Ransomware : Your Crippling IT Disaster
Crypto-ransomware has become an all-too-frequent cyberplague that represents an existential threat for businesses unprepared for an attack. Versions of ransomware like the Dharma, Fusob, Locky, SamSam and MongoLock cryptoworms have been around for years and still cause destruction. Newer strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, plus more as yet unnamed variants, not only encrypt on-line data but also infect any system backups they can reach. Data replicated to off-site disaster recovery sites can also be corrupted. In a poorly designed environment, this can render automatic restoration hopeless and effectively sets the datacenter back to square one.
Bringing applications and information back on-line following a ransomware attack becomes a sprint against time as the victim tries its best to contain the damage, clear the ransomware, and resume enterprise-critical activity. Since crypto-ransomware takes time to spread, attacks are often sprung on weekends, when successful penetrations are likely to take more time to identify. This compounds the difficulty of promptly mobilizing and organizing a knowledgeable response team.
Progent makes available a range of support services for protecting Allentown businesses from ransomware penetrations. These include team member training to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of next-generation security appliances with AI capabilities to intelligently detect and suppress zero-day cyber attacks. Progent in addition can provide the assistance of veteran crypto-ransomware recovery engineers with the track record and commitment to restore a compromised environment as quickly as possible.
Progent's Ransomware Recovery Support Services
Following a crypto-ransomware attack, sending the ransom in Bitcoin cryptocurrency does not provide any assurance that the cyber criminals will respond with the keys needed to decipher all your information. Kaspersky estimated that seventeen percent of ransomware victims never recovered their files after having paid the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the usual ransomware demands, which ZDNET determined to be around $13,000 for smaller businesses. The fallback is to set up from scratch the mission-critical parts of your Information Technology environment. Absent complete data backups, this calls for a wide complement of skills, top-notch project management, and the willingness to work continuously until the task is over.
For two decades, Progent has offered expert Information Technology services for businesses across the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have earned high-level industry certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have earned internationally recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience with financial management and ERP application software. This breadth of experience gives Progent the ability to efficiently identify critical systems, organize the remaining pieces of your network environment following a crypto-ransomware penetration, and rebuild them into an operational network.
Progent's security group has state-of-the-art project management tools to coordinate the complicated recovery process. Progent knows the importance of acting quickly and together with a client's management and IT team members to prioritize tasks and to get critical applications back on line as fast as humanly possible.
Business Case Study: A Successful Ransomware Attack Recovery
A business engaged Progent after their network was taken down by the Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state-sponsored cybercriminals, possibly adopting techniques leaked from America's National Security Agency. Ryuk targets specific organizations with little or no ability to sustain operational disruption and is among the most lucrative versions of ransomware malware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business based in the Chicago metro area with around 500 staff members. The Ryuk penetration had paralyzed all business operations and manufacturing capabilities. The majority of the client's backups had been on-line at the beginning of the intrusion and were encrypted. The client was actively seeking loans to pay the ransom demand (exceeding two hundred thousand dollars) and hoping for good luck, but ultimately turned to Progent.
"I can't say enough about the support Progent provided us during the most critical period of (our) business's life. We may have had to pay the cyber criminals behind the attack if it wasn't for the confidence the Progent group gave us. The fact that you were able to get our e-mail and key servers back quicker than 1 week was earth shattering. Each person I interacted with or texted at Progent was hell bent on getting us back on-line and was working non-stop to bail us out."
Progent worked hand in hand with the customer to rapidly assess and prioritize the mission-critical services that had to be addressed in order to restart departmental operations:
- Active Directory
- Accounting and Manufacturing Software
To get going, Progent followed anti-virus incident response industry best practices by isolating the affected systems and performing virus removal steps. Progent then started the work of recovering Windows Active Directory, the foundation of enterprise systems built upon Microsoft technology. Exchange email will not work without Windows AD, and the client's MRP applications leveraged Microsoft SQL Server, which needs Active Directory for access to the information.
In less than 48 hours, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then carried out reinstallations and storage recovery of the needed servers. All Microsoft Exchange Server connections and configuration information were usable, which accelerated the rebuild of Exchange. Progent was able to locate intact OST files (Outlook Offline Data Files) on staff PCs and laptops to recover mail messages. A reasonably recent offline backup of the customer's financials/MRP systems allowed these essential applications to be brought back online. Although a large amount of work remained to recover fully from the Ryuk attack, core systems were returned to operation rapidly:
"For the most part, the production operation survived unscathed and we made all customer sales."
Throughout the next month, critical milestones in the recovery project were reached in tight cooperation between Progent team members and the customer:
- Self-hosted web sites were returned to operation without losing any data.
- The MailStore Microsoft Exchange Server with over four million historical messages was spun up and available for users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory functions were completely restored.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- Ninety percent of the desktop computers were back into operation.
"Much of what occurred those first few days is nearly entirely a haze for me, but we will not forget the dedication all of the team put in to help get our business back. I've entrusted Progent for at least 10 years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This time was the most impressive ever."
A likely business catastrophe was averted thanks to results-oriented experts, a wide range of technical expertise, and close teamwork. In hindsight, the ransomware penetration described here should have been blocked by current cyber security technology, NIST Cybersecurity Framework best practices, team training, well-designed incident response procedures for information protection, and proper patching controls. The reality, however, is that government-sponsored hackers from China, North Korea and elsewhere are relentless and will keep trying. If you do get hit by a ransomware incident, remember that Progent's team of experts has a proven track record in crypto-ransomware blocking, cleanup, and information systems recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thanks very much for letting me get rested after we got over the first week. All of you did an impressive job, and if any of your guys is around the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)