Ransomware: Your Feared Information Technology Catastrophe
Crypto-ransomware has become a modern cyber pandemic that presents an extinction-level threat for businesses of all sizes vulnerable to an attack. Earlier strains of crypto-ransomware such as Reveton, CryptoWall, Locky, NotPetya and the MongoLock cryptoworm have been circulating for a long time and continue to inflict harm. Newer strains like Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Nephilim, along with unnamed malware that appears daily, not only encrypt online files but also attack any backups they can reach. Files synchronized to the cloud can also be encrypted. In a poorly architected data protection solution, this can make automated restoration impossible and effectively sets the entire system back to square one.
Getting applications and data back online after a ransomware event becomes a race against time as the targeted organization struggles to stop the spread, remove the ransomware, and restore business-critical operations. Because crypto-ransomware takes time to propagate, attacks are often launched during nights and weekends, when intrusions typically take longer to detect. This multiplies the difficulty of promptly mobilizing and coordinating a knowledgeable mitigation team.
Progent provides an assortment of services for protecting Atlanta businesses from ransomware events. These include staff training to recognize and avoid phishing attacks, and ProSight Active Security Monitoring (ASM) for endpoint detection and response, which uses SentinelOne's behavior-based cyberthreat defense to detect and contain zero-day malware attacks. Progent also provides the assistance of expert ransomware recovery engineers with the skills and commitment to reconstruct a compromised system as rapidly as possible.
Progent's Ransomware Recovery Services
After a ransomware attack, even paying the ransom in cryptocurrency does not guarantee that the criminals will provide the keys needed to decrypt all your data. Kaspersky determined that 17% of ransomware victims never recovered their data even after paying the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is far higher than typical crypto-ransomware demands, which ZDNET determined to be approximately $13,000 for smaller businesses. The other path is to piece the mission-critical parts of your IT environment back together. Without access to complete data backups, this requires a wide range of skill sets, top-notch team management, and the willingness to work non-stop until the recovery project is done.
For twenty years, Progent has provided certified expert IT services for businesses across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have earned top certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience in accounting and ERP application software. This breadth of experience gives Progent the skills to quickly identify critical systems after a crypto-ransomware attack and reassemble the surviving components of your network into an operational environment.
Progent's security team uses best-of-breed project management tools to coordinate the complex recovery process. Progent appreciates the urgency of working swiftly and in unison with a customer's management and IT staff to prioritize tasks and to bring key systems back online as soon as humanly possible.
Customer Case Study: A Successful Crypto-Ransomware Intrusion Restoration
A small business hired Progent after their company was attacked by Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state-sponsored hackers, suspected of adopting techniques that were exposed from the United States NSA. Ryuk targets specific companies with little tolerance for disruption and is among the most profitable incarnations of crypto-ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company based in the Chicago metro area with around 500 workers. The Ryuk attack had paralyzed all essential business operations and manufacturing processes. The majority of the client's system backups had been online at the beginning of the intrusion and were destroyed. The client was actively seeking loans to pay the ransom (more than two hundred thousand dollars) and hoping for good luck, but in the end engaged Progent.
"I can't speak enough regarding the support Progent provided us during the most critical time of (our) company's existence. We had little choice but to pay the cyber criminals if not for the confidence the Progent group provided us. The fact that you were able to get our messaging and important applications back online in less than five days was incredible. Each expert I talked with or messaged at Progent was totally committed to getting our company operational and was working at all hours to bail us out."
Progent worked with the client to quickly scope and prioritize the critical areas that had to be recovered in order to resume business operations:
- Active Directory
- Microsoft Exchange Email
- Accounting and Manufacturing Software
To begin, Progent followed industry best practices for malware incident containment by stopping the spread and disinfecting systems. Progent then began rebuilding Active Directory, the foundation of enterprise systems built on Microsoft technology. Microsoft Exchange email will not function without Active Directory, and the customer's MRP system used SQL Server, which relies on Active Directory for authentication and authorization to the data.
In less than two days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then helped rebuild and recover storage for the required systems. All Exchange data and configuration information were usable, which facilitated the rebuild of Exchange. Progent was able to locate intact OST files (Outlook Offline Data Files) on various desktop computers and laptops to recover mail data. A relatively recent offline backup of the customer's accounting/MRP systems made it possible to restore these essential applications to service. Although significant work remained to recover completely from the Ryuk attack, critical systems were recovered rapidly:
"For the most part, the production line operation ran fairly normally throughout and we delivered all customer sales."
Over the next month, important milestones in the restoration project were reached through tight cooperation between Progent consultants and the customer:
- Self-hosted web sites were restored without losing any data.
- The MailStore Server, holding more than 4 million archived emails, was brought back up and made available to users.
- CRM/Orders/Invoices/Accounts Payable/AR/Inventory Control modules were completely functional.
- A new Palo Alto Networks 850 security appliance was set up.
- 90% of user desktops were back in use by staff.
"A huge amount of what happened during the initial response is nearly entirely a haze for me, but my team will not forget the care each of you put in to help get our business back. I've been working with Progent for the past 10 years, maybe more, and each time Progent has outperformed my expectations and delivered as promised. This time was a life saver."
A potential company-ending disaster was averted thanks to hard-working professionals, a wide range of subject matter expertise, and tight collaboration. Although, in hindsight, the ransomware attack described here could have been stopped with up-to-date security technology, recognized best practices, user education, and well-thought-out procedures for backups, software patching, and incident response, the fact remains that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a crypto-ransomware attack, you can be confident that Progent's roster of experts has a proven track record in ransomware blocking, removal, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were helping), I'm grateful for making it so I could get some sleep after we got over the initial push. Everyone made an incredible effort, and if anyone who helped is visiting the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Services in Atlanta
For ransomware system restoration consulting in the Atlanta area, phone Progent at 800-462-8800 or go to Contact Progent.