Ransomware: Your Crippling Information Technology Catastrophe
Ransomware has become an escalating cyber pandemic that presents an extinction-level danger for organizations unprepared for an attack. Earlier versions of ransomware like the Dharma, Fusob, Locky, NotPetya and MongoLock cryptoworms have been circulating for a long time and continue to cause destruction. Modern versions such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, along with new unnamed malware appearing daily, not only encrypt online data files but also attack any system protection mechanisms they can reach, such as directly accessible backups. Data synchronized to cloud environments can also be ransomed. In a poorly architected system, this can make any restore operation impossible and effectively knocks the entire environment back to zero.
Recovering applications and information following a ransomware outage becomes a race against the clock as the targeted business tries to contain and clean up the crypto-ransomware and to restore mission-critical activity. Because ransomware needs time to spread, attacks are frequently launched on weekends and holidays, when successful penetrations typically take longer to discover. This multiplies the difficulty of quickly marshalling and coordinating a capable response team.
Progent offers a range of services for protecting Cabo Frio enterprises from ransomware events. These include team education to help staff recognize and avoid phishing scams, and ProSight Active Security Monitoring, an endpoint detection and response service that uses SentinelOne's behavior-based threat defense to discover and quarantine zero-day malware attacks. Progent also offers the services of expert ransomware recovery consultants with the skills and perseverance to re-deploy a compromised environment as urgently as possible.
Progent's Ransomware Recovery Services
After a crypto-ransomware attack, even paying the ransom in Bitcoin does not guarantee that the criminal gang will respond with the keys needed to decrypt all your files. Kaspersky determined that 17% of ransomware victims never recovered their information even after paying the ransom, compounding their losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000). This is significantly higher than the usual ransomware demand, which ZDNET estimated to be approximately $13,000 for small businesses. The other path is to rebuild the mission-critical components of your Information Technology environment. Without full system backups, this calls for a wide range of skills, well-coordinated team management, and the willingness to work 24x7 until the recovery project is complete.
For two decades, Progent has offered certified expert Information Technology services for companies throughout the United States and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have earned internationally recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial management and ERP applications. This breadth of expertise gives Progent the ability to knowledgeably identify critical systems, consolidate the surviving parts of your Information Technology environment after a ransomware event, and rebuild them into a functioning system.
Progent's recovery group uses top-notch project management systems to coordinate the complex recovery process. Progent knows the importance of acting quickly and in concert with a client's management and IT team members to prioritize tasks and to get the most important applications back online as soon as humanly possible.
Business Case Study: A Successful Ransomware Incident Response
A client contacted Progent after their company was attacked by the Ryuk ransomware. Ryuk is thought to have been created by North Korean state-sponsored hackers, possibly adopting techniques leaked from the US National Security Agency (NSA). Ryuk targets specific companies that have little or no tolerance for disruption and is one of the most profitable ransomware families. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in the Chicago metro area with around 500 employees. The Ryuk attack had paralyzed all essential business operations and manufacturing processes. The majority of the client's system backups had been directly accessible from the network at the start of the attack and were eventually encrypted. The client was actively seeking loans to pay the ransom (in excess of $200,000) and hoping for the best, but in the end decided to engage Progent.
"I cannot thank you enough for the care Progent gave us during the most critical time of (our) company's existence. We most likely would have paid the cybercriminals if it wasn't for the confidence the Progent group afforded us. That you could get our messaging and important servers back in less than five days was incredible. Each staff member I talked with or e-mailed at Progent was totally committed to getting us back online and was working at all hours to bail us out."
Progent worked hand in hand with the customer to quickly understand and prioritize the most important systems that needed to be addressed in order to continue company operations:
- Active Directory (AD)
- Accounting and Manufacturing Software
To begin, Progent followed industry best practices for ransomware mitigation by halting lateral movement and cleaning up infected systems. Progent then began the work of recovering Microsoft Active Directory, the core technology of enterprise networks built on Microsoft Windows. Exchange messaging will not work without Active Directory, and the customer's MRP software relied on Microsoft SQL Server, which requires Windows AD authentication to authorize access to the data.
Within 48 hours, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then completed rebuilding and hard drive recovery on essential systems. All Exchange Server connections and configuration information were intact, which accelerated the restoration of Exchange. Progent was able to collect intact OST files (Microsoft Outlook Offline Data Files) from team desktop computers and laptops in order to recover email data. A relatively recent offline backup of the customer's accounting software allowed these essential applications to be restored to service. Although major work remained to recover fully from the Ryuk event, the most important systems were recovered quickly:
"For the most part, the production line operation ran fairly normal throughout and we did not miss any customer sales."
Throughout the following few weeks, important milestones in the restoration process were accomplished in close cooperation between Progent team members and the customer:
- In-house web applications were returned to operation without losing any data.
- The MailStore Exchange Server archive, containing more than 4 million archived emails, was brought online and made available to users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control capabilities were completely restored.
- A new Palo Alto Networks 850 security appliance was brought online.
- 90% of the desktops and laptops were operational.
"So much of what transpired that first week is nearly entirely a fog for me, but our team will not forget the care each of you put in to give us our company back. I have trusted Progent for at least 10 years, maybe more, and every time Progent has outperformed my expectations and delivered. This event was the most impressive ever."
A probable business catastrophe was averted by dedicated experts, a broad range of subject matter expertise, and tight collaboration. In hindsight, the crypto-ransomware attack described here could have been identified and prevented with modern cyber security technology, recognized best practices, team education, and appropriate procedures for data protection and for keeping systems current with security patches. The reality remains, however, that state-sponsored hackers from China, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware attack, feel confident that Progent's team of professionals has extensive experience in crypto-ransomware blocking, mitigation, and data disaster recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), I'm grateful for allowing me to get some sleep after we got over the initial fire. Everyone did an incredible job, and if anyone is visiting the Chicago area, a great meal is my treat!"
Download the Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this customer case study, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Services in Cabo Frio
For ransomware recovery consulting in the Cabo Frio area, call Progent at 800-462-8800 or go to Contact Progent.