Crypto-Ransomware: Your Crippling IT Disaster
Crypto-ransomware has become a modern cyberplague and an existential threat to businesses of any size that are poorly prepared for an attack. Older families such as Reveton, Fusob, Locky, NotPetya and MongoLock have been circulating for years and continue to inflict damage. More recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, along with a steady stream of as yet unnamed variants, not only encrypt critical online data but also seek out and encrypt any backups that are reachable from the compromised network. Data replicated to the cloud can be rendered useless as well, because replication faithfully copies the encrypted files. In a vulnerable environment this makes automated recovery impossible and effectively knocks the network back to zero.
Bringing applications and data back online after a ransomware attack is a race against the clock: the targeted organization must contain the damage, eradicate the malware and resume business-critical operations all at once. Because encrypting a large environment takes time, attacks are usually triggered at night or over a weekend, when they take longer to notice. That timing also makes it harder to mobilize and organize a capable response team quickly.
Progent provides a variety of solutions for protecting Cabo Frio organizations from ransomware attacks. These include training staff to recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and the setup and configuration of next-generation security appliances that use machine learning to rapidly identify and block new threats. Progent also offers the services of veteran crypto-ransomware recovery engineers with the skills and perseverance to restore a breached environment as quickly as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminal gang will hand over the keys to decrypt any, let alone all, of your data. Kaspersky Lab found that 17% of crypto-ransomware victims never recovered their data even after paying, compounding their losses. Paying is also expensive: Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000), well above the typical ransomware demand, which ZDNet estimated at approximately $13,000 for small organizations. The alternative is to piece the mission-critical parts of your IT environment back together. Without complete, uncompromised backups, this calls for a wide range of skills, professional project management, and the ability to work around the clock until the job is done.
For two decades, Progent has provided professional IT services to businesses across the US and has achieved Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who hold top certifications in foundation technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cyber security consultants hold internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise in accounting and ERP software. This breadth of expertise allows Progent to rapidly identify critical systems, gather the surviving pieces of your IT environment after a ransomware attack, and rebuild them into an operational whole.
Progent's recovery team uses professional project management tools to coordinate the complicated restoration process. Progent appreciates the urgency of working swiftly and in concert with a client's management and IT staff to prioritize tasks and bring the most important applications back online as soon as possible.
Case Study: A Successful Ransomware Attack Recovery
A manufacturing business sought out Progent after its network was brought down by Ryuk ransomware. Early reporting linked Ryuk to North Korean state-sponsored actors because of its code overlap with the earlier Hermes ransomware; later analysis attributed it to a Russian-speaking criminal group. Ryuk targets specific businesses that have little tolerance for operational disruption and is among the most lucrative ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturer based in Chicago with about 500 employees. The Ryuk intrusion had frozen all business operations and manufacturing processes. Most of the client's system backups had been online, reachable from the network, at the time of the attack and were encrypted along with everything else. The client was considering paying the ransom (more than $200K) and hoping for the best, but in the end reached out to Progent.
"I can't say enough in regards to the help Progent gave us throughout the most critical period of (our) company's life. We most likely would have paid the Hackers except for the confidence the Progent experts afforded us. The fact that you were able to get our e-mail and critical applications back on-line quicker than seven days was incredible. Every single person I interacted with or communicated with at Progent was laser focused on getting us back on-line and was working non-stop to bail us out."
Progent worked with the client to rapidly understand and prioritize the key services that had to be restored before business functions could resume:
- Microsoft Active Directory
- Electronic Messaging
First, Progent followed incident response best practices by isolating affected systems to stop the spread and disinfecting them. Progent then began recovering Active Directory, the foundation of enterprise environments built on Microsoft Windows. Exchange email will not operate without Windows AD, and the client's financial and MRP applications ran on Microsoft SQL Server, which relied on Active Directory to authenticate users to the data.
In less than 48 hours, Progent restored Active Directory services to their pre-attack state. Progent then began reinstalling and recovering the disks of mission-critical servers. All Exchange schema extensions and attributes in AD were usable, which accelerated the Exchange restore. Progent was able to locate unencrypted OST files (Microsoft Outlook Offline Data Files) on staff workstations and recover email data from them. A reasonably recent offline backup of the customer's accounting/ERP software made it possible to bring those essential applications back online. Although a great deal of work remained to recover completely from the Ryuk damage, essential systems were returned to operation quickly:
"For the most part, the production operation did not miss a beat and we produced all customer orders."
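The OST recovery step above depends on quickly sorting the Outlook data files found on workstations into ones that are still intact and ones the ransomware already reached. The following Python script is an added example of that triage and is not Progent's code or tooling. It relies on the documented layout of the Outlook data file header (the "!BDN" signature at offset 0, the "SM" client signature at offset 8 and the format version at offset 10, shared by PST and OST files); the directory layout, file names, the 64 KiB minimum-size threshold, the sample file bytes and the function names are constructed for the demo.

```python
"""Triage of Outlook data files (.ost/.pst) copied off workstations after a
ransomware incident. Added example, not Progent's tooling; paths, names and
sample bytes are constructed for the demo.

Checks per candidate file:
  * header signature "!BDN" at offset 0 and client signature "SM" at offset 8
    (MS-PST HEADER structure; shared by PST and OST files)
  * file format version (wVer) at offset 10
  * a minimum size, since a real data file is far larger than its header
A file that fails the signature check is treated as encrypted or damaged even
if its name still ends in .ost.
"""
import struct
import tempfile
from pathlib import Path

OUTLOOK_MAGIC = b"!BDN"        # dwMagic
OUTLOOK_CLIENT_MAGIC = b"SM"   # wMagicClient
KNOWN_VERSIONS = {             # wVer values
    14: "ANSI", 15: "ANSI",    # documented in MS-PST
    23: "Unicode PST",         # documented in MS-PST
    21: "Unicode OST",         # seen in older OST files; treated as an assumption here
    36: "Unicode OST, 4 KiB pages (Outlook 2013 and later)",
}
MIN_PLAUSIBLE_SIZE = 64 * 1024  # assumed sanity threshold for this demo


def is_candidate(path: Path) -> bool:
    """Match .ost/.pst anywhere in the name, so files the ransomware renamed
    by appending its own extension are still examined."""
    name = path.name.lower()
    return ".ost" in name or ".pst" in name


def inspect_outlook_file(path: Path) -> dict:
    """Classify one candidate as intact, encrypted_or_damaged or truncated."""
    size = path.stat().st_size
    with path.open("rb") as fh:
        header = fh.read(12)
    rec = {
        "path": str(path),
        "size": size,
        "version": None,
        "renamed": path.suffix.lower() not in (".ost", ".pst"),
    }
    if len(header) < 12 or size < MIN_PLAUSIBLE_SIZE:
        rec["status"] = "truncated"
    elif header[:4] != OUTLOOK_MAGIC or header[8:10] != OUTLOOK_CLIENT_MAGIC:
        rec["status"] = "encrypted_or_damaged"
    else:
        ver = struct.unpack_from("<H", header, 10)[0]
        rec["version"] = ver
        rec["status"] = "intact" if ver in KNOWN_VERSIONS else "intact_unknown_version"
    return rec


def triage(root: Path) -> list:
    """Walk a tree of copied workstation profiles and inspect every candidate."""
    recs = [inspect_outlook_file(p) for p in root.rglob("*") if p.is_file() and is_candidate(p)]
    return sorted(recs, key=lambda r: r["path"])


def usable_files(records: list) -> list:
    """Paths worth copying to the recovery server for conversion or import."""
    return [r["path"] for r in records if r["status"].startswith("intact")]


def _fake_header(version: int) -> bytes:
    """Constructed header: only the fields inspected above are meaningful; CRC bytes are zero."""
    return OUTLOOK_MAGIC + b"\x00\x00\x00\x00" + OUTLOOK_CLIENT_MAGIC + struct.pack("<H", version)


def build_demo_tree(root: Path) -> None:
    """Constructed sample: two workstation profile copies with one intact OST,
    one intact ANSI PST archive, one file the ransomware renamed and
    encrypted, and one truncated copy."""
    ws1 = root / "WS01" / "Users" / "alice" / "AppData" / "Local" / "Microsoft" / "Outlook"
    ws2 = root / "WS02" / "Users" / "bob" / "AppData" / "Local" / "Microsoft" / "Outlook"
    ws1.mkdir(parents=True)
    ws2.mkdir(parents=True)
    filler = b"\x00" * MIN_PLAUSIBLE_SIZE
    (ws1 / "alice@example.com.ost").write_bytes(_fake_header(36) + filler)
    (ws1 / "archive.pst").write_bytes(_fake_header(14) + filler)
    # Ryuk appends .RYK to files it encrypts; the body here is deterministic junk
    junk = bytes((i * 73 + 41) % 256 for i in range(MIN_PLAUSIBLE_SIZE + 12))
    (ws2 / "bob@example.com.ost.RYK").write_bytes(junk)
    (ws2 / "old.ost").write_bytes(_fake_header(36))  # copy interrupted after 12 bytes


def demo() -> dict:
    """Run the triage on the constructed tree; returns {file name: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        records = triage(root)
        for r in records:
            print(f'{r["status"]:22} v={r["version"]!s:5} renamed={r["renamed"]!s:5} {r["path"]}')
        return {Path(r["path"]).name: r["status"] for r in records}


if __name__ == "__main__":
    demo()
```

Two caveats for real use: run the script against copies taken from the workstations (never against the originals, and never before the host has been isolated and imaged if the incident is still under investigation), and remember that an intact OST is a per-profile cache of the mailbox rather than a standalone archive, so turning it back into mail still requires a conversion or import step after this triage.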
Over the following couple of weeks, further milestones in the restoration were achieved in close collaboration between Progent team members and the customer:
- Self-hosted web applications were restored with no loss of data.
- The MailStore email archive server, holding over four million archived Exchange messages, was brought on-line and made available to users.
- CRM/Product Ordering/Invoices/Accounts Payable/AR/Inventory capabilities were completely functional.
- A new Palo Alto 850 firewall was brought on-line.
- Nearly all user workstations were back in use by staff.
"So much of what was accomplished that first week is nearly entirely a blur for me, but my management will not soon forget the care each of the team put in to help get our business back. I've trusted Progent for the past 10 years, possibly more, and every time Progent has shined and delivered as promised. This event was a stunning achievement."
A potential business-killing catastrophe was averted thanks to hard-working experts, a wide range of IT skills, and close teamwork. In hindsight, the intrusion described here could have been detected and stopped with current security technology, security best practices, user and IT administrator training, and properly executed procedures for data backup and security patching. The fact remains, however, that state-sponsored and criminal attackers from China, Russia, North Korea and elsewhere are tireless and will keep coming. If you are hit by a ransomware incident, remember that Progent's team has extensive experience in ransomware blocking, removal, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thank you for letting me get some sleep after we made it over the most critical parts. Everyone put in an impressive effort, and if any of your team is visiting the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)