Crypto-Ransomware : Your Crippling Information Technology Catastrophe
Ransomware has become an escalating cyberplague that poses an existential danger to businesses poorly prepared for an attack. Ransomware families such as CrySIS, Fusob, Locky, NotPetya and the MongoLock cryptoworms have been in the wild for years and continue to cause damage. Modern variants such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, along with new and as yet unnamed malware appearing daily, not only encrypt on-line data but also attack any reachable system protection mechanisms, including backups. Files replicated to the cloud can be encrypted as well. In a vulnerable environment this renders automated restoration useless and effectively sets the entire system back to zero.
Getting programs and information back on-line after a ransomware attack becomes a sprint against the clock as the targeted organization fights to contain and clean up the ransomware and to restore enterprise-critical operations. Because ransomware needs time to move laterally, attacks are usually sprung on weekends and at night, when successful penetrations tend to take longer to recognize. This compounds the difficulty of rapidly assembling and coordinating a qualified mitigation team.
Progent provides a variety of services for protecting Springfield organizations against ransomware penetrations. These include team training to recognize and avoid phishing scams, and ProSight Active Security Monitoring, an endpoint detection and response service built on SentinelOne's AI-based threat protection that detects and quarantines zero-day malware attacks. Progent can also provide seasoned ransomware recovery engineers with the track record and commitment to bring a compromised system back on-line as quickly as possible.
Progent's Ransomware Restoration Services
Paying the ransom demand in cryptocurrency after a ransomware event does not guarantee that merciless criminals will hand over the keys needed to decrypt all your files. Kaspersky estimated that 17% of ransomware victims never recovered their files even after paying the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET determined to be around $13,000 for small businesses. The other path is to piece the vital components of your IT environment back together. Without full system backups, this requires a wide range of skill sets, professional project management, and the capability to work non-stop until the recovery is done.
For decades, Progent has offered certified expert Information Technology services to companies throughout the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who hold top industry certifications in key technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's cyber security engineers hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with financial management and ERP applications. This breadth of expertise gives Progent the ability to knowledgeably identify critical systems, reorganize the surviving parts of your network following a ransomware penetration, and rebuild them into an operational system.
Progent's ransomware team uses best-of-breed project management systems to coordinate the complicated restoration process. Progent understands the importance of working rapidly and in unison with a customer's management and IT staff to prioritize tasks and bring the most important systems back on-line as soon as possible.
Customer Case Study: A Successful Ransomware Penetration Response
A client hired Progent after their organization was attacked by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean government-sponsored hackers, possibly adopting techniques leaked from the United States NSA. Ryuk targets specific businesses with limited ability to sustain disruption and is one of the most lucrative ransomware strains. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in Chicago with around 500 staff members. The Ryuk attack had paralyzed all company operations and manufacturing capability. Most of the client's backups had been on-line at the start of the attack and were destroyed. The client considered paying the ransom demand (more than two hundred thousand dollars) and hoping for the best, but in the end reached out to Progent.
"I cannot thank you enough for the help Progent provided us throughout the most fearful time of (our) company's existence. We may have had to pay the cybercriminals if not for the confidence the Progent team gave us. That you could get our e-mail and important servers back into operation in less than one week was amazing. Every single person I spoke to or e-mailed at Progent was totally committed to getting our company operational and was working non-stop on our behalf."
Progent worked hand in hand with the customer to quickly identify and prioritize the most important systems that had to be restored so that company functions could continue:
To begin, Progent followed incident response best practices by stopping the spread and cleaning infected systems. Progent then began restoring Microsoft Active Directory, the core of enterprise systems built on Microsoft Windows technology. Microsoft Exchange Server messaging will not work without Active Directory, and the customer's accounting and MRP software ran on Microsoft SQL Server, which depends on Active Directory for authentication to the databases.
- Active Directory
Within 48 hours, Progent was able to rebuild Active Directory to its pre-attack state. Progent then helped perform reinstallations and hard drive recovery on essential servers. All Microsoft Exchange Server data and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to collect local OST files (Outlook Off-Line Data Files) from staff workstations to recover mail data. A reasonably recent offline backup of the business's accounting/MRP software made it possible to bring these essential programs back on-line. Although major work remained to recover completely from the Ryuk attack, the most important services were returned to operation quickly:
"For the most part, the production line operation showed little impact and we delivered all customer sales."
Over the following few weeks, important milestones in the recovery were achieved through close cooperation between Progent team members and the client:
- Internal web sites were returned to operation without losing any data.
- The MailStore Exchange Server with over 4 million historical messages was brought on-line and accessible to users.
- CRM/Orders/Invoices/AP/Accounts Receivables (AR)/Inventory Control functions were completely operational.
- A new Palo Alto 850 firewall was deployed.
- 90% of the user desktops and notebooks were functioning as before the incident.
"A huge amount of what went on during the initial response is nearly entirely a blur for me, but our team will not forget the urgency each of you accomplished to help get our business back. I have been working with Progent for the past 10 years, maybe more, and each time Progent has impressed me and delivered as promised. This time was a life saver."
A possible business-ending catastrophe was averted through results-oriented professionals, a wide array of knowledge, and close collaboration. Forensics completed after the recovery showed that the ransomware incident detailed here would have been detected and prevented with up-to-date security technology, ISO/IEC 27001 best practices, user training, and well-thought-out procedures for data protection and for keeping systems current with security patches. Even so, government-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and will continue their attacks. If you do fall victim to ransomware, be assured that Progent's roster of experts has substantial experience in crypto-ransomware blocking, removal, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thanks very much for making it so I could get rested after we got through the most critical parts. Everyone did an amazing job, and if any of your team is visiting the Chicago area, a great meal is the least I can do!"
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this customer case study, see Progent's Ransomware Virus Recovery Case Study Datasheet (PDF - 282 KB).
Contact Progent for Ransomware Cleanup Services in Springfield
For ransomware cleanup expertise in the Springfield area, phone Progent at 800-462-8800 or see Contact Progent.