Ransomware : Your Crippling IT Catastrophe
Crypto-ransomware has become an escalating cyber pandemic that presents an existential danger for businesses of all sizes that are poorly prepared for an attack. Ransomware families such as Reveton, WannaCry, Bad Rabbit, SamSam and the MongoLock cryptoworms have been running rampant for years and still cause destruction. Modern strains such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, plus a steady stream of unnamed newcomers, not only encrypt online data but also attack any backups and system-protection mechanisms they can reach. Files synced to the cloud can also be rendered useless. In a poorly designed system this can make automatic restoration hopeless and effectively knock the network back to zero.
Getting services and data back after a crypto-ransomware attack becomes a race against the clock as the targeted business fights to stop the spread, clean up the ransomware and restore business-critical activity. Because ransomware needs time to move laterally, intrusions are often launched on weekends and holidays, when a successful attack may take longer to discover. This compounds the difficulty of promptly assembling and organizing a knowledgeable response team.
Progent offers a range of support services for protecting Aurora businesses from ransomware events. These include user training to recognize and avoid phishing attempts, and ProSight Active Security Monitoring (ASM) for endpoint detection and response, which uses SentinelOne's behavior-based threat defense to identify and stop zero-day malware attacks. Progent can also provide experienced ransomware recovery engineers with the skills and commitment to rebuild a compromised system as quickly as possible.
Progent's Ransomware Recovery Services
Following a ransomware intrusion, paying the ransom in Bitcoin provides no assurance that the remote criminals will respond with the keys to decrypt all your data. Kaspersky Labs found that 17% of ransomware victims never recovered their information after paying the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000), far above the typical crypto-ransomware demand, which ZDNET put at around $13,000 for small organizations. The other path is to rebuild the essential parts of your IT environment. Without access to complete backups, this requires a broad range of skills, well-coordinated team management, and the capacity to work non-stop until the job is done.
For twenty years, Progent has provided expert IT services to businesses throughout the United States and has earned Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who hold top industry certifications in key technologies from Microsoft, Cisco, VMware, and the popular Linux distributions. Progent's cyber security specialists hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial management and ERP software. This breadth of experience gives Progent the ability to quickly identify the necessary systems, consolidate the remaining pieces of your IT environment after a ransomware intrusion, and configure them into an operational whole.
Progent's ransomware team uses best-of-breed project management tools to coordinate the complex restoration process. Progent understands the urgency of working rapidly and in unison with a client's management and IT staff to prioritize tasks and bring the most important services back online as soon as humanly possible.
Customer Case Study: A Successful Ransomware Penetration Recovery
A business engaged Progent after its organization was brought down by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean government-sponsored criminal gangs, possibly using techniques leaked from the U.S. NSA. Ryuk targets specific businesses with little or no tolerance for disruption and is among the most lucrative strains of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business based in Chicago with about 500 employees. The Ryuk intrusion had halted all company operations and manufacturing. Most of the client's backups had been directly accessible from the network when the attack began and were encrypted. The client was considering paying the ransom (in excess of $200,000) and hoping for the best, but in the end called Progent.
"I cannot say enough about the expertise Progent gave us throughout the most stressful period of (our) business's existence. We most likely would have paid the criminal gangs except for the confidence the Progent experts gave us. That you could get our e-mail system and critical servers back online quicker than seven days was amazing. Every single staff member I worked with or texted at Progent was amazingly focused on getting our company operational and was working non-stop to bail us out."
Progent worked hand in hand with the client to quickly assess and prioritize the essential applications that had to be recovered before company operations could continue:
- Microsoft Active Directory
- Exchange Server
To begin, Progent followed antivirus/malware incident response best practices by isolating the affected systems and cleaning them of malware. Progent then began recovering Windows Active Directory, the heart of enterprise environments built on Microsoft technology. Exchange messaging will not function without Active Directory, and the business's accounting and MRP system ran on SQL Server, which depends on Windows AD for authentication and access to the data.
In less than 48 hours, Progent was able to recover Active Directory services to their pre-attack state. Progent then rebuilt and recovered storage on the critical servers. All Exchange Server schema and configuration information was intact, which greatly helped the rebuild of Exchange. Progent was able to locate intact OST files (Outlook offline data files) on team workstations to recover mailbox contents. A relatively recent offline backup of the business's accounting/ERP systems made it possible to bring these essential applications back online for users. Although a great deal of work remained to recover fully from the Ryuk attack, essential systems were restored quickly:
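The recovery sequence above (isolate and clean first, then Active Directory, then the services that depend on it, restoring only from backups the ransomware could not reach) is a dependency-ordered restore plan. The following Python script is an added example, not Progent's tooling or anything from the case study: it models services, their dependencies, a hypothetical 1-to-5 business-priority scale, and the state of each backup source, then computes a restore order with a topological sort and flags services that have no intact backup to restore from. The environment it builds is constructed to resemble the one in the case study and is not real client data.

```python
"""Dependency-ordered recovery planning (added example; hypothetical data)."""
from dataclasses import dataclass, field


@dataclass
class Service:
    name: str
    depends_on: list = field(default_factory=list)
    priority: int = 5  # hypothetical scale: 1 = most business-critical
    # backup source -> "intact" (unreachable by the attacker) or "encrypted"
    backups: dict = field(default_factory=dict)


def usable_sources(svc):
    """Only backups the ransomware could not reach are worth restoring from."""
    return [src for src, state in svc.backups.items() if state == "intact"]


def plan_restore_order(services):
    """Kahn's algorithm: a service is scheduled only after every service it
    depends on; among the services that are ready, the most business-critical
    one (lowest priority number, then name) goes first."""
    by_name = {s.name: s for s in services}
    for s in services:
        for dep in s.depends_on:
            if dep not in by_name:
                raise ValueError(f"{s.name} depends on unknown service {dep}")
    indegree = {s.name: len(s.depends_on) for s in services}
    dependents = {s.name: [] for s in services}
    for s in services:
        for dep in s.depends_on:
            dependents[dep].append(s.name)
    ready = [n for n, d in indegree.items() if d == 0]
    order = []
    while ready:
        ready.sort(key=lambda n: (by_name[n].priority, n))
        current = ready.pop(0)
        order.append(current)
        for child in dependents[current]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(services):
        # Something never reached indegree 0: a dependency cycle in the model.
        stuck = [n for n in indegree if n not in order]
        raise ValueError("dependency cycle among: " + ", ".join(stuck))
    return order


def blocked_services(services):
    """Services with no intact backup source: they must be rebuilt from scratch
    or recovered from alternative data (e.g. client-side copies)."""
    return [s.name for s in services if not usable_sources(s)]


def sample_environment():
    """Constructed environment loosely modelled on the case study."""
    return [
        Service("Active Directory", [], 1,
                {"online share": "encrypted", "offline backup": "intact"}),
        Service("Exchange Server", ["Active Directory"], 2,
                {"online share": "encrypted", "workstation OST files": "intact"}),
        Service("SQL Server", ["Active Directory"], 2,
                {"offline backup": "intact"}),
        Service("ERP", ["SQL Server"], 1, {"offline backup": "intact"}),
        Service("MailStore", ["Active Directory"], 3, {"archive volume": "intact"}),
        Service("Web sites", [], 4, {"offsite copy": "intact"}),
        # No backup at all: the firewall had to be replaced with a new appliance.
        Service("Firewall", [], 3, {}),
    ]


if __name__ == "__main__":
    env = sample_environment()
    for i, name in enumerate(plan_restore_order(env), 1):
        print(f"{i}. {name}")
    print("no intact backup:", blocked_services(env))
```

Anything reported by `blocked_services` is where the team's time goes into rebuilding rather than restoring, and the restore order shows why Active Directory is always first: everything else is waiting on it.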
"For the most part, the manufacturing operation ran fairly normal throughout and we did not miss any customer sales."
Over the following couple of weeks, critical milestones in the restoration process were completed in close cooperation between Progent team members and the client:
- Self-hosted web sites were returned to operation without losing any data.
- The MailStore Server containing more than 4 million historical emails was spun up and accessible to users.
- CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory Control modules were fully functional.
- A new Palo Alto Networks 850 security appliance was installed.
- Nearly all of the user PCs were operational.
"So much of what was accomplished in the initial days is nearly entirely a fog for me, but I will not soon forget the urgency each and every one of your team accomplished to give us our company back. I have trusted Progent for the past 10 years, possibly more, and every time I needed help Progent has impressed me and delivered as promised. This situation was no exception but maybe more Herculean."
A potential business catastrophe was averted thanks to top-tier professionals, a wide range of knowledge, and tight teamwork. Although in hindsight the ransomware incident described here could have been prevented with up-to-date security solutions and best practices, user and IT administrator training, and properly executed backup and patching procedures, the reality is that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware incident, remember that Progent's team of professionals has extensive experience in ransomware blocking, remediation, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were helping), thanks very much for allowing me to get some sleep after we made it through the initial fire. All of you did an incredible job, and if any of your team is around the Chicago area, dinner is the least I can do!"
Download the Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Expertise in Aurora
For ransomware system recovery services in the Aurora area, phone Progent at 800-462-8800 or go to Contact Progent.