Ransomware: Your Feared IT Nightmare
Ransomware has become an escalating cyber plague that can be an existential threat to any business exposed to an attack. Ransomware families such as Reveton, WannaCry, Locky, SamSam and MongoLock have been in the wild for years and still cause damage. Current crypto-ransomware strains such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, LockBit and Nephilim, along with new variants appearing daily, not only encrypt online files but also seek out and destroy any reachable system restore points and backups. Data replicated to the cloud can be rendered useless as well, because the replica faithfully copies the encrypted files. If the data protection design leaves backups reachable from the compromised network, restoration becomes impossible and the environment is effectively reset to zero.
Recovering services and data after a ransomware outage becomes a race against time as the targeted business fights to stop the spread, clean up the infection, and resume business-critical activity. Because ransomware needs time to spread and encrypt, attacks are often launched at night or on weekends, when they take longer to notice. This multiplies the difficulty of quickly mobilizing and coordinating a capable response team.
Progent offers a range of support services for protecting Belo Horizonte businesses against crypto-ransomware intrusions. These include staff training to help employees recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security appliances that use behavior-based detection to identify and block attacks for which no signature yet exists. Progent can also provide experienced ransomware recovery professionals with the skill and persistence to rebuild a compromised environment as quickly as possible.
Progent's Crypto-Ransomware Restoration Help
After a crypto-ransomware intrusion, paying the ransom in cryptocurrency does not guarantee that the criminals will hand over working keys to decrypt any or all of your files. Kaspersky found that 17 percent of ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15 to 40 BTC ($120,000 to $400,000 at the time). This is far above the typical ransomware demand, which ZDNet put at roughly $13,000 for smaller organizations. The alternative is to rebuild the key components of your IT environment. Without usable system backups, this calls for a broad set of skills, professional project management, and the willingness to work around the clock until the recovery is complete.
For decades, Progent has provided professional IT services for companies throughout the U.S. and has earned Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who hold advanced industry certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity engineers hold widely recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC (visit Progent's certifications). Progent also has expertise in financial management and ERP application software. This breadth of expertise lets Progent efficiently identify the systems that matter, organize the surviving pieces of your IT environment after a ransomware intrusion, and assemble them into a working whole.
Progent's recovery team uses proven project management tools to coordinate the complex restoration process. Progent understands the urgency of working rapidly and in close cooperation with a client's management and IT staff to prioritize tasks and bring critical services back online as fast as possible.
Business Case Study: A Successful Ransomware Intrusion Response
A small business escalated to Progent after being attacked by the Ryuk ransomware. Ryuk was at first attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, but later analysis tied it to Russian-speaking criminal operators. Ryuk targets specific organizations that have little or no tolerance for operational disruption and is one of the most lucrative ransomware operations on record. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing company in the Chicago metro area with around 500 employees. The Ryuk attack had paralyzed all essential business and manufacturing operations. Most of the client's backups were online when the attack began and were destroyed along with the production data. The client considered paying the ransom (in excess of $200K) and hoping for the best, but ultimately reached out to Progent.
"I cannot speak enough about the support Progent gave us during the most critical period of (our) company's existence. We may have had to pay the criminal gangs if it wasn't for the confidence the Progent group afforded us. The fact that you were able to get our messaging and important applications back online sooner than seven days was amazing. Every single staff member I talked with or messaged at Progent was totally committed to getting us back online and was working all day and night to bail us out."
Progent worked with the customer to quickly identify and prioritize the mission-critical services that had to be restored in order to continue business operations:
- Active Directory (AD)
- Exchange Server
To begin, Progent followed incident-response best practices for a malware outbreak: isolating infected hosts to stop lateral movement and cleaning the affected systems. Progent then started recovering Microsoft Active Directory, the foundation of an environment built on Windows Server. Microsoft Exchange will not operate without AD, and the client's MRP software ran on SQL Server, which relied on Active Directory authentication for access to the database.
Within two days, Progent restored Active Directory to its pre-attack state. Progent then pressed ahead with reinstalling critical systems and recovering data from their disks. All Microsoft Exchange Server data and configuration information was intact, which accelerated the Exchange restore. Progent was also able to locate unencrypted Outlook offline data files (OST) on staff PCs and use them to recover mail data. A reasonably recent offline backup of the client's accounting/MRP systems allowed those vital services to be brought back online for users. Although a great deal of work remained before the Ryuk incident was fully resolved, the critical systems were recovered quickly:
"For the most part, the production operation was never shut down and we did not miss any customer shipments."
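The restore described above hinged on two kinds of artifacts: an offline backup that the encryptor could not reach, and OST files on workstations that happened to be untouched. Before relying on any such file, a responder has to confirm it was not itself encrypted, because a replica or archive that was online during the attack may be a faithful copy of ciphertext. The following Python script is an added example and is not Progent's tooling or anything from the case study. It walks a directory, flags files that carry a ransomware-style appended extension, files whose byte entropy looks like ciphertext, OST/PST files that have lost their "!BDN" header, and zip archives that no longer open, and reports which files are safe to use. The extension list is an illustrative assumption and the sample files are constructed for the demonstration.

```python
import math
import os
import tempfile
import zipfile
from collections import Counter
from pathlib import Path

# Extensions appended to encrypted files. Illustrative only (an assumption of
# this example): strains change them, so treat a match as a hint, not proof.
SUSPICIOUS_SUFFIXES = (".ryk", ".locked", ".encrypted")

# Types that must start with a known header. Outlook OST/PST files begin with
# the bytes "!BDN"; an .ost without them has been overwritten or truncated.
EXPECTED_MAGIC = {".ost": b"!BDN", ".pst": b"!BDN"}

ZIP_MAGIC = b"PK\x03\x04"
HIGH_ENTROPY = 7.5        # bits per byte; ciphertext approaches 8.0
SAMPLE_BYTES = 64 * 1024  # only the head of each file is measured


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def zip_opens(path: Path) -> bool:
    """A compressed container is high-entropy by design, so instead of
    measuring it, confirm it actually opens and its CRCs check out."""
    try:
        with zipfile.ZipFile(path) as zf:
            return zf.testzip() is None
    except (zipfile.BadZipFile, EOFError, OSError):
        return False


def classify_file(path: Path) -> dict:
    """Decide whether one file is usable for restore or looks encrypted."""
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    entropy = shannon_entropy(head)
    reasons = []
    if path.name.lower().endswith(SUSPICIOUS_SUFFIXES):
        reasons.append("ransomware-style extension")
    expected = EXPECTED_MAGIC.get(path.suffix.lower())
    if expected is not None and not head.startswith(expected):
        reasons.append(f"missing {expected!r} header for {path.suffix}")
    if head.startswith(ZIP_MAGIC):
        if not zip_opens(path):
            reasons.append("zip header but archive does not open")
    elif entropy >= HIGH_ENTROPY:
        reasons.append(f"entropy {entropy:.2f} bits/byte looks like ciphertext")
    return {"path": str(path), "entropy": round(entropy, 2),
            "usable": not reasons, "reasons": reasons}


def scan_tree(root: Path) -> list:
    """Classify every regular file under `root`, in sorted path order."""
    return [classify_file(p) for p in sorted(root.rglob("*")) if p.is_file()]


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: a clean OST, an OST encrypted in place, a
    renamed encrypted spreadsheet, a text note, a valid zip and a bogus zip."""
    (root / "alice.ost").write_bytes(b"!BDN" + b"\x00" * 4092 + b"mail body " * 600)
    (root / "bob.ost").write_bytes(os.urandom(8192))
    (root / "q3-forecast.xlsx.ryk").write_bytes(os.urandom(8192))
    (root / "readme.txt").write_bytes(b"plain text restore notes\n" * 200)
    with zipfile.ZipFile(root / "archive.zip", "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "offline backup inventory\n" * 200)
    (root / "payroll.zip").write_bytes(ZIP_MAGIC + os.urandom(8192))


def demo() -> dict:
    """Scan the constructed tree; returns {file name: usable} and prints a report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        verdicts = {}
        for r in scan_tree(root):
            name = Path(r["path"]).name
            verdicts[name] = r["usable"]
            status = "OK     " if r["usable"] else "SUSPECT"
            print(status, name, r["entropy"], "; ".join(r["reasons"]))
        return verdicts


if __name__ == "__main__":
    demo()
```

Entropy alone is a weak signal: compressed formats (zip, Office documents, media) are high-entropy by design, which is why the script validates a zip by opening it rather than measuring it, and why a header check is used for OST/PST. In a real engagement the same approach extends to any backup format with a verifiable structure, for example running the backup product's own verify or catalog command against each restore point before scheduling it for use.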
Over the following weeks, the remaining milestones of the restoration project were reached through close collaboration between Progent consultants and the customer:
- Self-hosted web sites were restored without losing any information.
- The MailStore Exchange Server with over 4 million archived emails was brought on-line and accessible to users.
- CRM/Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory Control modules were completely functional.
- A new Palo Alto Networks PA-850 firewall was installed.
- Most of the desktop computers were fully operational.
"So much of what occurred during the initial response is mostly a haze for me, but our team will not soon forget the care all of you put in to help get our company back. I have been working with Progent for the past 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This event was a life saver."
A likely business disaster was averted by results-oriented professionals, a wide range of subject matter expertise, and close collaboration. Post-incident forensics showed that the crypto-ransomware attack described here should have been detected and stopped by current security technology and recognized best practices, by user and IT administrator training, and by properly executed backup and patching controls. Nevertheless, state-sponsored and criminal attackers operating from China, Russia, North Korea and elsewhere are relentless and remain an ongoing threat. If you are hit by a ransomware intrusion, remember that Progent's team has a proven track record in ransomware defense, mitigation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were involved), thanks very much for making it so I could get rested after we made it past the initial push. Everyone did an amazing job, and if any of your guys is in the Chicago area, a great meal is my treat!"
Download the Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)