Ransomware : Your Feared IT Disaster
Ransomware has become a too-frequent cyber pandemic that represents an extinction-level threat for businesses vulnerable to an attack. Multiple generations of crypto-ransomware such as Dharma, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for years and continue to inflict damage. More recent strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, plus daily as yet unnamed malware, not only encrypt online files but also infect all configured system protection mechanisms. Data synced to cloud environments can also be corrupted. In a poorly designed environment, this can render automated restoration hopeless and effectively sets the network back to square one.
Getting services and data back online after a ransomware event becomes a race against time as the targeted organization struggles to stop the spread, eradicate the ransomware and restore business-critical activity. Because crypto-ransomware requires time to replicate, assaults are often sprung during weekends and nights, when penetrations may take longer to discover. This compounds the difficulty of promptly mobilizing and orchestrating a capable mitigation team.
Progent offers a variety of help services for protecting Allentown businesses from ransomware penetrations. These include team education to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of the latest generation security appliances with artificial intelligence capabilities to automatically detect and quarantine zero-day cyber threats. Progent in addition offers the assistance of veteran ransomware recovery consultants with the skills and perseverance to rebuild a compromised network as urgently as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware penetration, paying the ransom in Bitcoin cryptocurrency does not provide any assurance that the cyber hackers will respond with the keys needed to decrypt any or all of your information. Kaspersky Labs estimated that seventeen percent of ransomware victims never restored their information even after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET determined to be around $13,000 for small organizations. The alternative is to set up the vital parts of your Information Technology environment from scratch. Absent access to essential information backups, this requires a wide complement of skills, professional team management, and the capability to work 24x7 until the job is finished.
For decades, Progent has offered professional IT services for companies throughout the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have attained top certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have garnered internationally recognized industry certifications including CISA, CISSP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent in addition has experience in financial systems and ERP application software. This breadth of experience gives Progent the ability to quickly determine the necessary systems, re-organize the surviving pieces of your Information Technology system after a ransomware attack, and configure them into a functioning network.
Progent's security group has best of breed project management tools to coordinate the sophisticated recovery process. Progent knows the importance of acting swiftly and in concert with a client's management and Information Technology resources to assign priority to tasks and to get critical systems back online as fast as humanly possible.
Case Study: A Successful Crypto-Ransomware Virus Response
A customer contacted Progent after their company was crippled by the Ryuk crypto-ransomware. Ryuk is believed to have been launched by North Korean government-sponsored criminal gangs, suspected of adopting techniques leaked from America's NSA. Ryuk targets specific organizations with little room for operational disruption and is among the most profitable examples of ransomware malware. Major targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturer based in the Chicago metro area with about 500 employees. The Ryuk attack had shut down all company operations and manufacturing capabilities. Most of the client's system backups had been on-line at the start of the attack and were destroyed. The client was evaluating paying the ransom demand (more than $200,000) and hoping for the best, but in the end reached out to Progent.
"I cannot say enough about the support Progent provided us throughout the most stressful time of (our) business's existence. We may have had to pay the cyber criminals behind the attack if it wasn't for the confidence the Progent experts afforded us. The fact that you could get our e-mail system and key applications back on-line quicker than seven days was something I thought impossible. Each person I spoke to or communicated with at Progent was laser focused on getting us back online and was working non-stop on our behalf."
Progent worked hand in hand with the customer to rapidly understand and assign priority to the key services that had to be addressed in order to restart business functions:
- Active Directory (AD)
- MRP System
To get going, Progent followed anti-virus incident mitigation best practices by isolating and cleaning up compromised systems. Progent then began the process of bringing Active Directory back online, the core of enterprise environments built upon Microsoft technology. Microsoft Exchange Server messaging will not operate without AD, and the business's financials and MRP applications utilized SQL Server, which requires Windows AD for access to the data.
Within 2 days, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then completed reinstallations and storage recovery of essential applications. All Exchange ties and configuration information were intact, which greatly helped the restoration of Exchange. Progent was able to locate local OST files (Outlook offline data files) on user PCs and laptops to recover mail data. A recent offline backup of the business's financials/MRP systems made it possible to bring these vital services back on-line. Although major work remained to recover completely from the Ryuk damage, the most important systems were restored rapidly:
"For the most part, the manufacturing operation never missed a beat and we delivered all customer orders."
Over the following couple of weeks important milestones in the recovery project were achieved through tight collaboration between Progent consultants and the client:
- Internal web applications were brought back up without losing any data.
- The MailStore Server containing more than 4 million archived messages was spun up and accessible to users.
- CRM/Orders/Invoicing/AP/AR/Inventory modules were 100% functional.
- A new Palo Alto 850 security appliance was brought on-line.
- 90% of the user desktops were operational.
"A lot of what was accomplished during the initial response is mostly a fog for me, but my management will not forget the countless hours each of the team accomplished to help get our business back. I've utilized Progent for the past ten years, possibly more, and each time I needed help Progent has shined and delivered. This situation was a life saver."
A probable business extinction catastrophe was averted with top-tier experts, a broad range of technical expertise, and tight collaboration. Although in post mortem the crypto-ransomware penetration described here would have been stopped by modern security technology and ISO/IEC 27001 best practices, team training, and well-designed incident response procedures for data backup and software patching, the fact is that government-sponsored hackers from Russia, North Korea and elsewhere are relentless and will continue. If you do fall victim to a ransomware incursion, feel confident that Progent's roster of experts has a proven track record in ransomware defense, mitigation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were helping), thank you for allowing me to get some sleep after we made it through the initial push. Everyone did an amazing job, and if anyone is in the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer story, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)