Ransomware : Your Worst IT Disaster
Ransomware has become a too-frequent cyber pandemic that presents an extinction-level danger for businesses unprepared for an assault. Earlier iterations of ransomware such as the CryptoLocker, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for a long time and still cause havoc. Modern versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, plus additional unnamed newcomers, not only encrypt on-line data but also infiltrate any available system protection. Files synchronized to off-site disaster recovery sites can also be ransomed. In a poorly designed environment, this can make any restore operation useless and essentially knocks the datacenter back to square one.
Recovering applications and data following a ransomware event becomes a race against the clock as the victim struggles to contain and eradicate the crypto-ransomware and to restore business-critical operations. Because ransomware requires time to spread, attacks are often launched during weekends and at night, when a successful attack may take more time to identify. This compounds the difficulty of rapidly mobilizing and coordinating a knowledgeable response team.
Progent has an assortment of services for securing Buffalo enterprises from crypto-ransomware events. Among these are team training to become familiar with and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of modern security solutions with AI technology to automatically detect and quarantine new threats. Progent in addition can provide the assistance of expert ransomware recovery engineers with the skills and commitment to restore a compromised environment as rapidly as possible.
Progent's Crypto-Ransomware Recovery Services
After a ransomware event, paying the ransom in cryptocurrency does not guarantee that the criminal gang will respond with the keys to decrypt all your information. Kaspersky determined that 17% of crypto-ransomware victims never recovered their data even after having sent off the ransom, resulting in additional losses. The ransom itself is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the average ransomware demand, which ZDNET determined to be around $13,000 for smaller organizations. The alternative is to set up from scratch the mission-critical elements of your IT environment. Without access to complete information backups, this requires a broad range of skills, well-coordinated project management, and the capability to work continuously until the job is done.
For two decades, Progent has provided professional Information Technology services for businesses across the United States and has achieved Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have attained top industry certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have garnered internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent in addition has experience with financial management and ERP applications. This breadth of expertise gives Progent the skills to rapidly understand the necessary systems, re-organize the surviving parts of your IT environment after a crypto-ransomware event, and assemble them into an operational network.
Progent's recovery team utilizes top-notch project management systems to coordinate the complex recovery process. Progent knows the importance of working swiftly and together with a customer's management and Information Technology team members to prioritize tasks and to get key systems back online as fast as humanly possible.
Customer Case Study: A Successful Ransomware Attack Response
A customer contacted Progent after their company was crippled by the Ryuk crypto-ransomware. Ryuk is thought to have been launched by North Korean government-sponsored criminal gangs, possibly using technology exposed from the United States NSA. Ryuk goes after specific companies with limited room for operational disruption and is one of the most profitable examples of ransomware malware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturer headquartered in Chicago with around 500 employees. The Ryuk attack had frozen all business operations and manufacturing processes. The majority of the client's data backups had been on-line at the start of the attack and were encrypted. The client was actively seeking loans to pay the ransom (in excess of two hundred thousand dollars) and hoping for the best, but in the end called Progent.
"I can't say enough in regards to the support Progent gave us throughout the most stressful time of (our) company's life. We most likely would have paid the cyber criminals behind the attack except for the confidence the Progent group provided us. That you were able to get our e-mail system and production applications back online faster than five days was beyond my wildest dreams. Each consultant I got help from or texted at Progent was hell bent on getting us restored and was working 24/7 to bail us out."
Progent worked with the client to quickly identify and prioritize the mission-critical applications that had to be recovered in order to continue departmental functions:
- Windows Active Directory
- Microsoft Exchange Server
To get going, Progent adhered to industry best practices for malware incident mitigation by isolating and removing the active viruses. Progent then began the process of restoring Microsoft Active Directory, the foundation of enterprise networks built upon Microsoft Windows technology. Microsoft Exchange Server messaging will not operate without AD, and the business's accounting and MRP applications used Microsoft SQL Server, which requires Windows AD for security authorization to the data.
In less than 48 hours, Progent was able to restore Windows Active Directory to its pre-virus state. Progent then initiated rebuilding and storage recovery on the needed systems. All Microsoft Exchange Server data and attributes were usable, which accelerated the restore of Exchange. Progent was able to assemble local OST data files (Microsoft Outlook Off-Line Data Files) from user workstations and laptops in order to recover mail messages. A relatively recent offline backup of the customer's manufacturing software made it possible to bring these required applications back online. Although major work still needed to be completed to recover totally from the Ryuk attack, core services were recovered rapidly:
"For the most part, the assembly line operation ran fairly normal throughout and we made all customer shipments."
Over the following month critical milestones in the restoration project were completed through close cooperation between Progent engineers and the customer:
- Internal web applications were brought back up with no loss of information.
- The MailStore Server, holding more than 4 million archived emails, was spun up and available for users.
- CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory functions were 100 percent functional.
- A new Palo Alto Networks 850 firewall was brought on-line.
- Nearly all of the user desktops were functioning as before the incident.
"Much of what happened in the early hours is nearly entirely a fog for me, but my team will not soon forget the care each and every one of your team accomplished to give us our business back. I've trusted Progent for the past ten years, maybe more, and each time Progent has shined and delivered as promised. This event was no exception but maybe more Herculean."
A probable business-ending disaster was dodged thanks to results-oriented professionals, a wide range of knowledge, and close teamwork. In retrospect, the ransomware penetration detailed here could have been stopped with modern security systems and best practices, user and IT administrator training, properly executed backup procedures, and keeping systems up to date with security patches. The fact remains, however, that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incident, remember that Progent's team of professionals has a proven track record in ransomware virus blocking, cleanup, and file recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thanks very much for letting me get some sleep after we got over the first week. All of you did an incredible effort, and if anyone is in the Chicago area, dinner is on me!"
Download the Ransomware Recovery Case Study Datasheet
A PDF version of this case study is available: Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF, 282 KB).