Ransomware: Your Feared Information Technology Catastrophe
Ransomware has become an all-too-frequent cyber plague that presents an enterprise-level threat to organizations unprepared for an attack. Families such as Dharma, WannaCry, Locky, NotPetya and MongoLock have been running rampant for years and still inflict damage. Modern crypto-ransomware strains such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, plus many lesser-known variants, not only encrypt online data but also seek out and encrypt every backup reachable from the compromised network. Data replicated to off-site disaster recovery sites can be corrupted as well. In a poorly designed data protection solution this renders automatic restore operations useless and effectively sets the network back to square one.
Restoring services and data after a ransomware outage becomes a race against the clock as the victim fights to contain and eradicate the ransomware and resume business-critical operations. Attackers typically spend days moving laterally before detonating, and they usually trigger encryption at night or on weekends, when a successful intrusion takes longer to notice. This multiplies the difficulty of rapidly assembling and coordinating a knowledgeable response team.
Progent offers a variety of services for protecting Beverly Hills businesses from ransomware. These include staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security appliances that use machine learning to rapidly detect and suppress zero-day threats. Progent also offers expert ransomware recovery professionals with the skills and commitment to rebuild a breached environment as quickly as possible.
Progent's Ransomware Recovery Help
After a ransomware event, paying the ransom in cryptocurrency does not guarantee that the criminal gang will deliver working keys to decrypt your data. Kaspersky Labs found that 17% of crypto-ransomware victims never recovered their files after paying, compounding their losses. Paying is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC (roughly $120,000 to $400,000), well above typical ransomware demands, which ZDNet found to average around $13,000 for smaller businesses. The alternative is to rebuild the essential parts of your IT environment from scratch. Without full data backups, this requires a broad range of skills, top-notch project management, and the capacity to work around the clock until the job is done.
For two decades, Progent has provided professional IT services to businesses across the United States and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who hold top certifications in foundation technologies from Microsoft, Cisco and VMware, and in major Linux distributions. Progent's cybersecurity specialists hold internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC and GIAC (see Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of expertise allows Progent to knowledgeably identify critical systems, salvage the surviving pieces of your network after a crypto-ransomware event, and configure them into an operational environment.
Progent's recovery team uses top-notch project management tools to coordinate the complex recovery process. Progent understands the importance of acting rapidly and in concert with a client's management and IT staff to prioritize tasks and bring the most important applications back online as fast as humanly possible.
Customer Story: A Successful Ransomware Attack Response
A business contacted Progent after its network was brought down by Ryuk ransomware. Ryuk is derived from the Hermes ransomware and was initially attributed to North Korean state-sponsored actors on that basis, but later analysis tied its operation to Russian-speaking criminal groups. Ryuk targets specific businesses with limited tolerance for operational disruption and is one of the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer headquartered in Chicago with around 500 staff members. The Ryuk attack had disabled all company operations and manufacturing processes. Most of the client's data backups had been directly accessible from the network at the time of the attack and were encrypted along with everything else. The client was actively seeking loans to pay the ransom (over $200,000) and hoping for good luck, but in the end engaged Progent.
"I cannot speak enough about the care Progent provided us throughout the most stressful period of (our) company's life. We would have paid the criminal gangs if not for the confidence the Progent experts gave us. The fact that you were able to get our e-mail and critical applications back into operation in less than 1 week was incredible. Each staff member I worked with or texted at Progent was totally committed to getting us operational and was working 24/7 to bail us out."
Progent worked hand in hand with the customer to quickly understand and prioritize the critical elements that had to be restored before company operations could resume:
- Active Directory
- Microsoft Exchange Server
- MRP system
To begin, Progent followed ransomware incident response best practices by halting lateral movement and performing malware removal. Progent then started rebuilding Active Directory, the heart of enterprise networks built on Microsoft Windows. Exchange messaging will not work without Active Directory, and the customer's accounting and MRP system ran on SQL Server, which depends on Active Directory for authenticated access to its databases.
In less than 48 hours, Progent was able to restore Active Directory services to their pre-attack state. Progent then pressed ahead with rebuilding critical servers and recovering their disks. All Microsoft Exchange Server links and configuration information were intact, which greatly simplified the Exchange restore. Progent was able to collect local OST files (Outlook offline folder files) from various desktop computers to recover mail. A reasonably recent offline backup of the customer's accounting/ERP system made it possible to bring these vital applications back online for users. Although much work remained to recover fully from the Ryuk damage, critical systems were back quickly:
"For the most part, the assembly line operation never missed a beat and we produced all customer deliverables."
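The OST collection step in the account above is the part of the recovery a practitioner can script. The following PowerShell is an added example, not Progent's own tooling: run on one workstation from an elevated session, it finds Outlook offline folder files under the default cache path, records owner, size, last-write time and a SHA-256 hash, flags files still locked by a running Outlook, and copies the unlocked ones to a staging share. The share path \\recovery01\ost-staging is a placeholder; point it at a location the ransomware could not reach and that workstations can only write to.

```powershell
<#
Added example, not Progent's own tooling: inventory and stage Outlook OST files
on one workstation so mail can be recovered after an Exchange loss.
The staging share \\recovery01\ost-staging is a placeholder.
#>
param(
    [string]$Destination = "\\recovery01\ost-staging",   # placeholder share
    [string[]]$SearchRoots = @(
        "C:\Users\*\AppData\Local\Microsoft\Outlook"       # default Outlook cache
    )
)

# Find every OST under the search roots; -ErrorAction keeps unreadable
# profiles from aborting the run.
$ostFiles = foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Filter *.ost -File -Recurse -ErrorAction SilentlyContinue
}

$inventory = foreach ($f in ($ostFiles | Sort-Object FullName -Unique)) {
    # Outlook holds an exclusive lock on an open OST. A locked file is reported
    # but not copied; collect it after Outlook is closed on that machine.
    $locked = $false
    try {
        $stream = [System.IO.File]::Open($f.FullName, 'Open', 'Read', 'None')
        $stream.Close()
    } catch {
        $locked = $true
    }

    # The profile folder name (C:\Users\<user>\...) identifies the mailbox owner.
    $owner = if ($f.FullName -match '\\Users\\([^\\]+)\\') { $Matches[1] } else { 'unknown' }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Owner         = $owner
        Path          = $f.FullName
        SizeMB        = [math]::Round($f.Length / 1MB, 1)
        LastWriteTime = $f.LastWriteTime
        Locked        = $locked
        SHA256        = if ($locked) { $null } else { (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash }
    }
}

# Stage unlocked files under a per-computer folder, prefixed with the owner
# so the same file name from different profiles cannot collide.
$target = Join-Path $Destination $env:COMPUTERNAME
New-Item -ItemType Directory -Path $target -Force | Out-Null
foreach ($item in ($inventory | Where-Object { -not $_.Locked })) {
    $name = '{0}-{1}' -f $item.Owner, (Split-Path -Path $item.Path -Leaf)
    Copy-Item -Path $item.Path -Destination (Join-Path $target $name)
}

# Write the inventory next to the copies and echo a summary to the console.
$inventory | Export-Csv -Path (Join-Path $target 'ost-inventory.csv') -NoTypeInformation
$inventory | Format-Table Owner, SizeMB, LastWriteTime, Locked -AutoSize
```

The hash lets you verify each copy against the original before the workstation is wiped and reimaged; on multi-gigabyte OST files it is slow, so drop it if time is critical. An OST is a cache tied to the original mailbox profile, so the staged files usually have to be converted (for example to PST) before the mail can be imported into rebuilt mailboxes, and anything that arrived after the last sync with Exchange is not in them. Run the script through Invoke-Command or your RMM tool to cover every desktop rather than visiting each one.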
Over the following couple of weeks, important milestones in the recovery project were reached in close cooperation between Progent consultants and the client:
- Internal web sites were returned to operation with no loss of information.
- The MailStore email archive, containing more than 4 million historical Exchange messages, was brought back up and made available to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory Control capabilities were fully operational.
- A new Palo Alto Networks PA-850 firewall was installed.
- Most desktop computers were back in use by staff.
"A huge amount of what was accomplished those first few days is nearly entirely a blur for me, but my team will not soon forget the dedication each and every one of you put in to help get our company back. I've trusted Progent for at least 10 years, maybe more, and each time Progent has impressed me and delivered. This situation was a testament to your capabilities."
A potentially business-killing catastrophe was averted with top-tier experts, a broad spectrum of subject matter expertise, and close teamwork. The post-mortem showed that the crypto-ransomware intrusion described here would have been detected and prevented by modern security systems and best practices: staff training, properly executed backup procedures that keep copies offline or otherwise unreachable from the production network, and timely security patching. Even so, state-sponsored and criminal attackers from Russia, China and elsewhere are relentless and remain an ongoing threat. If you are hit by a ransomware intrusion, remember that Progent's roster of experts has proven experience in ransomware defense, removal, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were involved), thanks very much for letting me get rested after we made it over the most critical parts. Everyone did an amazing effort, and if anyone that helped is around the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)