calls for a wide range of skills, first-rate project management, and the capacity to work around the clock until the recovery is done.
For twenty years Progent has provided professional IT services to businesses throughout the United States and has earned Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers holding high-level certifications in foundation technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cyber security consultants hold internationally recognized certifications including CISM, CISSP, ISACA CRISC and SANS GIAC (see Progent's certifications). Progent also has experience with accounting and ERP software. This breadth of expertise lets Progent quickly identify critical systems, organize the surviving components of your IT environment after a ransomware attack, and reassemble them into a working whole.
Progent's recovery team uses robust project management tools to coordinate the complex restoration process. Progent understands the urgency of acting quickly and works with the client's management and IT staff to prioritize tasks and bring critical systems back online as soon as possible.
Client Case Study: A Successful Ransomware Recovery
A business turned to Progent after its network was hit by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, but it is now generally attributed to a Russian-speaking criminal group. Ryuk targets specific organizations with little or no tolerance for operational disruption and is among the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer in the Chicago metro area with around 500 employees. The Ryuk attack had paralyzed all essential business and manufacturing processes. Most of the client's backups had been online when the attack began and were encrypted along with everything else. The client was actively seeking loans to pay the ransom (more than $200,000) and hoping for the best, but ultimately reached out to Progent.
"I can't say enough about the support Progent provided us during the most fearful period of (our) company's existence. We would have had little choice but to pay the cyber criminals behind the attack if it weren't for the confidence the Progent experts gave us. That you were able to get our e-mail and important servers back online in less than a week was something I thought impossible. Each expert I got help from or messaged at Progent was hell-bent on getting our system up and was working day and night on our behalf."
Progent worked hand in hand with the client to quickly identify and prioritize the mission-critical systems that had to be recovered in order to restart departmental functions:
- Microsoft Active Directory
- Microsoft Exchange
- MRP system
First, Progent followed incident response best practice by stopping lateral movement and removing the active malware. Progent then began restoring Active Directory, the core of enterprise networks built on Microsoft technology. Exchange will not run without AD, and the business's financial and MRP applications were built on Microsoft SQL Server, which relied on Active Directory for authentication and access to the data.
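The dependency reasoning above (Exchange and SQL Server cannot come back before Active Directory; the MRP and accounting applications cannot come back before SQL Server) is what turns a pile of encrypted servers into a recovery schedule. The planner below is an added illustration of that reasoning, not a Progent tool or anything from the case study. The dependency map is constructed from the text of this page; the DNS entry, the priority numbers and the service names are assumptions made for the example. It computes a restoration order in which each service is brought up only after everything it needs, restores the most urgent ready service first, lets urgency flow down to prerequisites (a database the MRP system needs is as urgent as the MRP system itself), and rejects a circular dependency instead of looping forever.

```python
"""Recovery-order planner: which systems to restore first after ransomware.

Added illustration, not a Progent tool. DEPENDENCIES is constructed from the
case study text; the DNS entry and the PRIORITY values are assumptions.
"""

LOW = 9  # default urgency for services nobody prioritised explicitly

# service -> set of services it cannot run without (constructed sample data)
DEPENDENCIES = {
    "Active Directory": set(),
    "DNS": set(),                                   # assumption: AD-integrated DNS
    "Exchange": {"Active Directory", "DNS"},
    "SQL Server": {"Active Directory"},
    "MRP": {"SQL Server"},
    "Accounting/ERP": {"SQL Server"},
    "MailStore archive": {"Exchange"},
    "Web sites": set(),
}

# business urgency, 1 = most urgent (assumed values for the example)
PRIORITY = {"MRP": 1, "Exchange": 2, "Accounting/ERP": 3,
            "Web sites": 4, "MailStore archive": 5}


def _dependents(deps):
    """Invert the map: service -> list of services that depend on it."""
    out = {s: [] for s in deps}
    for s, needs in deps.items():
        for d in needs:
            if d not in deps:
                raise KeyError(f"{s!r} depends on unknown service {d!r}")
            out[d].append(s)
    return out


def effective_priority(deps, priority):
    """Urgency flows downward: a prerequisite is at least as urgent as the
    most urgent service built on top of it. Raises ValueError on a cycle."""
    dependents = _dependents(deps)
    memo, in_progress = {}, set()

    def eff(s):
        if s in memo:
            return memo[s]
        if s in in_progress:
            raise ValueError(f"circular dependency involving {s!r}")
        in_progress.add(s)
        memo[s] = min([priority.get(s, LOW)] + [eff(t) for t in dependents[s]])
        in_progress.discard(s)
        return memo[s]

    return {s: eff(s) for s in deps}


def recovery_order(deps, priority):
    """Kahn's topological sort: a service is restored only once everything it
    needs is back; among the services that are ready, the most urgent goes first."""
    urgency = effective_priority(deps, priority)   # also rejects cycles
    dependents = _dependents(deps)
    remaining = {s: len(needs) for s, needs in deps.items()}
    ready = [s for s, n in remaining.items() if n == 0]
    order = []
    while ready:
        ready.sort(key=lambda s: (urgency[s], s))
        s = ready.pop(0)
        order.append(s)
        for t in dependents[s]:
            remaining[t] -= 1
            if remaining[t] == 0:
                ready.append(t)
    return order


def prerequisites(deps, service):
    """Everything that must be restored before `service` (transitive closure)."""
    seen, stack = set(), [service]
    while stack:
        for d in deps[stack.pop()]:
            if d not in seen:
                seen.add(d)
                stack.append(d)
    return seen


if __name__ == "__main__":
    for i, s in enumerate(recovery_order(DEPENDENCIES, PRIORITY), 1):
        needs = ", ".join(sorted(prerequisites(DEPENDENCIES, s))) or "nothing"
        print(f"{i}. {s}  (needs: {needs})")
```

With the assumed data the planner restores Active Directory first, then SQL Server and MRP (the production line) ahead of DNS and Exchange, and leaves the mail archive and web sites for last, which matches the sequence the case study describes. The practical value is the two failure modes it handles: a low-priority service nobody thought about (here, DNS) is pulled forward because Exchange needs it, and a circular dependency in the map is reported rather than silently producing a partial plan.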
In less than two days Progent restored Active Directory to its pre-attack state. Progent then helped rebuild and recover the storage of essential servers. The Exchange Server schema and attributes in AD were intact, which sped up the Exchange rebuild. Progent was able to collect local Outlook Offline Data Files (.ost) from users' PCs to recover mailbox contents. A reasonably recent offline backup of the customer's accounting/ERP software made it possible to bring those essential applications back online. Although much work remained to recover fully from the Ryuk attack, critical services were returned to operation quickly:
"For the most part, the production manufacturing operation never missed a beat and we did not miss any customer deliverables."
Over the next couple of weeks, key milestones in the restoration were reached through close collaboration between Progent consultants and the client:
- Self-hosted web sites were brought back up with no loss of data.
- The MailStore e-mail archive server, holding more than four million archived messages, was brought online and made accessible to users.
- CRM, customer orders, invoicing, accounts payable, accounts receivable and inventory functions were fully operational.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- Ninety percent of desktops and laptops were fully operational.
"A lot of what happened in the early hours is almost entirely a haze for me, but I will not soon forget the care each of your team took to help get our company back. I have been working with Progent for the past ten years, possibly more, and each time Progent has outperformed my expectations and delivered as promised. This time was a life saver."
A probable business disaster was averted through the efforts of results-oriented professionals, a wide range of technical expertise and close collaboration. In hindsight, the incident described here could have been prevented with modern security controls and ISO/IEC 27001 best practices, user and IT administrator training, sound procedures for protecting information, and timely security patching. Even so, state-sponsored and criminal attackers based in Russia, China and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware attack, remember that Progent's team has a proven track record in ransomware prevention, removal and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and anyone else who was involved), thank you very much for letting me get some rest after we made it through the first week. Everyone made an amazing effort, and if any of your guys is around the Chicago area, a great meal is my treat!"
Download the Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this customer story, click:
Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB)