Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become an escalating cyber pandemic and an existential threat to businesses of any size that are poorly prepared for an attack. Older strains such as Reveton, Fusob, Bad Rabbit, SamSam and MongoLock have circulated for years and still cause damage. Newer families like Ryuk, Maze, Sodinokibi (REvil), Netwalker, Snatch and Nefilim, plus others not yet named, not only encrypt online files but also seek out and encrypt every backup they can reach over the network. Data synced to an off-site disaster recovery site can be encrypted as well, because replication faithfully copies the encrypted files over the good ones. In a poorly architected environment this renders restore operations useless and effectively sets the datacenter back to zero.
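The architectural point above, that a replica is not a backup, is easy to see in a small simulation. The following Python is an added example, not code from Progent or from this page; the file share, the "encryption" step (a stand-in, not Ryuk's real algorithm) and the backup repository are constructed for illustration. It models a production server, a DR site that mirrors it, and a versioned backup target whose snapshots the protected server cannot delete, then checks which copies survive an attack.

```python
"""Constructed simulation: mirror replication versus immutable versioned backups."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample data: a small file share as it looks before the attack.
CLEAN_SHARE: Dict[str, bytes] = {
    "finance/ledger.xlsx": b"Q3 ledger",
    "mrp/orders.db": b"open orders",
}


@dataclass
class Site:
    """A file server or a DR replica: a writable mapping of path -> contents."""
    files: Dict[str, bytes] = field(default_factory=dict)


def sync_mirror(src: Site, dst: Site) -> None:
    """One-way mirror (rsync --delete style): dst becomes identical to src,
    so whatever happened to src, including encryption, is copied across."""
    dst.files = dict(src.files)


class VersionedRepo:
    """Backup target that keeps immutable snapshots. The protected server can
    add snapshots but cannot delete or rewrite old ones (the property that
    vendor 'immutable' or object-lock backup storage provides)."""

    def __init__(self) -> None:
        self._snapshots: List[Dict[str, bytes]] = []

    def snapshot(self, src: Site) -> int:
        self._snapshots.append(dict(src.files))
        return len(self._snapshots) - 1

    def delete_snapshot(self, index: int) -> None:
        # Hypothetical policy for this example: nothing may delete history.
        raise PermissionError("snapshots are immutable until retention expires")

    def restore(self, index: int) -> Dict[str, bytes]:
        return dict(self._snapshots[index])


def simulate_encryption(site: Site, key: int = 0x5A) -> None:
    """Stand-in for the ransomware's encryption step: XOR every byte and
    append a constructed extension. Not the real Ryuk algorithm."""
    site.files = {
        path + ".locked": bytes(b ^ key for b in data)
        for path, data in site.files.items()
    }


def is_recoverable(files: Dict[str, bytes]) -> bool:
    """True when every file still has its original name and contents."""
    return files == CLEAN_SHARE


def run_scenario() -> Dict[str, bool]:
    prod, dr, repo = Site(dict(CLEAN_SHARE)), Site(), VersionedRepo()
    sync_mirror(prod, dr)           # nightly DR replication
    good = repo.snapshot(prod)      # nightly backup taken before the attack

    simulate_encryption(prod)       # attacker encrypts the share ...
    sync_mirror(prod, dr)           # ... and the next replication copies the damage
    bad = repo.snapshot(prod)       # the post-attack backup is encrypted too

    try:
        repo.delete_snapshot(good)  # attacker tries to destroy backup history
        deleted = True
    except PermissionError:
        deleted = False

    return {
        "dr_recoverable": is_recoverable(dr.files),
        "latest_snapshot_recoverable": is_recoverable(repo.restore(bad)),
        "older_snapshot_recoverable": is_recoverable(repo.restore(good)),
        "attacker_deleted_history": deleted,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Two things fall out of the run: the DR mirror and the most recent snapshot are both worthless, because they were taken after the encryption, and only the older snapshot in a repository the compromised server could not prune is usable. Retention therefore has to exceed the attacker's dwell time, and the backup store has to reject deletes from the very credentials the attacker now holds.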
Recovering applications and data after a ransomware event becomes a race against time as the victim works to contain and clean up the ransomware and to restore business-critical activity. Because ransomware needs time to spread, attacks are frequently launched on weekends, when a successful intrusion may take longer to discover. That timing also makes it harder to promptly mobilize and coordinate an experienced response team.
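The spread phase described above is also the detection opportunity: a single account renaming and rewriting hundreds of files in a minute, at 2 a.m. on a Saturday, looks nothing like normal activity. The following Python is an added example, not Progent's tooling or anything from this page. It runs a sliding-window detector over a constructed sample of file-server audit events (the accounts, paths and timestamps are made up), flags any account whose extension-changing renames exceed a threshold within a window, and escalates severity when the burst happens outside business hours or on a weekend.

```python
"""Constructed example: burst-rename detector for file-server audit events."""
from collections import defaultdict, deque
from datetime import datetime
from pathlib import PureWindowsPath
from typing import Deque, Dict, List, Optional, Tuple

# (ISO timestamp, account, operation, path, new path for renames else None).
# Constructed sample; a real feed would be Windows file-share auditing or an EDR agent.
Event = Tuple[str, str, str, str, Optional[str]]
SAMPLE_EVENTS: List[Event] = [
    # Friday afternoon: ordinary activity, including one legitimate rename.
    ("2019-06-14T15:12:07", "CORP\\jdoe", "write", r"\\fs01\finance\ledger.xlsx", None),
    ("2019-06-14T15:13:40", "CORP\\jdoe", "rename", r"\\fs01\finance\draft.docx", r"\\fs01\finance\draft.pdf"),
] + [
    # Saturday 02:07: 25 extension-changing renames from one account in 25 seconds.
    (f"2019-06-15T02:07:{i:02d}", "CORP\\mrp_admin", "rename",
     rf"\\fs01\mrp\orders_{i:03d}.db", rf"\\fs01\mrp\orders_{i:03d}.db.locked")
    for i in range(25)
] + [
    ("2019-06-15T02:30:00", "CORP\\svc_backup", "write", r"\\fs01\backups\nightly.vbk", None),
]

BURST_THRESHOLD = 20   # extension-changing renames per account per window
WINDOW_SECONDS = 60    # tuning assumptions for this example, not measured values


def severity(t: datetime) -> str:
    """Escalate bursts on weekends or outside 07:00-18:00, when response is slowest."""
    off_hours = t.weekday() >= 5 or not (7 <= t.hour < 18)
    return "critical" if off_hours else "high"


def extension_changed(old: str, new: str) -> bool:
    """PureWindowsPath handles UNC paths regardless of the host OS."""
    return PureWindowsPath(old).suffix.lower() != PureWindowsPath(new).suffix.lower()


def sliding_window_alerts(events: List[Event],
                          threshold: int = BURST_THRESHOLD,
                          window: int = WINDOW_SECONDS) -> List[Dict[str, object]]:
    """Return one alert per account whose extension-changing renames within
    `window` seconds reach `threshold`. Events are processed in time order."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: Dict[str, Dict[str, object]] = {}
    for ts, account, op, path, new_path in sorted(events, key=lambda e: e[0]):
        if op != "rename" or new_path is None or not extension_changed(path, new_path):
            continue
        t = datetime.fromisoformat(ts)
        q = recent[account]
        q.append(t)
        while (t - q[0]).total_seconds() > window:   # drop events outside the window
            q.popleft()
        if len(q) >= threshold and account not in alerts:
            alerts[account] = {
                "account": account,
                "first_seen": q[0].isoformat(),
                "count": len(q),
                "severity": severity(t),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in sliding_window_alerts(SAMPLE_EVENTS):
        print(alert)
```

In production the alert would feed an automated response (disable the account, block the host's SMB sessions) rather than a print, and the threshold should be tuned against a baseline of the share's normal rename rate so that legitimate bulk operations, such as a migration script run by a service account, do not trip it.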
Progent offers a range of services for protecting Clearwater businesses from ransomware attacks. These include user training to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern endpoint security solutions that use machine learning to detect and block zero-day attacks automatically. Progent also offers the services of seasoned ransomware recovery professionals with the skill and persistence to rebuild a breached network as quickly as possible.
Progent's Crypto-Ransomware Recovery Services
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminals will hand over the keys needed to decrypt any or all of your data. Kaspersky Lab found that 17% of ransomware victims who paid never recovered their data, compounding their losses. Paying is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at about $13,000 for small organizations. The alternative is to rebuild the key components of your IT environment. Without complete, uncompromised backups this requires a broad range of IT skills, professional project management, and the willingness to work around the clock until the job is done.
For twenty years, Progent has provided certified expert IT services to companies across the United States and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants with top-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's security engineers hold internationally recognized certifications including CISA, CISSP, CRISC, and SANS GIAC (see Progent's certifications). Progent also has expertise with financial management and ERP applications. This breadth of expertise lets Progent quickly identify the critical systems, reorganize the surviving components of your network after a ransomware event, and assemble them into a functioning environment.
Progent's recovery team uses proven project management tools to coordinate the complex recovery process. Progent understands the urgency of acting quickly and works with the customer's management and IT staff to prioritize tasks and bring key systems back online as soon as humanly possible.
Customer Case Study: A Successful Crypto-Ransomware Incident Restoration
A regional manufacturing company engaged Progent after its network was hit by the Ryuk ransomware. Ryuk was initially linked to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, but subsequent research attributed it to a Russian-speaking criminal group. Ryuk is deployed by hand against specific companies with little or no tolerance for operational disruption, and it is one of the most profitable ransomware operations on record. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is headquartered in Chicago and has about 500 employees. The Ryuk attack had halted all company operations and manufacturing. Most of the client's backups had been online when the intrusion began and were eventually encrypted. The client considered paying the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.
"I can't say enough in regards to the help Progent gave us during the most stressful period of (our) company's survival. We would have paid the cybercriminals if it wasn't for the confidence the Progent experts provided us. The fact that you could get our e-mail and essential servers back on-line in less than a week was something I thought impossible. Every single expert I spoke to or messaged at Progent was totally committed to getting our company operational and was working 24/7 on our behalf."
Progent worked with the customer to quickly understand and prioritize the key areas that had to be addressed before departmental functions could resume:
First, Progent followed incident containment best practices: isolating affected systems to halt the spread and cleaning up infected machines. Progent then began recovering Microsoft Active Directory, the heart of environments built on Windows Server. Exchange Server email cannot run without AD, and the client's financial and MRP software ran on SQL Server, which depended on Active Directory to authenticate access to the data.
- Windows Active Directory
Within two days, Progent restored Active Directory to its pre-intrusion state. Progent then performed reinstallations and disk recovery on the servers that needed it. The Exchange Server data and configuration were intact, which simplified the Exchange restore. Progent was also able to collect unencrypted OST files (Outlook offline data files) from staff desktops to recover mail messages. A reasonably recent offline backup of the customer's accounting/MRP software made it possible to bring those essential applications back online. Although much work remained to recover fully from the Ryuk event, essential services were returned to operation quickly:
"For the most part, the production operation showed little impact and we made all customer sales."
Over the following weeks, key milestones in the recovery project were reached through close cooperation between Progent team members and the customer:
- Internal web sites were restored with no loss of data.
- The MailStore email archive server, holding more than 4 million archived messages, was restored and made accessible to users.
- CRM, product ordering, invoicing, accounts payable, accounts receivable (AR) and inventory functions were fully operational.
- A new Palo Alto Networks PA-850 firewall was installed.
- Most desktop computers were back in operation.
"A huge amount of what happened that first week is nearly entirely a haze for me, but we will not forget the commitment all of your team put in to give us our business back. I have been working together with Progent for at least 10 years, possibly more, and every time Progent has shined and delivered. This time was a life saver."
A potentially business-ending disaster was averted through results-oriented professionals, a broad spectrum of technical expertise, and close collaboration. Post-incident forensics showed that the attack described here could have been detected and prevented with modern security tooling and best practices, user education, and well-defined procedures for backups and patching. Even so, ransomware operators, whether state-sponsored or criminal, are relentless and will keep attacking. If you do fall victim to a ransomware attack, remember that Progent's team has extensive experience in ransomware prevention, removal, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were helping), thank you for allowing me to get rested after we got over the most critical parts. All of you made an impressive effort, and if any of your team is visiting the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To review or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)