Ransomware : Your Feared Information Technology Catastrophe
Ransomware has become a modern cyber pandemic that represents an extinction-level threat for businesses of all sizes vulnerable to an attack. Versions of ransomware like the Dharma, Fusob, Locky, NotPetya and MongoLock cryptoworms have been running rampant for years and still inflict harm. More recent variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, along with daily unnamed malware, not only encrypt online data but also corrupt every system backup they can reach. Files synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly designed environment, this can make automated restore operations impossible and effectively sets the network back to square one.
Recovering applications and information after a ransomware attack becomes a race against the clock as the targeted organization struggles to stop lateral movement, clear the crypto-ransomware, and restore enterprise-critical activity. Because ransomware needs time to move laterally, attacks are often sprung on weekends and holidays, when a successful attack may take longer to recognize. This multiplies the difficulty of rapidly mobilizing and orchestrating a knowledgeable mitigation team.
Progent offers an assortment of support services for securing Anaheim enterprises from ransomware attacks. These include team training to help identify and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of next-generation security solutions with AI technology to quickly detect and disable new cyber attacks. Progent can also provide the services of veteran ransomware recovery engineers with the track record and perseverance to reconstruct a breached environment as rapidly as possible.
Progent's Ransomware Recovery Services
Following a ransomware penetration, even paying the ransom in Bitcoin cryptocurrency does not provide any assurance that criminal gangs will respond with the keys to decrypt any or all of your information. Kaspersky Labs determined that seventeen percent of ransomware victims never restored their data after having sent off the ransom, resulting in further losses. The gamble is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is far higher than the typical ransomware demand, which ZDNET determined to be approximately $13,000 for smaller businesses. The fallback is to set up the critical components of your IT environment from scratch. Absent access to complete information backups, this requires a broad range of skills, professional project management, and the capability to work continuously until the task is completed.
For decades, Progent has provided expert Information Technology services for companies throughout the U.S. and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have attained high-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have garnered internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent in addition has expertise with accounting and ERP applications. This breadth of expertise gives Progent the capability to knowledgeably identify critical systems, organize the surviving components of your IT system following a ransomware penetration, and rebuild them into a functioning system.
Progent's team of security experts uses powerful project management tools to coordinate the complex recovery process. Progent appreciates the urgency of acting quickly and working together with a client's management and Information Technology resources to assign priority to tasks and to get key applications back online as soon as possible.
Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A customer hired Progent after their organization was brought down by the Ryuk ransomware. Ryuk is believed to have been created by North Korean government-sponsored criminal gangs, possibly using techniques leaked from America's NSA. Ryuk targets specific companies with limited ability to sustain disruption and is among the most profitable examples of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturer headquartered in Chicago with around 500 staff members. The Ryuk event had paralyzed all essential operations and manufacturing capabilities. Most of the client's information backups had been online at the time of the attack and were damaged. The client considered paying the ransom demand (in excess of $200,000) and hoping for the best, but ultimately brought in Progent.
"I cannot speak enough in regards to the help Progent gave us throughout the most stressful period of (our) company's life. We would have paid the cyber criminals behind the attack if it wasn't for the confidence the Progent experts gave us. That you could get our e-mail and important servers back quicker than seven days was incredible. Every single person I got help from or communicated with at Progent was absolutely committed to getting us working again and was working all day and night to bail us out."
Progent worked with the customer to rapidly identify and prioritize the critical elements that needed to be addressed in order to continue business functions:
To start, Progent followed anti-virus/malware incident response best practices by isolating and cleaning infected systems. Progent then began the process of rebuilding Windows Active Directory, the foundation of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange messaging will not work without Windows AD, and the client's accounting and MRP system used Microsoft SQL Server, which relies on Active Directory for authentication to the data.
- Windows Active Directory
In less than 48 hours, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then reinstalled essential applications and recovered their data from surviving hard drives. All Exchange Server links and attributes in Active Directory were intact, which facilitated the rebuild of Exchange. Progent was also able to find unencrypted OST files (Outlook Offline Data Files) on various workstations to recover mail data. A recent offline backup of the client's manufacturing systems made it possible to bring these essential services back online. Although significant work remained to recover fully from the Ryuk attack, the most important services were restored rapidly:
"For the most part, the production line operation did not miss a beat and we produced all customer sales."
Over the following month important milestones in the restoration process were accomplished through close cooperation between Progent team members and the client:
- Self-hosted web applications were restored with no loss of information.
- The MailStore Microsoft Exchange Server with over 4 million archived emails was spun up and available for users.
- CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory functions were completely functional.
- A new Palo Alto 850 firewall was deployed.
- Most of the desktop computers were being used by staff.
"So much of what occurred those first few days is mostly a fog for me, but our team will not soon forget the dedication all of the team accomplished to give us our business back. I have been working with Progent for the past ten years, possibly more, and every time Progent has impressed me and delivered. This time was a life saver."
A potential business-ending disaster was averted by top-tier professionals, a wide array of knowledge, and close teamwork. Although in retrospect the ransomware attack described here should have been prevented with advanced cyber security solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and appropriate procedures for data backup and for keeping systems up to date with security patches, the fact remains that government-sponsored cyber criminals from China, North Korea and elsewhere are relentless and an ongoing threat. If you do fall victim to a crypto-ransomware incursion, remember that Progent's team of experts has a proven track record in ransomware blocking, removal, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were involved), thank you for allowing me to get rested after we got past the initial push. All of you did an impressive effort, and if any of you guys are around the Chicago area, a great meal is my treat!"
Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)