Crypto-Ransomware: Your Crippling Information Technology Catastrophe
Ransomware has become an all-too-frequent cyber pandemic that presents an existential threat to businesses of every size. Different iterations of crypto-ransomware such as the CryptoLocker, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been replicating for many years and still cause harm. Modern variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Nefilim, along with newer and still unnamed arrivals, not only encrypt online data files but also destroy any system backups they can reach. Data synchronized to the cloud can be corrupted as well. With a vulnerable data protection solution, this can make recovery hopeless and effectively sets the datacenter back to square one.
Restoring services and data after a ransomware outage becomes a race against the clock as the victim tries to stop the spread, clear the crypto-ransomware and resume mission-critical operations. Because crypto-ransomware needs time to replicate, intrusions are frequently launched on weekends, when attacks typically take longer to discover. This compounds the difficulty of quickly assembling and coordinating a knowledgeable response team.
Progent provides a range of help services for protecting Charleston enterprises from crypto-ransomware penetrations. These include team education to help identify and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of next-generation security solutions with AI capabilities to quickly discover and extinguish zero-day threats. Progent can also provide expert ransomware recovery engineers with the skills and commitment to reconstruct a breached network as rapidly as possible.
Progent's Ransomware Recovery Services
After a ransomware penetration, even paying the ransom in cryptocurrency does not ensure that the distant criminals will respond with the keys to decrypt all your information. Kaspersky found that 17% of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also expensive: Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000), far above the average ransomware demand, which ZDNET put at around $13,000 for small businesses. The fallback is to rebuild the essential components of your IT environment from scratch. Without usable backups of essential information, this calls for a wide range of IT skills, top-notch project management, and the willingness to work continuously until the job is finished.
For decades, Progent has offered professional Information Technology services for businesses across the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have been awarded advanced industry certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have garnered internationally-renowned industry certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of experience gives Progent the ability to quickly identify critical systems, consolidate the remaining pieces of your network after a crypto-ransomware attack, and rebuild them into a functioning system.
Progent's security group uses powerful project management systems to coordinate the sophisticated restoration process. Progent appreciates the urgency of acting quickly and in concert with a client's management and IT team members to prioritize tasks and to put essential systems back online as soon as possible.
Customer Story: A Successful Ransomware Incident Response
A small business engaged Progent after it was brought down by Ryuk ransomware. Ryuk is thought to have been created by North Korean state hackers, possibly using technology leaked from the United States National Security Agency. Ryuk targets specific companies that have little tolerance for disruption and is one of the most profitable ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturer in the Chicago metro area with around 500 staff members. The Ryuk penetration had paralyzed all business operations and manufacturing. Most of the client's system backups had been online when the intrusion began and were destroyed. The client considered paying the ransom (in excess of $200,000) and hoping for the best, but in the end brought in Progent.
"I cannot say enough about the help Progent provided us during the most critical time of (our) business's survival. We would have had little choice but to pay the criminal gangs if it wasn't for the confidence the Progent group afforded us. The fact that you were able to get our e-mail system and key applications back on-line quicker than a week was something I thought impossible. Each expert I interacted with or e-mailed at Progent was amazingly focused on getting us restored and was working 24 by 7 to bail us out."
Progent worked together with the client to quickly assess and prioritize the essential systems that had to be restored before company functions could resume:
- Microsoft Active Directory
- Electronic Mail
- Accounting and Manufacturing Software
To start, Progent followed ransomware incident mitigation best practices by stopping the spread and cleaning up compromised systems. Progent then began rebuilding Microsoft Active Directory, the core technology of enterprise networks built on Microsoft Windows. Microsoft Exchange Server messaging will not function without Windows AD, and the business's MRP applications used SQL Server, which depends on Active Directory services for authorizing access to the databases.
Within two days, Progent rebuilt Windows Active Directory to its pre-intrusion state. Progent then rebuilt the needed applications and recovered data from hard drives. All Exchange Server data and configuration information were intact, which greatly eased the rebuild of Exchange. Progent was also able to collect unencrypted OST files (Microsoft Outlook Offline Folder Files) from team workstations to recover mail data. A fairly recent offline backup of the client's financials/MRP systems made it possible to bring these required applications back online. Although much work remained to recover fully from the Ryuk attack, essential systems were returned to operation quickly:
"For the most part, the production manufacturing operation showed little impact and we produced all customer deliverables."
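The OST collection step described above lends itself to a small triage script. The following Python is an added example, not Progent's tooling: it walks a directory of files gathered from workstations, picks out Outlook data files (including ones renamed with an appended extension; the `.locked` suffix used here is a hypothetical stand-in, since the real one varies by ransomware family) and checks whether each still begins with the `!BDN` signature that every PST/OST file carries at offset 0, so that only files with an intact header are staged for mail recovery. The sample directory it builds is constructed for the demonstration and contains no real mailbox data.

```python
"""Triage Outlook OST/PST files collected from workstations after a ransomware incident.

Added example (not Progent's code). Every PST/OST file begins with the four
bytes b"!BDN"; a copy whose header has been overwritten by encryption fails
that check and is set aside, so only intact files are staged for recovery.
"""
import os
import tempfile
from pathlib import Path

OUTLOOK_MAGIC = b"!BDN"             # signature at offset 0 of PST/OST files
OUTLOOK_SUFFIXES = {".ost", ".pst"}


def header_is_intact(path):
    """True if the file exists and starts with the PST/OST signature."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(OUTLOOK_MAGIC)) == OUTLOOK_MAGIC
    except OSError:
        return False


def is_outlook_file(name):
    """Match on any suffix, so 'archive.pst.locked' is still examined.

    '.locked' is a hypothetical extension standing in for whatever a
    ransomware family appends to the files it encrypts.
    """
    return bool(OUTLOOK_SUFFIXES.intersection(s.lower() for s in Path(name).suffixes))


def triage_outlook_files(root):
    """Return (intact, damaged): sorted path lists of Outlook files under root."""
    intact, damaged = [], []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not is_outlook_file(name):
                continue
            full = os.path.join(dirpath, name)
            (intact if header_is_intact(full) else damaged).append(full)
    return sorted(intact), sorted(damaged)


def build_sample_tree():
    """Create a throw-away directory tree (constructed data, not real mailboxes)."""
    root = tempfile.mkdtemp(prefix="ost_triage_")
    samples = {
        "alice/outlook.ost": OUTLOOK_MAGIC + b"\x00" * 60,   # intact header
        "bob/outlook.ost": bytes(range(64)),                 # header overwritten
        "carol/archive.pst.locked": bytes(range(64)),        # encrypted and renamed
        "dave/notes.txt": b"not an outlook file",            # ignored
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    ok, bad = triage_outlook_files(sample_root)
    print("stage for recovery:", *ok, sep="\n  ")
    print("set aside (header not intact):", *bad, sep="\n  ")
```

A signature check is only a first-pass filter: some ransomware families encrypt files intermittently or leave the first bytes alone, so a file that passes should still be validated by opening it in Outlook or with Microsoft's Inbox Repair tool (scanpst.exe) before it is relied on, and the originals should be copied, never modified in place, while the incident is still under investigation.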
Over the following few weeks key milestones in the restoration project were accomplished in tight cooperation between Progent consultants and the client:
- Self-hosted web applications were returned to operation with no loss of information.
- The MailStore Server containing more than 4 million archived messages was brought on-line and accessible to users.
- CRM/Orders/Invoices/Accounts Payable/Accounts Receivable/Inventory capabilities were 100% restored.
- A new Palo Alto 850 security appliance was brought online.
- Ninety percent of the desktop computers were back into operation.
"Much of what was accomplished those first few days is nearly entirely a haze for me, but I will not forget the commitment each and every one of you put in to help get our business back. I've been working with Progent for the past ten years, possibly more, and every time I needed help Progent has impressed me and delivered. This time was a testament to your capabilities."
A likely business-ending catastrophe was averted through results-oriented experts, a wide range of subject-matter expertise, and close teamwork. In retrospect, the ransomware attack described here would have been identified and blocked by advanced cyber security solutions, NIST Cybersecurity Framework best practices, staff training, and properly executed procedures for information protection and patch management. The fact remains, however, that state-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and are not going away. If you are hit by a ransomware attack, you can be confident that Progent's roster of professionals has proven experience in crypto-ransomware defense, removal, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were contributing), I'm grateful for letting me get rested after we got over the initial push. Everyone did an amazing job, and if anyone that helped is visiting the Chicago area, a great meal is on me!"
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this customer story, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)