Ransomware: Your Worst Information Technology Nightmare
Ransomware has become an escalating cyber pandemic that presents an enterprise-level danger for any business vulnerable to attack. Versions of ransomware such as the Dharma, Fusob, Locky, NotPetya and MongoLock cryptoworms have been around for years and continue to inflict damage. Newer strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, plus a steady stream of as yet unnamed newcomers, not only encrypt critical online data but also seek out and corrupt every reachable system restore point and backup. Files synchronized to cloud environments can also be rendered useless. In a poorly designed system this makes automatic recovery hopeless and effectively sets the network back to square one.
Getting applications and information back online after a crypto-ransomware event becomes a race against time as the targeted organization tries to stop the spread, clean up the malware, and resume business-critical operations. Because ransomware takes time to spread, attacks are usually launched on weekends and holidays, when a successful intrusion is likely to go unnoticed for longer. This multiplies the difficulty of promptly assembling and orchestrating a knowledgeable response team.
Progent offers an assortment of services for protecting Birmingham businesses from crypto-ransomware attacks. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security solutions that use artificial intelligence to automatically detect and contain zero-day threats. Progent also offers the services of veteran crypto-ransomware recovery engineers with the skills and commitment to rebuild a breached network as urgently as possible.
Progent's Ransomware Recovery Services
After a ransomware event, paying the ransom in Bitcoin cryptocurrency provides no assurance that the cyber criminals will respond with the keys to decrypt any or all of your data. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000), significantly above the typical ransomware demand, which ZDNET determined to be around $13,000 for smaller organizations. The alternative is to piece the vital elements of your Information Technology environment back together. Without access to complete system backups, this requires a wide range of skill sets, well-coordinated project management, and the ability to work non-stop until the recovery project is complete.
For decades, Progent has provided professional IT services for businesses throughout the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who hold high-level industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have earned internationally recognized industry certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial systems and ERP applications. This breadth of experience gives Progent the skills to quickly identify critical systems, organize the surviving pieces of your Information Technology environment after a crypto-ransomware penetration, and assemble them into a functioning network.
Progent's ransomware team of experts deploys powerful project management applications to orchestrate the sophisticated recovery process. Progent appreciates the urgency of working rapidly and in unison with a client's management and IT staff to assign priority to tasks and to put the most important services back online as fast as possible.
Customer Story: A Successful Ransomware Intrusion Restoration
A small business engaged Progent after their network was taken over by the Ryuk ransomware virus. Ryuk is thought to have been deployed by North Korean state cybercriminals, suspected of adopting techniques leaked from America's National Security Agency. Ryuk targets specific companies with little tolerance for disruption and is among the most profitable iterations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in the Chicago metro area with about 500 workers. The Ryuk intrusion had paralyzed all business operations and manufacturing capabilities. Most of the client's backups had been directly accessible from the network at the start of the intrusion and were damaged. The client was actively seeking loans to pay the ransom (more than $200,000) and hoping for good luck, but ultimately brought in Progent.
"I cannot thank you enough in regards to the help Progent provided us throughout the most critical period of (our) business's existence. We most likely would have paid the cybercriminals if not for the confidence the Progent team provided us. That you were able to get our e-mail and essential servers back quicker than a week was beyond my wildest dreams. Every single expert I talked with or messaged at Progent was amazingly focused on getting us back on-line and was working 24 by 7 on our behalf."
Progent worked with the client to quickly identify and prioritize the mission-critical services that had to be restored in order to resume company operations:
- Active Directory (AD)
- Microsoft Exchange Email
- MRP System
To begin, Progent followed malware incident response industry best practices by stopping the spread and cleaning up compromised systems. Progent then started the work of bringing Active Directory back online, the foundation of enterprise systems built on Microsoft Windows technology. Exchange email will not operate without Windows AD, and the business's financial and MRP applications ran on Microsoft SQL Server, which relies on Windows AD to authenticate and authorize access to the database.
Within 48 hours, Progent had rebuilt Active Directory to its pre-attack state. Progent then assisted with reinstallation and storage recovery on the required systems. All Exchange Server connections and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to locate intact OST files (Outlook Offline Data Files) on various workstations and recover mail data from them. A recent offline backup of the customer's accounting/ERP systems made it possible to bring these essential applications back to users. Although much work remained to recover completely from the Ryuk attack, critical systems were restored rapidly:
"For the most part, the production operation ran fairly normal throughout and we made all customer sales."
During the following month, important milestones in the restoration project were reached in close collaboration between Progent engineers and the client:
- Self-hosted web applications were brought back up with no loss of data.
- The MailStore email archive for Microsoft Exchange, containing more than 4 million archived emails, was spun up and made available to users.
- CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory modules were fully restored.
- A new Palo Alto Networks 850 security appliance was brought online.
- 90% of the user workstations were functioning as before the incident.
"A huge amount of what transpired during the initial response is nearly entirely a haze for me, but my management will not soon forget the dedication each and every one of the team accomplished to help get our business back. I have been working together with Progent for the past ten years, possibly more, and every time Progent has outperformed my expectations and delivered. This event was no exception but maybe more Herculean."
A potential business extinction event was averted through the efforts of results-oriented professionals, a wide range of technical expertise, and tight teamwork. In hindsight, the ransomware attack described here could have been blocked with modern cyber security systems and ISO/IEC 27001 best practices, user education, and well-designed incident response procedures covering data backup and patch management; nevertheless, state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and remain an ongoing threat. If you are hit by a ransomware incursion, you can be confident that Progent's team of professionals has extensive experience in ransomware defense, cleanup, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thanks very much for letting me get rested after we got through the initial push. All of you did a fabulous job, and if anyone is visiting the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this customer story, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Services in Birmingham
For ransomware recovery consulting in the Birmingham area, phone Progent at 800-462-8800 or visit Contact Progent.