Ransomware: Your Worst IT Catastrophe
Ransomware has become an escalating cyber pandemic and an existential threat for any business exposed to an attack. Multiple generations of ransomware families such as CrySIS, CryptoWall, Bad Rabbit, Syskey and MongoLock have been circulating for years and continue to cause harm. More recent strains such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, Snatch and Egregor, along with many less-publicized variants, do not simply encrypt online files: they also go after every backup and system-protection mechanism they can reach. Data replicated to off-site disaster recovery sites can be encrypted as well if the replication path is reachable from the compromised network. In a poorly designed environment this makes automated restore impossible and effectively knocks the network back to zero.
Recovering services and data after a ransomware attack is a race against time as the targeted organization struggles to stop lateral movement, eradicate the malware, and resume mission-critical operations. Because crypto-ransomware needs time to spread laterally before the encryption phase is triggered, attacks are often detonated at night or over a weekend, when an intrusion typically goes undetected for longer. This multiplies the difficulty of rapidly assembling and coordinating a capable response team.
Progent offers a range of services for protecting Barra da Tijuca businesses from ransomware intrusions. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern AI-based security products that can quickly detect and contain zero-day threats. Progent also provides veteran ransomware recovery consultants with the skills and persistence to rebuild a compromised environment as quickly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware intrusion, paying the ransom demand in Bitcoin provides no assurance that the criminals will hand over the keys needed to decrypt any of your files. Kaspersky Lab found that 17% of crypto-ransomware victims never recovered their files even after paying, compounding their losses. The gamble is also very expensive. Ryuk ransoms commonly range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time), far above the typical demand, which ZDNet put at around $13,000 for small organizations. The other path is to piece the key components of your IT environment back together. Without usable system backups, this calls for a broad mix of skill sets, professional project management, and the ability to work around the clock until the job is done.
For two decades, Progent has delivered expert IT services to companies across the United States and holds Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who hold high-level certifications in foundation technologies from Microsoft, Cisco and VMware and in the popular Linux distributions. Progent's security engineers hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC (see Progent's certifications). Progent also has experience with financial systems and ERP software. This breadth of experience lets Progent quickly understand the systems that matter, salvage the surviving pieces of your IT environment after a ransomware intrusion, and assemble them into a working whole.
Progent's security group uses project management systems to coordinate the complex restoration process. Progent understands the importance of acting quickly, working alongside the client's management and IT staff to prioritize tasks and bring essential applications back online as soon as possible.
Customer Case Study: A Successful Crypto-Ransomware Incident Restoration
A small business engaged Progent after being hit by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, but later analysis tied its operation to Russian-speaking criminal groups; some early reports also speculated that it drew on techniques from the leaked NSA tool set, though that link was never firmly established. Ryuk targets specific organizations with little or no tolerance for downtime and is among the most lucrative crypto-ransomware families. Publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and Tribune Publishing, publisher of the Chicago Tribune. Progent's client is a single-location manufacturing business in Chicago with about 500 employees. The Ryuk intrusion had shut down all business operations and manufacturing. Most of the client's backups had been online when the attack began and were encrypted along with the production data. The client was arranging financing to pay the ransom (more than $200,000) and hoping for the best, but ultimately engaged Progent instead.
"I can't say enough in regards to the expertise Progent provided us throughout the most fearful period of (our) business's survival. We had little choice but to pay the Hackers if it wasn't for the confidence the Progent team afforded us. That you were able to get our e-mail system and critical applications back in less than 1 week was something I thought impossible. Every single expert I interacted with or messaged at Progent was amazingly focused on getting us back online and was working 24/7 to bail us out."
Progent worked with the client to quickly scope and prioritize the most important systems that had to be recovered before business functions could restart:
- Microsoft Active Directory
- Electronic Messaging
First, Progent followed incident response best practices by containing lateral movement and cleaning up infected systems. Progent then began restoring Microsoft Active Directory, the core of any enterprise environment built on Windows. Exchange cannot run without Active Directory, and the business's accounting and MRP applications ran on Microsoft SQL Server, which relied on Active Directory to authenticate users to the data.
In less than two days, Progent restored Active Directory to its pre-attack state. Progent then completed reinstallations and storage recovery on the required systems. The Exchange Server objects and configuration data in Active Directory were intact, which simplified the Exchange rebuild. Progent was also able to locate local OST files (Outlook Offline Data Files) on staff workstations and laptops and use them to recover mailbox data. A recent offline backup of the accounting/MRP software made it possible to bring those essential services back online for users. Although substantial work remained before the recovery from the Ryuk attack was complete, essential services were restored quickly:
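The OST recovery step above is the kind of task a responder scripts rather than does by hand. The following PowerShell sweep is an added example, not Progent's tooling or anything from the case study: it inventories OST files on a list of Windows workstations over the C$ admin share, records size and last-write time, and flags files that Ryuk renamed with its .RYK suffix or that were rewritten after the attack began, so the team can see which local mail caches are worth feeding back into the Exchange rebuild. It assumes the account running it has local admin rights on the endpoints, that the admin share is reachable, and that the hosts have already been contained; the computer list, attack start time and report path are parameters you supply.

```powershell
# Added example: inventory Outlook OST caches on workstations after containment.
# Assumptions: local admin on each endpoint, C$ admin share reachable, the
# attacker's access already cut off (never sweep a still-live intrusion).
param(
    # Workstations to sweep, e.g. from an AD export once AD is back.
    [Parameter(Mandatory)][string[]]$ComputerName,
    # Best estimate of when the intrusion began; OST files rewritten after
    # this point are suspect even if their extension looks normal.
    [Parameter(Mandatory)][datetime]$AttackStart,
    [string]$ReportPath = ".\ost-inventory.csv"
)

$results = foreach ($pc in $ComputerName) {
    if (-not (Test-Connection -ComputerName $pc -Count 1 -Quiet)) {
        Write-Warning "$pc unreachable, skipping"
        continue
    }
    $usersRoot = "\\$pc\C$\Users"
    if (-not (Test-Path $usersRoot)) {
        Write-Warning "$pc: no access to C$"
        continue
    }

    # Outlook stores each profile's OST under %LOCALAPPDATA%\Microsoft\Outlook.
    # Match '*.ost*' rather than '*.ost' so renamed (encrypted) copies are found too.
    Get-ChildItem -Path "$usersRoot\*\AppData\Local\Microsoft\Outlook" -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*.ost*' } |
        ForEach-Object {
            # Ryuk appends .RYK to files it encrypts; an OST carrying that suffix
            # is unusable, and one rewritten after the attack started may be too.
            $encrypted = $_.Extension -ieq '.ryk'
            $suspect   = $encrypted -or ($_.LastWriteTime -gt $AttackStart)
            [pscustomobject]@{
                Computer  = $pc
                User      = ($_.FullName -split '\\')[5]   # \\pc\C$\Users\<user>\...
                File      = $_.FullName
                SizeMB    = [math]::Round($_.Length / 1MB, 1)
                LastWrite = $_.LastWriteTime
                Encrypted = $encrypted
                Suspect   = $suspect
            }
        }
}

# Intact caches first, largest first, so the most mail is recovered soonest.
$results | Sort-Object Suspect, SizeMB -Descending | Export-Csv -Path $ReportPath -NoTypeInformation
$results | Group-Object Suspect | ForEach-Object {
    $label = if ($_.Name -eq 'True') { 'suspect' } else { 'intact' }
    "{0,-8} {1,5} OST file(s)" -f $label, $_.Count
}
```

Run it as `.\ost-sweep.ps1 -ComputerName (Get-Content .\workstations.txt) -AttackStart '2019-03-15 22:00'` (hypothetical names and date). Copy the intact OST files to a quarantined share before touching the workstations further: reimaging a machine, or letting a rebuilt Outlook profile connect, will overwrite the cache you are trying to save.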
"For the most part, the production operation showed little impact and we did not miss any customer sales."
Over the following month, the key milestones of the recovery project were reached through close cooperation between Progent consultants and the customer:
- Internal web applications were restored with no loss of data.
- The MailStore Server containing more than 4 million historical emails was brought online and accessible to users.
- CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory modules were fully restored.
- A new Palo Alto Networks 850 firewall was brought online.
- Most of the desktops and laptops were operational.
"A lot of what was accomplished in the initial days is mostly a blur for me, but our team will not soon forget the care each and every one of your team accomplished to give us our business back. I've been working together with Progent for at least 10 years, possibly more, and each time I needed help Progent has come through and delivered as promised. This time was a life saver."
A potential business disaster was averted by top-tier professionals, a wide array of technical expertise, and close teamwork. In hindsight, the intrusion described here could have been prevented by up-to-date security controls and ISO/IEC 27001 practices, user and administrator training, properly executed incident response procedures, offline or otherwise isolated backups, and timely security patching. The reality remains, however, that state-sponsored and criminal groups operating from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you are hit by a ransomware attack, remember that Progent's team has substantial experience in ransomware defense, containment, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for letting me get rested after we got over the initial fire. Everyone did an impressive effort, and if anyone is visiting the Chicago area, dinner is my treat!"
Download the Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Services in Barra da Tijuca
For ransomware system restoration consulting in the Barra da Tijuca area, call Progent at 800-462-8800 or go to Contact Progent.