Ransomware : Your Crippling Information Technology Nightmare
Ransomware has become an escalating cyberplague that poses an existential threat for businesses vulnerable to an attack. Different versions of ransomware such as CryptoLocker, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for years and still cause damage. Newer variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, along with frequent as yet unnamed newcomers, not only encrypt on-line data but also infiltrate any accessible system protection, such as backups. Files synched to off-site disaster recovery sites can also be encrypted. In a vulnerable system, this can render any restoration useless and effectively knock the entire system back to zero.
Restoring applications and information following a ransomware attack becomes a sprint against time as the targeted business fights to contain the damage and clear the crypto-ransomware and to resume enterprise-critical operations. Since ransomware takes time to replicate, assaults are often sprung during weekends and nights, when penetrations tend to take more time to uncover. This multiplies the difficulty of promptly marshalling and organizing an experienced response team.
Progent makes available a range of services for securing Cambridge enterprises from ransomware penetrations. These include user training to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of next-generation security gateways with AI capabilities to intelligently detect and suppress zero-day threats. Progent also provides the services of expert ransomware recovery professionals with the talent and commitment to rebuild a breached system as urgently as possible.
Progent's Crypto-Ransomware Restoration Help
Soon after a ransomware penetration, paying the ransom demand in cryptocurrency does not ensure that cyber criminals will provide the keys to decrypt all your information. Kaspersky Labs determined that 17% of crypto-ransomware victims never restored their data even after having sent off the ransom, resulting in additional losses. Paying is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical crypto-ransomware demand, which ZDNET determined to be in the range of $13,000 for smaller businesses. The alternative is to re-install the vital elements of your IT environment. Absent the availability of essential data backups, this requires a wide range of skill sets, top notch team management, and the ability to work 24x7 until the job is finished.
For decades, Progent has provided professional IT services for businesses throughout the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have been awarded high-level industry certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have garnered internationally-renowned industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has expertise with financial systems and ERP application software. This breadth of experience affords Progent the skills to rapidly identify the systems that must be restored, consolidate the surviving components of your IT environment following a ransomware event, and rebuild them into a functioning network.
Progent's security group has powerful project management applications to coordinate the complex restoration process. Progent appreciates the urgency of acting rapidly and working together with a customer's management and Information Technology staff to prioritize tasks and to get the most important systems back on line as soon as humanly possible.
Customer Story: A Successful Crypto-Ransomware Intrusion Response
A small business sought out Progent after their organization was penetrated by the Ryuk crypto-ransomware. Ryuk is believed to have been launched by North Korean state hackers, possibly adopting approaches leaked from the U.S. NSA organization. Ryuk seeks specific organizations with little tolerance for disruption and is one of the most profitable examples of ransomware. Headline targets include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturer located in Chicago and has around 500 employees. The Ryuk intrusion had shut down all business operations and manufacturing capabilities. The majority of the client's backups had been on-line at the beginning of the intrusion and were eventually encrypted. The client was actively seeking loans to pay the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.
"I can't thank you enough for the care Progent provided us throughout the most critical period of (our) business's survival. We may have had to pay the Hackers except for the confidence the Progent group provided us. The fact that you could get our messaging and essential applications back faster than five days was earth shattering. Each expert I interacted with or messaged at Progent was laser focused on getting us back online and was working 24 by 7 to bail us out."
Progent worked with the client to rapidly get our arms around and assign priority to the most important services that needed to be restored in order to continue departmental functions:
- Microsoft Active Directory
- Microsoft Exchange
To start, Progent followed ransomware event response best practices by isolating and clearing up compromised systems. Progent then began the task of rebuilding Microsoft Active Directory, the key technology of enterprise environments built upon Microsoft Windows technology. Exchange messaging will not work without Active Directory, and the client's financials and MRP applications used Microsoft SQL, which requires Windows AD for authentication to the databases.
In less than two days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then initiated rebuilding and hard drive recovery on critical systems. All Exchange ties and attributes were usable, which accelerated the rebuild of Exchange. Progent was also able to locate intact OST files (Outlook Email Offline Folder Files) on various desktop computers and laptops to recover mail messages. A fairly recent offline backup of the business's accounting/MRP software made it possible to bring these essential applications back online for users. Although a lot of work remained to recover completely from the Ryuk virus, core systems were restored quickly:
"For the most part, the manufacturing operation survived unscathed and we delivered all customer sales."
During the following few weeks important milestones in the restoration project were accomplished through tight cooperation between Progent team members and the customer:
- Internal web applications were restored with no loss of data.
- The MailStore Server containing more than 4 million archived messages was spun up and accessible to users.
- CRM/Customer Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory Control capabilities were fully operational.
- A new Palo Alto 850 firewall was set up and programmed.
- Nearly all of the user workstations were operational.
"A huge amount of what was accomplished during the initial response is mostly a fog for me, but my team will not forget the urgency each and every one of your team accomplished to give us our business back. I have entrusted Progent for at least 10 years, possibly more, and each time Progent has shined and delivered as promised. This situation was the most impressive ever."
A likely business extinction disaster was avoided with top-tier experts, a broad spectrum of technical expertise, and tight collaboration. In post mortem, the ransomware incident detailed here should have been identified and prevented with advanced cyber security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, appropriate security procedures for information protection, and keeping systems up to date with security patches. The reality remains, however, that state-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a crypto-ransomware incident, remember that Progent's roster of experts has extensive experience in ransomware virus defense, cleanup, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were contributing), thanks very much for making it so I could get some sleep after we made it past the initial push. Everyone did an impressive job, and if anyone is around the Chicago area, dinner is on me!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)