Ransomware: Your Crippling Information Technology Nightmare
Ransomware has become an all-too-frequent cyberplague that presents an extinction-level threat for vulnerable businesses of all sizes. Ransomware families such as Reveton, Fusob, Locky, NotPetya and MongoLock have been circulating for many years and continue to cause havoc. More recent strains like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Egregor, plus as yet unnamed newcomers, not only encrypt online data but also seek out and disable whatever system protections they can reach. Files synched to the cloud can be rendered useless as well. In a poorly architected environment, this can defeat any restore operation and effectively knock the datacenter back to zero.
Recovering services and data after a crypto-ransomware outage becomes a race against time as the targeted organization struggles to contain and remove the ransomware and restore business-critical activity. Because ransomware takes time to spread, attacks are frequently launched on weekends and at night, when intrusions tend to take longer to discover. This multiplies the difficulty of quickly assembling and coordinating a qualified response team.
Progent offers a range of services for protecting Cleveland enterprises from ransomware attacks. Among these are staff education to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of current-generation security solutions that use machine learning to automatically detect and quarantine zero-day threats. Progent also provides veteran crypto-ransomware recovery professionals with the track record and commitment to rebuild a breached network as quickly as possible.
Progent's Ransomware Recovery Help
After a ransomware attack, even paying the ransom demand in Bitcoin provides no assurance that the criminals will hand over the keys to decrypt any or all of your files. Kaspersky Labs determined that 17% of ransomware victims never recovered their files after paying the ransom, compounding their losses. Paying is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET estimated at around $13,000 for smaller organizations. The alternative is to piece the critical elements of your IT environment back together. Without full system backups available, this calls for a wide range of skills, professional project management, and the ability to work non-stop until the recovery project is finished.
For two decades, Progent has provided expert Information Technology services to businesses throughout the US and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who hold advanced industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists hold internationally recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial systems and ERP applications. This breadth of expertise gives Progent the skills to knowledgeably identify critical systems, organize the surviving parts of your IT environment following a ransomware event, and assemble them into a working system.
Progent's security team uses robust project management systems to orchestrate the complex recovery process. Progent understands the urgency of acting quickly and works together with a client's management and IT staff to prioritize tasks and bring key services back on-line as fast as possible.
Customer Story: A Successful Ransomware Attack Recovery
A client escalated to Progent after their company was brought down by the Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean government-sponsored criminal gangs, suspected of adopting techniques leaked from the U.S. National Security Agency. Ryuk targets specific organizations with little or no tolerance for operational disruption and is among the most lucrative ransomware strains. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer based in Chicago with about 500 staff members. The Ryuk attack had paralyzed all essential business and manufacturing operations. The majority of the client's system backups had been on-line at the time of the intrusion and were encrypted. The client considered paying the ransom demand (exceeding $200K) and hoping for the best, but in the end decided to engage Progent.
"I can't tell you enough in regards to the expertise Progent gave us throughout the most critical time of (our) business's survival. We would have paid the cyber criminals if it wasn't for the confidence the Progent group afforded us. That you could get our messaging and critical servers back on-line quicker than 1 week was amazing. Each person I interacted with or messaged at Progent was absolutely committed to getting us operational and was working 24/7 on our behalf."
Progent worked hand in hand with the customer to rapidly assess and prioritize the critical applications that had to be recovered in order to resume departmental functions:
- Microsoft Active Directory
- Exchange Server
- MRP System
To begin, Progent followed industry best practices for malware incident mitigation by halting lateral movement and removing active malware. Progent then started restoring Microsoft Active Directory, the foundation of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not operate without Windows AD, and the business's MRP system used Microsoft SQL Server, which relies on Windows AD for authorization to the database.
Within two days, Progent had restored Active Directory services to their pre-attack state. Progent then pressed ahead with reinstallations and hard drive recovery for the critical applications. All Microsoft Exchange Server data and attributes were usable, which greatly simplified the Exchange restore. Progent was able to locate intact OST files (Outlook Off-Line Data Files) on staff workstations to recover mail messages. A relatively recent off-line backup of the customer's manufacturing software made it possible to bring these vital applications back to users. Although a great deal of work remained to recover fully from the Ryuk event, essential services were returned to operation quickly:
"For the most part, the production line operation survived unscathed and we made all customer shipments."
During the following few weeks key milestones in the restoration process were accomplished in close cooperation between Progent consultants and the customer:
- Internal web sites were restored with no loss of information.
- The MailStore Microsoft Exchange Server with over four million historical emails was restored to operations and available for users.
- CRM/Product Ordering/Invoicing/AP/Accounts Receivables/Inventory Control modules were fully operational.
- A new Palo Alto Networks 850 security appliance was brought on-line.
- 90% of the user PCs were functioning as before the incident.
"A lot of what occurred in the early hours is nearly entirely a fog for me, but I will not soon forget the urgency each of you accomplished to help get our company back. I have trusted Progent for the past ten years, maybe more, and each time I needed help Progent has shined and delivered. This time was a stunning achievement."
A potential business-ending catastrophe was averted through top-tier professionals, a wide array of knowledge, and tight teamwork. Although post-incident forensics showed that the intrusion described here could have been stopped with modern security solutions, NIST Cybersecurity Framework best practices, staff training, and well thought out incident response procedures covering data backup and patching controls, the fact is that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware attack, rest assured that Progent's roster of professionals has proven experience in ransomware defense, removal, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were contributing), I'm grateful for letting me get some sleep after we got past the most critical parts. All of you did an incredible job, and if anyone is around the Chicago area, dinner is on me!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this case study, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)