Ransomware: Your Crippling Information Technology Catastrophe
Ransomware has become a modern cyberplague that represents an existential threat to businesses of all sizes that are unprepared for an attack. Iterations of ransomware such as the Dharma, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for years and continue to inflict harm. More recent families such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, along with the unnamed variants that appear daily, not only encrypt online data files but also compromise every system protection mechanism they can reach. Files synchronized to cloud environments can also be ransomed. In a poorly designed environment, this can render automated recovery impossible and effectively sets the entire system back to square one.
Retrieving programs and information after a ransomware attack becomes a race against the clock as the victim tries to contain the damage, eradicate the ransomware, and resume business-critical activity. Because ransomware takes time to spread, attacks are frequently launched on weekends, when successful intrusions tend to take longer to identify. This multiplies the difficulty of quickly mobilizing and organizing a qualified mitigation team.
Progent offers a variety of services for securing Barra da Tijuca enterprises against crypto-ransomware penetrations. Among these are team member training to help staff recognize and avoid phishing exploits, and ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR), which uses SentinelOne's AI-based cyberthreat defense to identify and suppress zero-day malware attacks. Progent also offers the services of experienced ransomware recovery consultants with the skills and perseverance to reconstruct a compromised system as rapidly as possible.
Progent's Crypto-Ransomware Restoration Services
After a ransomware event, sending the ransom in Bitcoin cryptocurrency does not guarantee that the cyber criminals will respond with the keys to decrypt any or all of your files. Kaspersky Labs determined that 17% of ransomware victims never restored their information even after paying the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is far above the average ransomware demand, which ZDNET determined to be around $13,000 for smaller organizations. The fallback is to piece back together the key components of your IT environment. Without full data backups, this requires a wide complement of skills, well-coordinated team management, and the willingness to work 24x7 until the job is finished.
For twenty years, Progent has offered professional Information Technology services for companies throughout the US and has achieved Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have attained high-level certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with financial management and ERP application software. This breadth of experience gives Progent the skills to quickly identify the necessary systems, integrate the surviving parts of your IT environment after a ransomware penetration, and configure them into a functioning network.
Progent's security team uses top-notch project management tools to coordinate the complex restoration process. Progent understands the urgency of working rapidly and in unison with a customer's management and IT resources to prioritize tasks and to put the most important services back online as soon as possible.
Customer Story: A Successful Ransomware Virus Response
A small business contacted Progent after the company was brought down by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean government-sponsored hackers, suspected of adopting techniques leaked from America's National Security Agency. Ryuk targets specific organizations with little or no ability to sustain disruption and is among the most profitable iterations of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in the Chicago metro area with about 500 employees. The Ryuk event had brought down all company operations and manufacturing processes. The majority of the client's backups had been online at the start of the attack and were damaged. The client was pursuing financing to pay the ransom (exceeding $200,000) and hoping for the best, but in the end engaged Progent.
"I can't tell you enough about the care Progent provided us during the most fearful time of (our) business's survival. We may have had to pay the cyber criminals behind the attack except for the confidence the Progent group provided us. The fact that you could get our messaging and critical servers back online in less than a week was earth shattering. Every single expert I interacted with or texted at Progent was urgently focused on getting us restored and was working 24x7 on our behalf."
Progent worked with the customer to quickly understand and prioritize the essential areas that needed to be recovered to make it possible to resume departmental operations:
- Microsoft Active Directory
- Electronic Messaging
- Accounting and Manufacturing Software
To begin, Progent followed malware incident mitigation best practices by isolating and cleaning infected systems. Progent then started the work of recovering Windows Active Directory, the heart of enterprise networks built on Microsoft Windows technology. Exchange messaging will not operate without Windows AD, and the business's financials and MRP software ran on Microsoft SQL Server, which depends on Active Directory for security authorization to the data.
Within two days, Progent was able to recover Active Directory services to their pre-intrusion state. Progent then charged ahead with setup and hard drive recovery on mission-critical servers. All Microsoft Exchange Server links and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to collect local OST data files (Microsoft Outlook Offline Folder Files) from user workstations and laptops in order to recover email data. A fairly recent offline backup of the client's financials/MRP software made it possible to bring these vital applications back online. Although much work remained to recover fully from the Ryuk damage, the most important services were restored quickly:
"For the most part, the production line operation showed little impact and we produced all customer shipments."
During the next couple of weeks, important milestones in the restoration project were achieved in close cooperation between Progent team members and the customer:
- Self-hosted web sites were restored without losing any data.
- The MailStore Exchange Server containing more than 4 million historical emails was brought online and accessible to users.
- CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables/Inventory Control functions were fully restored.
- A new Palo Alto 850 security appliance was set up.
- Nearly all of the desktops and laptops were operational.
"A lot of what went on in the initial days is nearly entirely a blur for me, but I will not forget the urgency each and every one of your team accomplished to give us our company back. I've been working together with Progent for at least 10 years, maybe more, and every time I needed help Progent has come through and delivered. This time was a stunning achievement."
A potential business extinction event was avoided by dedicated professionals, a broad range of technical expertise, and close collaboration. In hindsight, the ransomware attack described here should have been blocked by modern cyber security technology and best practices: staff training, well-thought-out procedures for data backup, and proper patching controls. The reality, however, is that state-sponsored hackers from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware attack, remember that Progent's team of experts has proven experience in ransomware defense, removal, and data recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thank you for allowing me to get rested after we got over the initial fire. Everyone made an impressive effort, and if any of your guys is in the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer case study, please click: Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Recovery Expertise in Barra da Tijuca
For ransomware system restoration consulting services in the Barra da Tijuca area, call Progent at 800-462-8800 or visit Contact Progent.