Ransomware: Your Feared IT Nightmare
Ransomware has become a modern cyberplague that presents an existential threat to any business vulnerable to attack. Multiple generations of ransomware, including the Reveton, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms, have run rampant for years and still cause destruction. Modern crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, along with as yet unnamed newcomers appearing daily, not only encrypt online data but also seek out and corrupt any configured system restore points and backups. Data synced to cloud environments can also be ransomed. On a vulnerable system this renders automatic restoration hopeless and effectively knocks the entire environment back to zero.
Restoring services and data after a crypto-ransomware outage becomes a race against time as the targeted business struggles to contain the damage, clear the ransomware, and bring mission-critical activity back. Because ransomware takes time to move laterally, attacks are often sprung at night, when they take longer to detect. This compounds the difficulty of rapidly mobilizing and orchestrating an experienced response team.
Progent offers an assortment of support services for securing Atlanta enterprises against ransomware attacks. These include team training to recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of the latest generation of security appliances with machine learning technology to intelligently discover and quarantine zero-day cyber threats. Progent also offers the assistance of experienced ransomware recovery engineers with the track record and perseverance to re-deploy a compromised environment as rapidly as possible.
Progent's Crypto-Ransomware Restoration Support Services
After a crypto-ransomware event, even paying the ransom in cryptocurrency does not guarantee that the criminals will return the keys needed to decrypt any or all of your files. Kaspersky Labs estimated that 17% of ransomware victims never recovered their files after sending off the ransom, compounding their losses. Paying is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the average ransomware demand, which ZDNET determined to be approximately $13,000 for small organizations. The other path is to rebuild the essential parts of your IT environment. Without full system backups, this calls for a wide complement of IT skills, top-notch project management, and the ability to work continuously until the job is complete.
For decades, Progent has provided certified expert Information Technology services to companies throughout the United States and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals holding advanced industry certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity experts have earned internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience with accounting and ERP software solutions. This breadth of experience gives Progent the capability to quickly identify critical systems, organize the surviving components of your network following a crypto-ransomware penetration, and configure them back into an operational system.
Progent's security group uses powerful project management systems to coordinate the complicated restoration process. Progent appreciates the urgency of working swiftly and in unison with a customer's management and Information Technology staff to prioritize tasks and get the most important systems back online as soon as humanly possible.
Customer Story: A Successful Ransomware Incident Response
A business escalated to Progent after their company was crippled by Ryuk ransomware. Ryuk is thought to have been created by North Korean state hackers, possibly adopting algorithms leaked from the U.S. National Security Agency. Ryuk targets specific businesses with little room for operational disruption and is among the most profitable ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing business based in Chicago with about 500 employees. The Ryuk penetration had frozen all business operations and manufacturing processes. Most of the client's data backups had been directly accessible at the time of the attack and were damaged. The client was pursuing financing to pay the ransom (more than two hundred thousand dollars) and hoping for good luck, but ultimately called Progent.
"I can't tell you enough about the help Progent gave us during the most stressful period of (our) business's life. We would have paid the criminal gangs if it wasn't for the confidence the Progent experts gave us. The fact that you were able to get our e-mail and essential servers back into operation sooner than 1 week was beyond my wildest dreams. Every single consultant I talked with or communicated with at Progent was absolutely committed to getting us back on-line and was working at all hours to bail us out."
Progent worked with the customer to quickly determine and prioritize the critical applications that had to be addressed to make it possible to continue business operations:
- Active Directory
- Electronic Mail
To start, Progent followed industry best practices for malware incident mitigation by isolating the infected systems and performing malware removal. Progent then began restoring Active Directory, the foundation of enterprise networks built on Microsoft Windows technology. Exchange messaging will not function without Windows AD, and the customer's accounting and MRP system used Microsoft SQL Server, which relies on Windows AD for authentication and authorization to the databases.
Within 2 days, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then assisted with setup and storage recovery on the needed servers. All Exchange data and attributes were usable, which accelerated the rebuild of Exchange. Progent was also able to gather intact OST files (Outlook Offline Data Files) from user workstations and laptops to recover mail messages. A recent offline backup of the business's financials/MRP software made it possible to return these essential services to users. Although a large amount of work remained to recover completely from the Ryuk event, essential services were returned to operation quickly:
"For the most part, the manufacturing operation never missed a beat and we made all customer deliverables."
Over the next couple of weeks, critical milestones in the restoration process were achieved through tight collaboration between Progent consultants and the customer:
- Internal web applications were brought back up without losing any information.
- The MailStore Microsoft Exchange Server with over 4 million historical messages was brought online and available for users.
- CRM/Orders/Invoices/AP/Accounts Receivables (AR)/Inventory Control capabilities were 100% restored.
- A new Palo Alto 850 firewall was set up.
- 90% of the user workstations were back into operation.
"A lot of what was accomplished that first week is mostly a blur for me, but I will not forget the urgency each and every one of your team put in to give us our company back. I've utilized Progent for the past 10 years, maybe more, and each time I needed help Progent has impressed me and delivered. This situation was a Herculean accomplishment."
A potential business disaster was averted through the efforts of hard-working experts, a wide range of IT skills, and close collaboration. Although the post-mortem showed that the ransomware penetration described here would have been blocked by modern security solutions and security best practices, staff training, and well-thought-out procedures for data backup and patching controls, the fact remains that government-sponsored hackers from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do get hit by ransomware, you can be confident that Progent's team of experts has a proven track record in ransomware blocking, cleanup, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), I'm grateful for allowing me to get some sleep after we got through the first week. Everyone did an incredible job, and if anyone is visiting the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)