Ransomware: Your Feared IT Nightmare
Ransomware has become an escalating cyber pandemic and an existential threat to any business that is vulnerable to an attack. Older families such as Reveton, WannaCry, Bad Rabbit, SamSam and MongoLock have been in circulation for years and still cause damage. Newer crypto-ransomware strains such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, along with a steady stream of as yet unnamed newcomers, not only encrypt online data files but also seek out and disable or destroy the victim's protection and recovery mechanisms, including online backups and snapshots. Data replicated to cloud environments can be ransomed as well. In a poorly architected environment this can make automatic restoration hopeless and effectively knocks the datacenter back to square one.
Bringing online services and data back after a ransomware event is a race against the clock: the victim must stop the spread, eradicate the ransomware and restore business-critical operations all at once. Because crypto-ransomware operators need time to move laterally before they trigger encryption, attacks are often sprung on weekends and at night, when they typically take longer to identify. This compounds the difficulty of promptly assembling and coordinating a knowledgeable response team.
Progent offers a range of services for protecting Corpus Christi enterprises from crypto-ransomware. These include employee training to recognize and avoid phishing scams, and ProSight Active Security Monitoring, an endpoint detection and response (EDR) service built on SentinelOne's behavior-based threat defense, which detects and quarantines zero-day malware. Progent also provides seasoned ransomware recovery professionals with the track record and perseverance to restore a compromised network as quickly as possible.
Progent's Crypto-Ransomware Restoration Help
After a ransomware attack, paying the ransom in cryptocurrency gives no assurance that the criminals will hand over keys that decrypt any, let alone all, of your data. Kaspersky Labs found that 17% of ransomware victims who paid never recovered their data, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet estimated at approximately $13,000 for small businesses. The alternative is to rebuild the essential elements of your IT environment. Without usable, complete backups, this requires a broad set of skills, professional project management, and the ability to work around the clock until recovery is complete.
For twenty years Progent has provided professional IT services to businesses across the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants with high-level certifications in Microsoft, Cisco and VMware technologies and in the major Linux distributions. Progent's cybersecurity consultants hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC and SANS GIAC (see Progent's certifications). Progent also has expertise in accounting and ERP application software. This breadth of experience lets Progent knowledgeably identify critical systems, consolidate the surviving pieces of your IT environment after a crypto-ransomware intrusion, and rebuild them into a working network.
Progent's ransomware team uses best-of-breed project management tools to orchestrate the complex restoration process. Progent understands the importance of working swiftly and in concert with a client's management and IT staff to prioritize tasks and bring essential services back online as soon as possible.
Business Case Study: A Successful Ransomware Incident Response
A customer engaged Progent after its network was brought down by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored hackers because it shares code with the Hermes ransomware; later analysis attributed it to a Russian-speaking criminal group. Ryuk targets specific companies with little or no tolerance for operational disruption and is among the most profitable ransomware operations. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in Chicago with around 500 employees. The Ryuk attack had frozen all company operations and manufacturing processes. Most of the client's backups were online and reachable from the compromised network when the attack began, and they were encrypted along with the production data. The client was considering paying the ransom (over $200,000) and hoping for the best, but ultimately engaged Progent instead.
"I cannot thank you enough for the support Progent gave us throughout the most fearful time of (our) business's survival. We would have paid the hackers if it wasn't for the confidence the Progent experts gave us. That you could get our e-mail and production servers back online in less than one week was incredible. Every single staff member I worked with or texted at Progent was totally committed to getting us restored and was working non-stop on our behalf."
Progent worked with the customer to quickly identify and prioritize the essential elements that had to be recovered before company operations could resume:
- Active Directory
- Microsoft Exchange email
Progent first followed incident response best practices by containing the spread and cleaning the malware off affected systems. Progent then began recovering Microsoft Active Directory, the core of an enterprise environment built on Windows. Exchange email will not function without Windows AD, and the customer's accounting and MRP system ran on SQL Server configured for Windows (AD) authentication to the database.
Within 48 hours Progent had rebuilt Active Directory to its pre-attack state. Progent then helped rebuild the most important servers and recover their storage. All Exchange Server schema and configuration data were intact, which simplified the Exchange restore. Progent located unencrypted OST files (Outlook Offline Data Files) on staff workstations and used them to recover mailbox contents. A recent offline backup of the customer's accounting/ERP systems made it possible to bring those applications back to users. Although much work remained to recover completely from the Ryuk event, core systems were restored rapidly:
"For the most part, the assembly line operation showed little impact and we did not miss any customer deliverables."
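The OST recovery step described above depends on knowing which workstation files are still intact before anyone spends time importing them. The following script is an added example, not Progent's tooling or anything from the case study: it walks a directory tree (in practice, collected copies of users' OST/PST files or mapped workstation drives), reads each file's header and sorts files into recoverable versus damaged, using the fact that a valid Outlook OST/PST file begins with the magic string "!BDN" and carries a format version number at byte offset 10, as documented in the public MS-PST specification. The sample files it creates in a temporary directory are constructed for the demonstration; the user names and paths are placeholders.

```python
"""Triage Outlook OST/PST files after a ransomware event.

Added example (not Progent's code). A genuine OST/PST file starts with the
4-byte magic "!BDN" and has a 2-byte little-endian version field (wVer) at
offset 10 (see the public [MS-PST] file format specification). A file whose
first bytes have been overwritten is not worth importing into a rebuilt
mailbox; one that still carries the magic is a recovery candidate.
"""
import os
import struct
import tempfile

PST_MAGIC = b"!BDN"     # MS-PST: dwMagic at offset 0
OFFSET_WVER = 10        # MS-PST: wVer, 2 bytes little-endian, at offset 10
# Values named in [MS-PST]; OST files written by newer Outlook versions may
# carry other values, which the script reports as "unknown format version".
WVER_NAMES = {14: "ANSI", 15: "ANSI", 23: "Unicode"}


def classify(path):
    """Return (status, detail) for one file.

    status is 'intact' (magic present), 'damaged' (magic missing, e.g. the
    header was overwritten by encryption) or 'too-short' (truncated file).
    """
    with open(path, "rb") as fh:
        header = fh.read(16)
    if len(header) < 16:
        return ("too-short", "file shorter than the 16-byte header prefix")
    if header[:4] != PST_MAGIC:
        return ("damaged", "magic bytes %r instead of %r" % (header[:4], PST_MAGIC))
    wver = struct.unpack_from("<H", header, OFFSET_WVER)[0]
    return ("intact", "wVer=%d (%s)" % (wver, WVER_NAMES.get(wver, "unknown format version")))


def triage(root):
    """Walk root, classify every .ost/.pst file, return {status: [paths]}."""
    results = {"intact": [], "damaged": [], "too-short": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".ost", ".pst")):
                continue
            path = os.path.join(dirpath, name)
            status, _detail = classify(path)
            results[status].append(path)
    return results


def build_sample_tree():
    """Create a constructed sample tree (placeholder users, not real mailboxes)."""
    root = tempfile.mkdtemp(prefix="ost-triage-")

    # 1. A minimal header that looks like an intact Unicode OST/PST file.
    intact = bytearray(64)
    intact[:4] = PST_MAGIC
    struct.pack_into("<H", intact, OFFSET_WVER, 23)
    good = os.path.join(root, "alice", "alice@example.com.ost")
    os.makedirs(os.path.dirname(good))
    with open(good, "wb") as fh:
        fh.write(intact)

    # 2. A file whose header bytes were overwritten (stand-in for an encrypted file).
    bad = os.path.join(root, "bob", "bob@example.com.ost")
    os.makedirs(os.path.dirname(bad))
    with open(bad, "wb") as fh:
        fh.write(bytes(range(0x80, 0xC0)))

    # 3. A truncated file: magic present but no complete header.
    stub = os.path.join(root, "carol", "carol@example.com.pst")
    os.makedirs(os.path.dirname(stub))
    with open(stub, "wb") as fh:
        fh.write(PST_MAGIC)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for status, paths in triage(sample_root).items():
        for p in paths:
            print("%-9s %s  (%s)" % (status, p, classify(p)[1]))
```

Two caveats for real use. The extension filter only catches files that still end in .ost or .pst; ransomware that renames files as it encrypts them will leave them outside this scan, so widen the filter (or drop it and rely on the header check alone) when triaging a collected file set. And an intact header only proves the first bytes survived; files the ransomware was still processing when it was stopped can have a good header and damaged contents, so the import step should still be run against a copy, never the only surviving instance.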
During the next few weeks important milestones in the restoration project were accomplished in close cooperation between Progent engineers and the client:
- In-house web sites were brought back up without any loss of data.
- The MailStore email archive server, containing more than 4 million historical emails, was restored to operation and made accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivable (AR)/Inventory modules were 100% functional.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- 90% of user workstations were back in use by staff.
"So much of what occurred that first week is mostly a blur for me, but our team will not soon forget the commitment each and every one of your team put in to help get our company back. I've been working with Progent for the past ten years, maybe more, and each time I needed help Progent has come through and delivered. This event was a life saver."
A probable business catastrophe was averted through the efforts of top-tier professionals, a wide range of technical expertise and close teamwork. Post-incident forensics showed that the intrusion described here should have been blocked by modern security technology, NIST Cybersecurity Framework or ISO/IEC 27001 practices, user education, and properly executed procedures for protecting data and keeping systems patched. The reality, however, is that well-resourced criminal and state-sponsored groups in China, North Korea and elsewhere are relentless and remain an ongoing threat. If you do fall victim to a crypto-ransomware intrusion, remember that Progent's roster of professionals has a proven track record in ransomware prevention, cleanup and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thanks very much for making it so I could get some sleep after we made it through the most critical parts. All of you made an incredible effort, and if anyone that helped is around the Chicago area, a great meal is my treat!"
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this customer story, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Services in Corpus Christi
For ransomware recovery services in the Corpus Christi metro area, call Progent at 800-462-8800 or visit Contact Progent.