Ransomware: Your Feared Information Technology Catastrophe
Ransomware has become a modern cyber pandemic that presents an enterprise-level danger for businesses of all sizes. Earlier iterations of ransomware such as the CryptoLocker, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been around for many years and still cause destruction. Newer crypto-ransomware families such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, along with a steady stream of unnamed newcomers, not only encrypt online data but also seek out and encrypt most reachable system backups. Data synced to the cloud can be corrupted as well. In a vulnerable environment, this renders automated restore operations useless and effectively sets the datacenter back to square one.
Recovering applications and data after a crypto-ransomware attack becomes a race against the clock as the victim struggles to contain the damage, eradicate the ransomware, and restore business-critical activity. Because ransomware needs time to spread, attacks are usually launched at night, when they are likely to go undetected for longer. This compounds the difficulty of quickly assembling and organizing a capable response team.
Progent offers a variety of services for protecting Chatsworth businesses from ransomware penetrations. These include user training to help staff recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of modern security gateways that use artificial intelligence to identify and block new cyber attacks. Progent also offers the services of seasoned ransomware recovery consultants with the skills and commitment to rebuild a compromised network as quickly as possible.
Progent's Ransomware Restoration Help
After a ransomware attack, even paying the ransom in cryptocurrency provides no assurance that the attackers will deliver the keys needed to decrypt your data. Kaspersky Labs estimated that 17% of ransomware victims never recovered their files even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the usual ransomware demand, which ZDNET determined to be around $13,000 for smaller businesses. The fallback is to piece back together the essential components of your Information Technology environment. Without access to full system backups, this calls for a broad complement of IT skills, well-coordinated project management, and the ability to work 24x7 until the recovery project is done.
For twenty years, Progent has provided professional IT services for companies across the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have earned high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications.) Progent also has expertise in financial systems and ERP applications. This breadth of expertise gives Progent the capability to knowledgeably understand important systems, reorganize the surviving parts of your IT environment following a crypto-ransomware attack, and assemble them into an operational system.
Progent's recovery team uses top-notch project management applications to coordinate the complicated recovery process. Progent appreciates the importance of working quickly and in unison with a customer's management and Information Technology resources to prioritize tasks and get key services back online as soon as possible.
Customer Story: A Successful Ransomware Penetration Restoration
A business sought out Progent after its organization was taken over by the Ryuk ransomware virus. Ryuk is generally believed to have been developed by North Korean state-sponsored criminal gangs, possibly adopting algorithms leaked from the U.S. National Security Agency. Ryuk targets specific organizations with limited tolerance for disruption and is among the most profitable incarnations of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturer based in Chicago with about 500 employees. The Ryuk intrusion had shut down all company operations and manufacturing capabilities. Most of the client's system backups had been online at the start of the attack and were eventually encrypted. The client considered paying the ransom (in excess of two hundred thousand dollars) and hoping for good luck, but in the end called Progent.
"I can't thank you enough in regards to the support Progent gave us during the most fearful period of (our) business's existence. We most likely would have paid the hackers behind this attack if not for the confidence the Progent group gave us. That you could get our e-mail system and production applications back in less than a week was beyond my wildest dreams. Every single consultant I spoke to or messaged at Progent was amazingly focused on getting us restored and was working 24/7 to bail us out."
Progent worked with the client to rapidly understand and prioritize the mission-critical services that needed to be recovered in order to resume departmental functions:
- Microsoft Active Directory
To get going, Progent followed ransomware incident response best practices by halting the spread and disinfecting systems. Progent then began rebuilding Microsoft Active Directory (AD), the foundation of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not operate without Windows AD, and the business's accounting and MRP system relied on Microsoft SQL Server, which requires Active Directory for access to the database.
In less than 48 hours, Progent was able to rebuild Active Directory to its pre-attack state. Progent then initiated reinstallations and hard drive recovery for the needed applications. All Microsoft Exchange Server data and configuration information were intact, which accelerated the restoration of Exchange. Progent was also able to locate non-encrypted OST files (Microsoft Outlook Offline Folder Files) on user desktop computers in order to recover mail data. A reasonably recent offline backup of the client's financials/MRP software allowed these vital applications to be brought back into service. Although a great deal of work remained to recover completely from the Ryuk event, core services were returned to operation rapidly:
"For the most part, the production line operation never missed a beat and we produced all customer sales."
Over the following few weeks, key milestones in the recovery process were reached through close collaboration between Progent team members and the customer:
- Internal web sites were brought back up with no loss of data.
- The MailStore archive for Exchange Server, holding more than four million historical emails, was brought back online and made available to users.
- CRM, customer orders, invoicing, accounts payable (AP), accounts receivable (AR), and inventory functions were fully recovered.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- Ninety percent of the desktop computers were back in operation.
"Much of what was accomplished that first week is nearly entirely a fog for me, but my management will not soon forget the commitment all of your team accomplished to give us our business back. I've entrusted Progent for the past ten years, possibly more, and each time Progent has shined and delivered. This time was a life saver."
A potentially business-killing catastrophe was averted through the efforts of dedicated experts, a broad array of technical expertise, and tight collaboration. Post-incident analysis showed that the ransomware penetration described here should have been identified and stopped by advanced cyber security solutions and recognized best practices, team training, and well-designed incident response procedures for data backup and patching controls. The reality, however, is that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and are not going away. If you do get hit by a ransomware attack, remember that Progent's team of experts has extensive experience in crypto-ransomware blocking, removal, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), I'm grateful for making it so I could get rested after we got over the initial push. Everyone did an impressive effort, and if anyone is visiting the Chicago area, a great meal is on me!"
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)