Ransomware: Your Crippling Information Technology Nightmare
Ransomware has become an escalating cyberplague that poses an extinction-level threat to organizations poorly prepared for an attack. Older families of ransomware such as the CrySIS, Fusob, Locky, SamSam and MongoLock cryptoworms have been propagating for a long time and continue to inflict damage. More recent variants such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, along with unnamed newcomers, not only encrypt critical online data but also attack any reachable system-protection mechanisms, including backups. Information replicated to off-site disaster recovery sites can be encrypted as well. In a vulnerable environment this can make automated restoration impossible and effectively resets the network to zero.
Recovering applications and data after a ransomware outage becomes a race against the clock as the targeted organization fights to contain and eradicate the ransomware and to resume business-critical operations. Because ransomware needs time to spread, attacks are usually launched at night, when a successful intrusion typically takes longer to recognize. This makes it even harder to promptly assemble and organize a capable mitigation team.
Progent offers a range of services for protecting Cleveland businesses from ransomware intrusions. These include staff training to recognize and avoid phishing scams, and ProSight Active Security Monitoring (ASM), an endpoint detection and response service built on SentinelOne's AI-based threat defense, to identify and contain zero-day malware attacks. Progent also provides experienced ransomware recovery engineers with the track record and commitment to restore a compromised network as quickly as possible.
Progent's Ransomware Recovery Help
After a ransomware attack, paying the ransom in Bitcoin provides no assurance that the attackers will hand over the keys needed to decrypt any of your data. Kaspersky determined that 17% of ransomware victims never recovered their information even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than typical ransomware demands, which ZDNET estimated at around $13,000 for small businesses. The alternative is to rebuild the mission-critical components of your IT environment from scratch. Without complete data backups, this calls for a broad set of skills, well-coordinated project management, and the capacity to work 24x7 until the job is done.
For two decades, Progent has provided expert Information Technology services to businesses across the United States and has achieved Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals holding top certifications in key technologies including Microsoft, Cisco, VMware, and major Linux distributions. Progent's security specialists have earned internationally recognized certifications including CISA, CISSP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial systems and ERP applications. This breadth of experience allows Progent to quickly identify critical systems, integrate the surviving components of your network following a ransomware intrusion, and assemble them into a functioning environment.
Progent's recovery team uses best-of-breed project management systems to orchestrate the complex recovery process. Progent understands the importance of working swiftly and in concert with a customer's management and IT staff to prioritize tasks and bring key applications back online as fast as possible.
Business Case Study: A Successful Crypto-Ransomware Attack Restoration
A client contacted Progent after their organization was attacked by Ryuk ransomware. Ryuk is believed to have been launched by North Korean government-sponsored hackers, possibly adopting technology leaked from the U.S. NSA. Ryuk targets specific businesses with little tolerance for disruption and is one of the most profitable ransomware strains. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company based in the Chicago metro area with about 500 employees. The Ryuk incident had paralyzed all business operations and manufacturing processes. Most of the client's data backups were directly accessible online when the attack began and were eventually encrypted. The client was arranging financing to pay the ransom (in excess of $200K) and hoping for the best, but ultimately decided to engage Progent.
"I cannot say enough in regards to the care Progent gave us throughout the most critical period of (our) company's survival. We had little choice but to pay the cyber criminals except for the confidence the Progent experts gave us. The fact that you could get our e-mail system and important applications back online in less than 1 week was beyond my wildest dreams. Every single person I talked with or messaged at Progent was hell bent on getting us working again and was working at breakneck pace on our behalf."
Progent worked hand in hand with the client to quickly understand and prioritize the key elements that had to be addressed in order to restart company operations:
- Microsoft Active Directory
To start, Progent followed anti-virus incident response best practices by halting the spread of the malware and cleaning up infected systems. Progent then began restoring Microsoft Active Directory, the heart of enterprise networks built on Microsoft technology. Exchange messaging will not function without Active Directory, and the client's financial and MRP software relied on Microsoft SQL Server, which requires Active Directory for access to the databases.
In less than 2 days, Progent rebuilt Active Directory to its pre-attack state. Progent then pressed ahead with rebuilding essential systems and recovering their storage. All Exchange connections and configuration information were intact, which accelerated the restoration of Exchange. Progent was able to collect intact OST files (Outlook Offline Folder Files) from various workstations and laptops to recover email data. A relatively recent offline backup of the customer's accounting systems made it possible to return these essential services to users. Although much work remained to recover fully from the Ryuk attack, the most important services were back in operation quickly:
"For the most part, the production operation survived unscathed and we did not miss any customer shipments."
Over the following month, key milestones in the restoration project were reached through close cooperation between Progent engineers and the client:
- Self-hosted web sites were restored without losing any data.
- The MailStore email archive for Microsoft Exchange, containing more than four million historical emails, was brought back online and made accessible to users.
- CRM, product ordering, invoicing, accounts payable, accounts receivable and inventory functions were fully operational.
- A new Palo Alto Networks 850 security appliance was installed.
- Ninety percent of user workstations were back in use by staff.
"A huge amount of what transpired in the initial days is mostly a haze for me, but my team will not forget the commitment each member of the team put in to give us our company back. I have trusted Progent for the past 10 years, possibly more, and each time Progent has impressed me and delivered. This event was a Herculean accomplishment."
A potentially business-killing disaster was averted by hard-working professionals, a wide range of subject matter expertise, and close teamwork. Although, in hindsight, the ransomware intrusion described here would have been blocked by current security solutions, ISO/IEC 27001 best practices, staff training, and well-thought-out procedures for backups and for keeping systems current with security patches, the fact remains that government-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and an ongoing threat. If you do fall victim to a ransomware attack, remember that Progent's roster of professionals has a proven track record in ransomware defense, mitigation, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were helping), thanks very much for allowing me to get some sleep after we got past the initial push. All of you made an impressive effort, and if anyone that helped is around the Chicago area, a great meal is on me!"
Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer story, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Consulting Services in Cleveland
For ransomware recovery expertise in the Cleveland metro area, call Progent at 800-462-8800 or go to Contact Progent.