Ransomware : Your Worst Information Technology Nightmare
Crypto-Ransomware has become a modern cyberplague that presents an enterprise-level threat for businesses vulnerable to an assault. Multiple generations of crypto-ransomware like the Dharma, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been replicating for years and still inflict damage. Newer versions of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Nephilim, along with frequent unnamed viruses, not only encrypt online data files but also infiltrate any accessible system restores and backups. Information synchronized to off-site disaster recovery sites can also be ransomed. In a poorly architected data protection solution, this can render automatic restore operations impossible and basically knocks the network back to square one.
Getting applications and data back on-line following a ransomware attack becomes a sprint against the clock as the targeted business struggles to contain the damage, remove the malware, and resume mission-critical operations. Because ransomware takes time to spread, attacks are often sprung on weekends, when they tend to take longer to detect. This multiplies the difficulty of quickly assembling and organizing a capable response team.
Progent offers an assortment of services for protecting Bristol organizations from ransomware events. These include team member education to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of the latest generation of security gateways with AI technology to intelligently identify and quarantine zero-day threats. Progent also provides the assistance of experienced crypto-ransomware recovery consultants with the talent and perseverance to restore a breached system as quickly as possible.
Progent's Ransomware Recovery Help
After a ransomware attack, paying the ransom demanded in Bitcoin cryptocurrency does not provide any assurance that the attackers will provide the keys needed to decrypt any or all of your information. Kaspersky ascertained that seventeen percent of ransomware victims never restored their files even after having paid the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET estimated to be around $13,000 for small businesses. The alternative is to re-install the critical elements of your Information Technology environment. Without complete system backups, this calls for a wide range of skills, professional project management, and the willingness to work continuously until the recovery project is over.
For decades, Progent has provided professional IT services for businesses across the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have attained advanced certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have earned internationally renowned industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of expertise gives Progent the skills to knowledgeably identify the necessary systems, re-organize the surviving parts of your computer network after a crypto-ransomware event, and rebuild them into an operational network.
Progent's recovery team has top-notch project management systems to orchestrate the complex restoration process. Progent understands the urgency of working swiftly and in unison with a customer's management and Information Technology resources to prioritize tasks and to get key applications back on-line as soon as humanly possible.
Customer Case Study: A Successful Ransomware Virus Recovery
A business contacted Progent after their network was brought down by Ryuk ransomware. Ryuk is thought to have been launched by North Korean state criminal gangs, suspected of using algorithms leaked from the United States NSA. Ryuk targets specific companies with little or no ability to sustain operational disruption and is among the most profitable ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing company headquartered in the Chicago metro area with about 500 employees. The Ryuk attack had frozen all business operations and manufacturing capabilities. The majority of the client's information backups had been directly accessible at the time of the attack and were eventually encrypted. The client was evaluating paying the ransom (exceeding two hundred thousand dollars) and praying for good luck, but ultimately brought in Progent.
"I can't tell you enough in regards to the expertise Progent gave us during the most stressful period of (our) business's existence. We would have paid the cyber criminals behind the attack if not for the confidence the Progent group gave us. That you could get our messaging and important servers back on-line faster than one week was incredible. Every single person I talked with or messaged at Progent was absolutely committed to getting our company operational and was working non-stop to bail us out."
Progent worked together with the customer to quickly understand and prioritize the mission-critical applications that needed to be recovered in order to resume departmental operations:
- Windows Active Directory
- Microsoft Exchange Email
To start, Progent followed AV/malware incident response best practices by stopping lateral movement and cleaning up compromised systems. Progent then initiated the task of recovering Microsoft Active Directory, the foundation of enterprise environments built on Microsoft technology. Exchange email will not work without Active Directory, and the customer's MRP system utilized SQL Server, which requires Windows AD for access to the data.
Within 48 hours, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then assisted with the setup and storage recovery of needed systems. All Exchange ties and configuration information were intact, which accelerated the restore of Exchange. Progent was also able to collect unencrypted OST files (Outlook Email Offline Folder Files) from user desktop computers in order to recover email messages. A recent offline backup of the client's accounting/MRP systems made it possible to make these essential services available to users again. Although significant work still had to be done to recover fully from the Ryuk damage, core services were recovered quickly:
"For the most part, the production line operation ran fairly normal throughout and we produced all customer deliverables."
During the following couple of weeks, important milestones in the recovery project were achieved in tight cooperation between Progent engineers and the client:
- In-house web sites were restored with no loss of information.
- The MailStore Exchange Server with over four million historical emails was restored to operations and available for users.
- CRM/Customer Orders/Invoices/AP/Accounts Receivables/Inventory Control functions were 100% restored.
- A new Palo Alto Networks 850 security appliance was brought online.
- Nearly all of the desktops and laptops were functioning as before the incident.
"Much of what happened in the early hours is nearly entirely a fog for me, but my team will not forget the care all of you accomplished to help get our company back. I have been working with Progent for the past ten years, maybe more, and every time Progent has impressed me and delivered. This time was a life saver."
A possible business-killing disaster was averted by top-tier professionals, a broad array of IT skills, and close collaboration. In analyzing the event afterwards, the ransomware incident described here would have been identified and disabled with advanced cyber security solutions and NIST Cybersecurity Framework best practices, staff training, and appropriate incident response procedures for information backup and keeping systems up to date with security patches. The fact remains, however, that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and will continue. If you do fall victim to a crypto-ransomware virus, feel confident that Progent's team of professionals has proven experience in ransomware virus blocking, removal, and data recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), I'm grateful for making it so I could get rested after we got through the first week. Everyone did an amazing effort, and if any of your team is visiting the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Expertise in Bristol
For ransomware system restoration consulting services in the Bristol metro area, phone Progent at 800-462-8800 or visit Contact Progent.