Ransomware : Your Crippling Information Technology Nightmare
Ransomware has become an escalating cyberplague that poses an enterprise-level danger for organizations vulnerable to an assault. Versions of ransomware such as Reveton, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been circulating for a long time and still inflict damage. Newer versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Nephilim, along with frequent unnamed newcomers, not only encrypt on-line information but also infect many configured system protection. Files synched to the cloud can also be rendered useless. In a poorly architected data protection solution, this can render automatic restore operations impossible and effectively knocks the datacenter back to zero.
Retrieving programs and data after a crypto-ransomware attack becomes a sprint against the clock as the targeted business struggles to stop lateral movement and remove the ransomware and to restore mission-critical activity. Because crypto-ransomware requires time to move laterally, penetrations are frequently launched on weekends and holidays, when penetrations in many cases take longer to discover. This compounds the difficulty of quickly marshalling and organizing an experienced mitigation team.
Progent provides an assortment of support services for securing Corpus Christi organizations from ransomware penetrations. These include staff education to help identify and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of the latest generation security solutions with artificial intelligence technology to intelligently detect and extinguish new cyber attacks. Progent also provides the services of seasoned ransomware recovery consultants with the talent and commitment to rebuild a breached network as quickly as possible.
Progent's Crypto-Ransomware Recovery Help
After a ransomware event, even paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that distant criminals will respond with the needed keys to decrypt any or all of your information. Kaspersky ascertained that 17% of crypto-ransomware victims never recovered their data after having sent off the ransom, resulting in additional losses. The risk is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the average ransomware demands, which ZDNET determined to be around $13,000 for small organizations. The alternative is to setup from scratch the mission-critical parts of your Information Technology environment. Absent the availability of essential data backups, this requires a broad complement of skill sets, top notch project management, and the willingness to work 24x7 until the job is done.
For decades, Progent has provided expert Information Technology services for companies throughout the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have earned top industry certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have earned internationally-recognized industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has experience in accounting and ERP software solutions. This breadth of experience affords Progent the capability to efficiently ascertain necessary systems and consolidate the surviving components of your IT system following a ransomware penetration and configure them into an operational system.
Progent's ransomware group deploys best of breed project management tools to orchestrate the sophisticated recovery process. Progent knows the importance of acting rapidly and together with a client's management and Information Technology staff to assign priority to tasks and to put critical applications back on-line as soon as humanly possible.
Business Case Study: A Successful Crypto-Ransomware Attack Restoration
A business hired Progent after their network system was attacked by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean state criminal gangs, possibly adopting algorithms leaked from the U.S. National Security Agency. Ryuk seeks specific organizations with limited room for disruption and is one of the most profitable incarnations of ransomware viruses. Headline organizations include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturer headquartered in the Chicago metro area with about 500 staff members. The Ryuk event had brought down all essential operations and manufacturing capabilities. The majority of the client's data backups had been directly accessible at the start of the attack and were damaged. The client was evaluating paying the ransom demand (more than $200,000) and wishfully thinking for good luck, but in the end called Progent.
"I cannot tell you enough about the support Progent gave us during the most fearful period of (our) companyís life. We would have paid the cybercriminals if not for the confidence the Progent team gave us. The fact that you were able to get our e-mail and important applications back online sooner than five days was earth shattering. Every single consultant I talked with or messaged at Progent was absolutely committed on getting our company operational and was working 24/7 on our behalf."
Progent worked hand in hand the client to quickly determine and assign priority to the essential systems that needed to be restored in order to restart departmental operations:
To begin, Progent adhered to Anti-virus penetration mitigation industry best practices by isolating and performing virus removal steps. Progent then began the task of recovering Microsoft AD, the heart of enterprise networks built upon Microsoft technology. Microsoft Exchange Server email will not operate without Windows AD, and the customerís MRP system utilized Microsoft SQL Server, which needs Windows AD for security authorization to the data.
- Microsoft Active Directory
- Microsoft Exchange Server
- Accounting and Manufacturing Software
Within 48 hours, Progent was able to re-build Active Directory services to its pre-penetration state. Progent then completed setup and storage recovery on key systems. All Exchange ties and configuration information were usable, which accelerated the restore of Exchange. Progent was able to find non-encrypted OST files (Outlook Offline Data Files) on staff workstations to recover email information. A not too old offline backup of the customerís accounting/MRP systems made them able to return these essential services back online. Although a large amount of work still had to be done to recover fully from the Ryuk event, the most important systems were recovered quickly:
"For the most part, the manufacturing operation was never shut down and we made all customer orders."
During the next few weeks important milestones in the restoration process were made through tight collaboration between Progent engineers and the client:
- Internal web sites were returned to operation without losing any information.
- The MailStore Exchange Server exceeding 4 million historical messages was restored to operations and available for users.
- CRM/Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory Control functions were 100% restored.
- A new Palo Alto Networks 850 security appliance was deployed.
- Nearly all of the user desktops and notebooks were operational.
"So much of what was accomplished during the initial response is nearly entirely a blur for me, but my management will not soon forget the care each and every one of your team put in to give us our business back. I have utilized Progent for at least 10 years, maybe more, and every time Progent has outperformed my expectations and delivered. This situation was no exception but maybe more Herculean."
A potential business-ending disaster was averted by dedicated professionals, a wide range of technical expertise, and close collaboration. Although in analyzing the event afterwards the ransomware virus incident described here would have been identified and prevented with advanced cyber security technology solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team training, and well thought out security procedures for information protection and proper patching controls, the reality remains that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and will continue. If you do fall victim to a ransomware virus, feel confident that Progent's roster of experts has proven experience in crypto-ransomware virus blocking, remediation, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), Iím grateful for making it so I could get some sleep after we made it over the first week. Everyone did an incredible job, and if anyone that helped is visiting the Chicago area, a great meal is the least I can do!"
Download the Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
File body_ransomware_recovery_contact_city.asp does not exist