Ransomware : Your Crippling Information Technology Nightmare
Crypto-ransomware has become an all-too-frequent cyber plague that poses an existential danger to businesses of all sizes that are poorly prepared for an attack. Versions of crypto-ransomware like the CryptoLocker, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for years and still inflict harm. Modern variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, along with additional as yet unnamed newcomers, not only encrypt online data files but also defeat many of the system protections in place. Data synced to cloud environments can also be ransomed. In a poorly designed environment, this can make automatic recovery impossible and essentially knocks the entire system back to zero.
Restoring services and data after a crypto-ransomware intrusion becomes a race against the clock as the victim tries its best to stop lateral movement, eradicate the crypto-ransomware, and resume enterprise-critical operations. Because crypto-ransomware needs time to replicate, attacks are usually sprung at night, when penetrations may take more time to discover. This compounds the difficulty of rapidly assembling and orchestrating a qualified mitigation team.
Progent offers an assortment of services for protecting Aurora businesses from ransomware attacks. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security gateways with artificial intelligence technology to rapidly detect and extinguish zero-day cyber threats. Progent also offers the assistance of veteran crypto-ransomware recovery engineers with the talent and perseverance to reconstruct a breached system as quickly as possible.
Progent's Ransomware Recovery Services
After a crypto-ransomware attack, paying the ransom demand in Bitcoin cryptocurrency does not ensure that the cyber criminals will respond with the keys to decrypt all your information. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their information after having paid the ransom, resulting in increased losses. The payment itself is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly above the average crypto-ransomware demand, which ZDNET determined to be in the range of $13,000 for small organizations. The fallback is to piece back together the critical parts of your IT environment. Without access to complete system backups, this calls for a broad complement of skill sets, top-notch team management, and the capability to work 24x7 until the task is complete.
For twenty years, Progent has made available certified expert Information Technology services for businesses throughout the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have earned advanced industry certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have garnered internationally recognized certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial systems and ERP applications. This breadth of experience gives Progent the capability to quickly identify important systems, re-organize the surviving components of your IT system after a ransomware penetration, and rebuild them into an operational system.
Progent's recovery group utilizes state-of-the-art project management applications to orchestrate the complex restoration process. Progent understands the importance of working rapidly and in unison with a customer's management and IT staff to prioritize tasks and to put critical services back on-line as fast as humanly possible.
Case Study: A Successful Crypto-Ransomware Attack Response
A business engaged Progent after their network system was taken over by Ryuk ransomware. Ryuk is believed to have been developed by North Korean state criminal gangs, suspected of using techniques leaked from the U.S. NSA. Ryuk targets specific organizations with limited ability to sustain operational disruption and is one of the most lucrative instances of crypto-ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in the Chicago metro area with about 500 workers. The Ryuk penetration had shut down all company operations and manufacturing processes. Most of the client's backups had been on-line at the beginning of the intrusion and were eventually encrypted. The client was actively seeking loans to pay the ransom demand (in excess of $200,000) and hoping for the best, but ultimately engaged Progent.
"I can't tell you enough about the expertise Progent provided us during the most stressful time of (our) business's life. We had little choice but to pay the hackers, except for the confidence the Progent team afforded us. That you could get our messaging and critical applications back online in less than one week was earth shattering. Each staff member I spoke to or e-mailed at Progent was absolutely committed to getting our company operational and was working at a breakneck pace on our behalf."
Progent worked with the client to quickly identify and prioritize the most important systems that had to be recovered in order to resume business functions:
- Active Directory
- Microsoft Exchange Email
- Accounting and Manufacturing Software
To start, Progent followed industry best practices for malware incident mitigation by stopping lateral movement and performing malware removal steps. Progent then began recovering Windows Active Directory, the core of enterprise systems built on Microsoft technology. Exchange messaging will not work without AD, and the business's financials and MRP applications relied on SQL Server, which depends on Windows AD for authorization of access to the database.
Within 48 hours, Progent was able to restore Windows Active Directory to its pre-virus state. Progent then began setting up and recovering the hard drives of the needed systems. All Exchange data and attributes were usable, which facilitated the restore of Exchange. Progent was also able to collect non-encrypted OST files (Outlook Offline Data Files) from team desktop computers and laptops in order to recover email information. A recent offline backup of the business's financials/MRP systems made it possible to bring these required applications back on-line. Although a lot of work remained to recover completely from the Ryuk virus, critical systems were restored rapidly:
"For the most part, the manufacturing operation did not miss a beat and we made all customer sales."
Throughout the following month key milestones in the recovery project were made through close cooperation between Progent engineers and the customer:
- Self-hosted web sites were brought back up with no loss of data.
- The MailStore Exchange archive server, holding more than four million historical emails, was brought on-line and made accessible to users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivables/Inventory Control functions were 100% restored.
- A new Palo Alto Networks 850 security appliance was set up and programmed.
- Nearly all of the user desktops and notebooks were operational.
"Much of what went on in the initial days is nearly entirely a haze for me, but we will not forget the urgency all of you put in to give us our company back. I've been working together with Progent for the past ten years, maybe more, and each time Progent has shined and delivered as promised. This event was a testament to your capabilities."
A potentially business-killing disaster was averted thanks to dedicated professionals, a wide spectrum of technical expertise, and close teamwork. Forensics completed after the fact showed that the ransomware attack described here could have been identified and prevented with modern security solutions and ISO/IEC 27001 best practices, user education, and well-designed procedures for data backup and patching controls; nevertheless, government-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and remain an ongoing threat. If you do fall victim to a ransomware penetration, remember that Progent's team of professionals has a proven track record in ransomware virus blocking, remediation, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), I'm grateful for letting me get rested after we got past the most critical parts. Everyone made an amazing effort, and if any of your guys are visiting the Chicago area, dinner is the least I can do!"
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this customer story, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)