Ransomware: Your Feared Information Technology Nightmare
Crypto-ransomware has become a modern cyber plague that represents an existential danger for businesses poorly prepared for an attack. Older strains such as CrySIS, WannaCry, Bad Rabbit, NotPetya and MongoLock have been around for years and still cause harm. More recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, along with new variants that have not yet been named, not only encrypt on-line data but also seek out and encrypt or delete any backups and shadow copies they can reach. Data synced to the cloud can be corrupted as well, because the encrypted files are replicated just like any other change. In a poorly architected data protection solution this makes automated restore operations impossible and effectively knocks the network back to square one.
Recovering programs and data after a ransomware attack becomes a sprint against the clock as the victim tries to contain the damage, clean up the malware, and restore mission-critical activity. Because crypto-ransomware needs time to spread, attacks are usually launched at night or on weekends, when they may take longer to detect. This compounds the difficulty of quickly assembling and orchestrating a qualified mitigation team.
Progent offers a range of services for protecting Chesapeake businesses from crypto-ransomware incidents. These include staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security solutions that use artificial intelligence to rapidly identify and quarantine new threats. Progent also provides seasoned ransomware recovery engineers with the skill and perseverance to rebuild a compromised system as quickly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware attack, even paying the ransom in Bitcoin does not guarantee that the criminals will hand over the keys to decrypt any or all of your files. Kaspersky estimated that seventeen percent of crypto-ransomware victims never recovered their data even after paying, compounding their losses. The ransom itself is also costly. Ryuk demands often range from 15 to 40 BTC (between $120,000 and $400,000), far above the typical ransomware demand, which ZDNet estimated at about $13,000 for smaller businesses. The fallback is to rebuild the vital parts of your IT environment from scratch. Without usable system backups, this requires a broad range of IT skills, professional project management, and the capacity to work around the clock until the job is done.
For two decades, Progent has offered professional IT services to businesses across the US and has earned Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who hold high-level certifications in key technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's security experts hold internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise in financial systems and ERP applications. This breadth of expertise allows Progent to quickly identify the critical systems in your IT environment after a crypto-ransomware penetration, organize the remaining pieces, and rebuild them into a functioning whole.
Progent's recovery team uses top-notch project management tools to orchestrate the complex restoration process. Progent understands the importance of acting quickly and in concert with a client's management and IT staff to prioritize tasks and bring critical applications back on-line as fast as humanly possible.
Client Story: A Successful Crypto-Ransomware Intrusion Recovery
A manufacturing business contacted Progent after being penetrated by Ryuk crypto-ransomware. Ryuk was initially attributed to North Korean state actors because it shares code with the Hermes ransomware, but subsequent analysis attributes it to a financially motivated, Russian-speaking criminal group. Ryuk targets specific organizations with little tolerance for downtime and is one of the most profitable ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturer in the Chicago area with around 500 employees. The Ryuk event had halted all company operations and manufacturing processes. Most of the client's data backups had been online when the attack began and were encrypted along with everything else. The client considered paying the ransom demand (over $200,000) and hoping for the best, but instead brought in Progent.
"I can't speak enough about the help Progent provided us during the most critical period of (our) business's existence. We would have paid the cyber criminals behind the attack except for the confidence the Progent experts gave us. That you could get our e-mail system and production servers back on-line sooner than seven days was beyond my wildest dreams. Each consultant I spoke to or communicated with at Progent was totally committed to getting my company operational and was working at all hours on our behalf."
Progent worked hand in hand with the client to rapidly assess and prioritize the key elements that had to be recovered before company operations could restart:
- Microsoft Active Directory
- Microsoft Exchange Server
To start, Progent followed industry best practices for malware incident response by isolating and cleaning the compromised systems. Progent then began rebuilding Active Directory, the foundation of enterprise networks built on Microsoft Windows. Microsoft Exchange will not function without Active Directory, and the business's accounting and MRP system ran on Microsoft SQL Server, which used Windows AD for authentication to the databases.
In less than two days, Progent restored Active Directory to its pre-penetration state. Restoring AD from a pre-intrusion backup also restores any credentials the attackers had already harvested, so a recovery of this kind must include resetting every privileged account and the krbtgt account (twice) before the rebuilt domain is trusted. Progent then assisted with reinstallations and storage recovery on the required systems. All Microsoft Exchange Server schema and configuration information was intact, which accelerated the Exchange rebuild. Progent collected unencrypted OST files (Outlook offline data files) from staff desktops to recover mailbox contents. A recent offline backup of the client's financial/ERP system made it possible to bring these essential applications back to users. Although major work remained to recover completely from the Ryuk damage, critical systems were returned to operation quickly:
"For the most part, the production line operation was never shut down and we delivered all customer deliverables."
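The OST-harvesting step described above works because Outlook keeps a full offline copy of each mailbox on the workstation, and a file the ransomware never reached still holds that data. The script below is an added example (not Progent's tooling, and not part of the original case study) of how a responder might triage candidate Outlook data files across a collected file tree: it checks each file for the MS-PST header magic "!BDN" at offset 0, which ransomware that encrypts a file in place overwrites, and backs that up with a byte-entropy estimate over the first 64 KiB. It matches ".ost" and ".pst" anywhere in the file name so that files renamed with an appended ransomware extension are still found. The sample directory tree, file names and file contents are constructed for the demonstration; the entropy threshold of 7.5 bits per byte is an assumed heuristic.

```python
"""Triage Outlook OST/PST files after a ransomware event.

Added example, not Progent's tooling. A file whose MS-PST header magic
"!BDN" (bytes 0x21 0x42 0x44 0x4E) is intact is worth collecting for
mailbox recovery; a file without it and with near-random content was
probably encrypted. Sample data below is constructed for the demo.
"""
import math
import os
import tempfile
from pathlib import Path

PST_MAGIC = b"!BDN"        # dwMagic from the MS-PST specification, offset 0
SAMPLE_BYTES = 64 * 1024   # how much of each file to sample for entropy
ENTROPY_THRESHOLD = 7.5    # assumed heuristic: > 7.5 bits/byte looks like ciphertext


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given sample (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_ost(path) -> dict:
    """Read the head of one candidate file and return a triage record."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    has_magic = head[:4] == PST_MAGIC
    entropy = shannon_entropy(head)
    if has_magic:
        verdict = "intact"            # header survived; collect for recovery
    elif entropy > ENTROPY_THRESHOLD:
        verdict = "likely-encrypted"  # header gone and content is near-random
    else:
        verdict = "unknown"           # header gone but not random: truncated, not an OST, etc.
    return {"path": str(path), "magic": has_magic,
            "entropy": round(entropy, 2), "verdict": verdict}


def scan_for_outlook_files(root, markers=(".ost", ".pst")):
    """Walk a collected file tree and triage every Outlook data file found.

    Matches the marker anywhere in the name (not only as the suffix) so a file
    renamed to e.g. 'user.ost.<ransom-ext>' is still picked up.
    """
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if any(m in name.lower() for m in markers):
                results.append(classify_ost(os.path.join(dirpath, name)))
    return results


def build_demo_tree() -> Path:
    """Constructed sample data: one intact-looking OST and one 'encrypted' one."""
    root = Path(tempfile.mkdtemp(prefix="ost-triage-"))
    intact = root / "alice" / "alice@example.com.ost"
    intact.parent.mkdir(parents=True)
    # header magic followed by low-entropy filler standing in for mailbox data
    intact.write_bytes(PST_MAGIC + b"\x00" * 508 + b"mailbox data " * 1000)
    encrypted = root / "bob" / "bob@example.com.ost"
    encrypted.parent.mkdir(parents=True)
    encrypted.write_bytes(os.urandom(SAMPLE_BYTES))  # random bytes stand in for ciphertext
    return root


if __name__ == "__main__":
    for record in scan_for_outlook_files(build_demo_tree()):
        print(record)
```

An intact header is necessary but not sufficient: some ransomware encrypts only part of each file, so header-intact files should still be opened with Outlook or ScanPST before they are relied on. Run the triage against a copy of the collected files, never the originals, and keep the originals as evidence.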
Over the next few weeks, important milestones in the recovery project were reached in close cooperation between Progent team members and the customer:
- Internal web sites were returned to operation with no loss of data.
- The MailStore email archive, holding more than 4 million historical Exchange messages, was brought back online and made available to users.
- CRM/Product Ordering/Invoicing/AP/AR/Inventory Control modules were fully restored.
- A new Palo Alto Networks PA-850 firewall was installed.
- Most user desktops and notebooks were working as they had before the incident.
"Much of what transpired during the initial response is nearly entirely a blur for me, but we will not forget the care each of your team accomplished to help get our business back. I've been working with Progent for the past ten years, maybe more, and each time Progent has impressed me and delivered as promised. This event was a stunning achievement."
A probable business catastrophe was averted through hard-working experts, a broad spectrum of knowledge, and tight collaboration. In hindsight, the incident described here would have been detected and stopped by up-to-date security technology, security best practices, staff education, and sound procedures for data backup and security patching. Still, well-resourced criminal and state-sponsored groups based in Russia, China and elsewhere are relentless and remain an ongoing threat. If you are hit by a crypto-ransomware incident, remember that Progent's team has a proven track record in crypto-ransomware blocking, mitigation, and data restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), I'm grateful for allowing me to get some sleep after we made it over the initial fire. All of you did a fabulous effort, and if anyone is in the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)