Crypto-Ransomware : Your Crippling IT Catastrophe
Crypto-ransomware has become an all-too-frequent cyberplague that presents an extinction-level danger for businesses of all sizes that are poorly prepared for an assault. Multiple generations of ransomware such as CryptoLocker, WannaCry, Locky, Syskey and MongoLock cryptoworms have been replicating for years and still cause havoc. More recent variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, plus additional as yet unnamed malware, not only encrypt critical online data but also corrupt many configured system backups. Information replicated to off-site disaster recovery sites can also be corrupted. In a poorly architected data protection solution, this can make automatic recovery impossible and effectively sets the entire system back to zero.
Recovering applications and information after a ransomware event becomes a race against time as the targeted organization struggles to contain the damage, clear the ransomware, and resume enterprise-critical operations. Because ransomware needs time to move laterally, attacks are usually launched during nights and weekends, when successful attacks in many cases take longer to detect. This multiplies the difficulty of promptly marshalling and orchestrating an experienced response team.
Progent offers an assortment of solutions for protecting Cabo Frio organizations from ransomware events. These include team training to help staff recognize and avoid falling victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus installation of modern security gateways with AI technology to intelligently detect and suppress zero-day cyber threats. Progent can also provide the services of seasoned ransomware recovery professionals with the talent and commitment to restore a compromised system as quickly as possible.
Progent's Ransomware Recovery Support Services
Following a ransomware penetration, paying the ransom demand in Bitcoin cryptocurrency does not ensure that the attackers will provide the keys to decrypt any or all of your data. Kaspersky Labs estimated that 17% of ransomware victims never recovered their files after having paid the ransom, resulting in further losses. The gamble is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the typical crypto-ransomware demand, which ZDNET estimated to be around $13,000 for smaller businesses. The fallback is to rebuild the vital components of your Information Technology environment. Without access to full system backups, this requires a wide complement of skill sets, professional project management, and the willingness to work 24x7 until the job is done.
For decades, Progent has offered expert IT services for businesses across the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have attained top certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have earned internationally recognized industry certifications including CISA, CISSP, CRISC, and GIAC. (Visit Progent's certifications.) Progent also has expertise in accounting and ERP application software. This breadth of expertise gives Progent the skills to rapidly understand critical systems, integrate the remaining parts of your Information Technology environment following a ransomware penetration, and assemble them into an operational network.
Progent's recovery group uses state-of-the-art project management tools to orchestrate the complicated recovery process. Progent understands the importance of working quickly and together with a customer's management and IT resources to assign priority to tasks and to put essential systems back online as soon as possible.
Case Study: A Successful Ransomware Attack Restoration
A client sought out Progent after their network was attacked by Ryuk crypto-ransomware. Ryuk is believed to have been developed by North Korean state-sponsored criminal gangs, possibly using techniques leaked from the U.S. National Security Agency. Ryuk targets specific companies with limited tolerance for operational disruption and is one of the most profitable incarnations of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in Chicago with around 500 employees. The Ryuk event had paralyzed all business operations and manufacturing processes. The majority of the client's data backups had been online at the time of the intrusion and were damaged. The client considered paying the ransom (more than $200K) and hoping for good luck, but ultimately called Progent.
"I cannot say enough about the help Progent provided us during the most fearful time of (our) company's life. We would have had little choice but to pay the hackers if it weren't for the confidence the Progent group provided us. That you were able to get our messaging and production applications back online in less than a week was incredible. Each expert I talked with or texted at Progent was laser focused on getting our company operational and was working 24/7 on our behalf."
Progent worked hand in hand with the customer to rapidly assess and prioritize the mission-critical systems that needed to be recovered to make it possible to resume business functions:
- Microsoft Active Directory
- Microsoft Exchange
- Accounting and Manufacturing Software
To begin, Progent followed antivirus/malware incident response best practices by halting the spread and cleaning infected systems. Progent then initiated the work of restoring Microsoft Active Directory, the key technology of enterprise systems built on Microsoft products. Microsoft Exchange Server email will not operate without Active Directory, and the client's MRP system relied on SQL Server, which depends on Windows Active Directory for authenticating access to the database.
In less than 2 days, Progent was able to recover Active Directory services to their pre-attack state. Progent then rebuilt and restored storage for the most important systems. All Exchange links and attributes were intact, which greatly helped the rebuild of Exchange. Progent was also able to collect intact OST files (Microsoft Outlook Offline Data Files) from various PCs and laptops in order to recover email data. A relatively recent offline backup of the client's financial/MRP systems made it possible to bring these vital applications back online for users. Although a large amount of work still had to be done to recover fully from the Ryuk attack, core services were recovered quickly:
"For the most part, the production line operation survived unscathed and we made all customer orders."
Over the next few weeks, key milestones in the recovery project were reached through close collaboration between Progent consultants and the client:
- In-house web sites were restored with no loss of information.
- The MailStore Exchange Server archive, holding more than 4 million historical emails, was brought up and made accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory capabilities were fully functional.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- Ninety percent of the user desktops were functioning as before the incident.
"A lot of what was accomplished that first week is nearly entirely a blur for me, but I will not soon forget the dedication each of the team put in to give us our company back. I've been working with Progent for the past ten years, possibly more, and each time Progent has impressed me and delivered. This situation was a Herculean accomplishment."
A probable business disaster was averted thanks to results-oriented experts, a wide spectrum of knowledge, and tight teamwork. Although in hindsight the ransomware attack described here would have been detected and blocked with up-to-date security technology and recognized best practices, user education, and properly executed procedures for data backup and software patching, the reality is that state-sponsored cybercriminals from China, North Korea and elsewhere are relentless and will keep attacking. If you do fall victim to a ransomware incident, remember that Progent's team of experts has substantial experience in ransomware defense, remediation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were helping), I'm grateful for letting me get rested after we got past the initial fire. All of you did an amazing job, and if any of your team is in the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this customer story, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)