Ransomware: Your Crippling IT Catastrophe
Ransomware has become an all-too-frequent cyberplague that poses an extinction-level threat to businesses of any size that are unprepared for an attack. Earlier iterations of ransomware such as the CrySIS, WannaCry, Locky, Syskey and MongoLock cryptoworms have been circulating for years and continue to cause damage. Newer variants such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, plus a steady stream of as-yet-unnamed malware, not only encrypt online files but also go after every system protection mechanism they can reach. Data replicated to the cloud can be rendered useless as well. Against a vulnerable data protection solution, this can make any restore operation impossible and effectively knocks the network back to square one.
Restoring services and information after a ransomware intrusion becomes a sprint against the clock as the targeted organization struggles to contain the damage and eradicate the crypto-ransomware and to restore mission-critical operations. Because crypto-ransomware requires time to spread, assaults are usually sprung during weekends and nights, when successful attacks may take longer to recognize. This multiplies the difficulty of quickly assembling and organizing a capable mitigation team.
Progent makes available a range of services for protecting Brooklyn organizations from ransomware penetrations. Among these are user training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of the latest generation security appliances with artificial intelligence technology to intelligently discover and suppress zero-day cyber threats. Progent in addition can provide the services of expert ransomware recovery professionals with the talent and perseverance to restore a breached network as rapidly as possible.
Progent's Ransomware Recovery Help
Following a crypto-ransomware penetration, paying the ransom demand in Bitcoin does not ensure that the criminal gang will provide the keys needed to decipher any or all of your information. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their information after paying the ransom, compounding their losses. The gamble is also very expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the typical ransomware demand, which ZDNET estimated to be in the range of $13,000 for small organizations. The fallback is to piece the vital elements of your IT environment back together. Without usable backups of essential information, this calls for a wide range of IT skills, top-notch project management, and the capability to work non-stop until the recovery is done.
For decades, Progent has provided certified expert IT services to companies throughout the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who hold high-level industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have earned internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience with financial systems and ERP software solutions. This breadth of experience allows Progent to quickly identify important systems, gather the remaining pieces of your IT environment following a crypto-ransomware penetration, and assemble them into a functioning whole.
Progent's security team has top-notch project management tools to coordinate the complex restoration process. Progent knows the importance of acting quickly and in unison with a client's management and IT staff to prioritize tasks and to put the most important applications back online as soon as humanly possible.
Case Study: A Successful Ransomware Virus Response
A small business engaged Progent after their company was brought down by the Ryuk ransomware. Ryuk is thought to have been created by North Korean state-sponsored criminal gangs, suspected of using technology leaked from America's NSA. Ryuk targets specific businesses with little or no tolerance for disruption and is one of the most lucrative versions of crypto-ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business based in the Chicago metro area with around 500 workers. The Ryuk event had frozen all business operations and manufacturing processes. Most of the client's backups had been online at the start of the intrusion and were encrypted. The client was preparing to pay the ransom (in excess of $200K) and hoping for the best, but ultimately brought in Progent.
"I cannot tell you enough about the expertise Progent gave us during the most critical time of (our) company's life. We most likely would have paid the cyber criminals behind the attack if it wasn't for the confidence the Progent experts afforded us. The fact that you were able to get our messaging and critical applications back online in less than five days was beyond my wildest dreams. Each staff member I talked with or e-mailed at Progent was urgently focused on getting our company operational and was working day and night on our behalf."
Progent worked hand in hand with the customer to rapidly identify and prioritize the critical applications that had to be recovered in order to continue business operations:
- Microsoft Active Directory
- Exchange Server
To begin, Progent followed anti-virus/malware incident mitigation best practices by halting lateral movement and cleaning up infected systems. Progent then started the process of rebuilding Microsoft Active Directory (AD), the key technology of enterprise networks built on Microsoft Windows. Exchange email will not operate without AD, and the business's financials and MRP system ran on SQL Server, which depends on Active Directory for authorizing access to the data.
Within two days, Progent was able to restore Active Directory to its pre-attack state. Progent then began reinstallations and hard drive recovery of critical applications. All Exchange Server links and configuration information were intact, which greatly simplified the Exchange restore. Progent was able to gather unencrypted OST files (Outlook Offline Data Files) from staff desktop computers and laptops to recover email messages. A reasonably recent offline backup of the client's financials/MRP systems allowed these vital applications to be put back into service. Although major work remained to recover fully from the Ryuk event, critical systems were restored quickly:
"For the most part, the production line operation did not miss a beat and we made all customer orders."
Over the following couple of weeks, critical milestones in the recovery project were accomplished in close collaboration between Progent team members and the client:
- Internal web sites were restored with no loss of data.
- The MailStore Microsoft Exchange Server containing more than four million archived messages was restored to operations and available for users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/AR/Inventory Control capabilities were 100% functional.
- A new Palo Alto Networks 850 firewall was brought online.
- Ninety percent of the user PCs were fully operational.
"Much of what transpired those first few days is mostly a blur for me, but I will not forget the care all of your team put in to help get our business back. I've trusted Progent for the past ten years, maybe more, and every time Progent has impressed me and delivered. This situation was a stunning achievement."
A potential enterprise-killing disaster was averted through dedicated professionals, a broad spectrum of technical expertise, and tight collaboration. In hindsight, the ransomware penetration described here would have been detected and prevented by modern security solutions and security best practices, user and IT administrator training, and well thought out procedures for backup and patch management. Even so, government-sponsored cyber criminals from Russia, China and elsewhere are relentless and represent an ongoing threat. If you are hit by a crypto-ransomware incident, remember that Progent's team of experts has proven experience in ransomware blocking, removal, and file recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for allowing me to get some sleep after we made it past the most critical parts. Everyone did an incredible job, and if anyone that helped is visiting the Chicago area, a great meal is on me!"
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Expertise in Brooklyn
For ransomware cleanup consulting in the Brooklyn metro area, phone Progent at 800-462-8800 or see Contact Progent.