Ransomware: Your Feared IT Nightmare
Ransomware has become an all-too-frequent cyber pandemic that represents an enterprise-level danger for businesses poorly prepared for an attack. Ransomware families such as CryptoLocker, Fusob, Bad Rabbit, NotPetya and the MongoLock cryptoworm have been around for years and continue to inflict destruction. Modern crypto-ransomware variants like Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Egregor, along with a steady stream of as yet unnamed malware, not only encrypt online data but also seek out and destroy any system backups they can reach. Information synced to the cloud can also be corrupted. In a poorly architected data protection solution, this can make automated recovery hopeless and effectively knocks the datacenter back to zero.
Getting applications and data back following a ransomware intrusion becomes a race against time as the targeted organization struggles to stop the spread, remove the malware and resume enterprise-critical activity. Because ransomware takes time to replicate, attacks are usually launched on weekends and at night, when they typically take longer to discover. This multiplies the difficulty of quickly mobilizing and orchestrating a knowledgeable response team.
Progent offers a variety of services for protecting Chandler businesses from ransomware penetrations. Among these are staff training to help recognize and avoid phishing scams, and ProSight Active Security Monitoring (ASM), an endpoint detection and response (EDR) service that uses SentinelOne's AI-based threat defense to detect and contain zero-day malware attacks. Progent also provides the services of veteran ransomware recovery engineers with the skill and commitment to reconstruct a compromised system as quickly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware event, paying the ransom demand in Bitcoin does not ensure that the remote criminals will provide the keys needed to decrypt all your files. Kaspersky estimated that 17% of crypto-ransomware victims never restored their data even after sending the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is far higher than typical crypto-ransomware demands, which ZDNET estimated to be in the range of $13,000 for smaller businesses. The other path is to set up the critical components of your IT environment from scratch. Without complete data backups available, this calls for a wide range of skill sets, top-notch team management, and the capability to work non-stop until the task is finished.
For twenty years, Progent has provided professional IT services for companies across the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who hold high-level certifications in key technologies from Microsoft, Cisco and VMware and in the major distributions of Linux. Progent's cyber security specialists have earned internationally recognized industry certifications including CISM, CISSP, CRISC and SANS GIAC. (See Progent's certifications). Progent also has experience with financial systems and ERP application software. This breadth of expertise allows Progent to efficiently identify the necessary systems, consolidate the remaining pieces of your IT environment following a ransomware attack, and configure them into an operational network.
Progent's security team uses top-notch project management systems to coordinate the complex restoration process. Progent appreciates the importance of working quickly and in concert with a customer's management and Information Technology resources to prioritize tasks and get critical applications back online as fast as possible.
Customer Case Study: A Successful Crypto-Ransomware Penetration Response
A client engaged Progent after their company was taken over by Ryuk ransomware. Ryuk is generally believed to have been deployed by North Korean state-sponsored criminal gangs, possibly using techniques leaked from the United States National Security Agency. Ryuk targets specific businesses with little tolerance for operational disruption and is among the most profitable ransomware families. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company in the Chicago metro area with around 500 staff members. The Ryuk event had disabled all essential operations and manufacturing capabilities. Most of the client's backups were online when the attack began and were damaged. The client was pursuing financing to pay the ransom demand (in excess of $200,000) and hoping for good luck, but ultimately decided to engage Progent.
"I cannot say enough in regards to the expertise Progent gave us during the most critical period of (our) company's existence. We most likely would have paid the criminal gangs except for the confidence the Progent experts afforded us. That you were able to get our e-mail and important servers back on-line in less than one week was incredible. Every single staff member I talked with or e-mailed at Progent was totally committed to getting us back on-line and was working at a breakneck pace to bail us out."
Progent worked hand in hand with the client to rapidly identify and prioritize the mission-critical services that needed to be addressed in order to restart company operations:
- Microsoft Active Directory
- Electronic Mail
To start, Progent followed industry best practices for malware incident mitigation by halting the spread and removing active malware. Progent then began recovering Microsoft Active Directory, the foundation of enterprise environments built on Microsoft technology. Microsoft Exchange Server messaging will not function without AD, and the business's MRP system ran on Microsoft SQL Server, which depends on Windows AD for authentication.
In less than 48 hours, Progent was able to rebuild Active Directory services to their pre-penetration state. Progent then began reinstalling key applications and recovering their storage. All Microsoft Exchange Server schema and attributes were intact, which accelerated the rebuild of Exchange. Progent collected local OST files (Outlook Offline Data Files) from various PCs and laptops to recover email data. A reasonably recent offline backup of the business's accounting software made it possible to return these essential services to users. Although significant work remained to recover completely from the Ryuk damage, the most important systems were restored quickly:
"For the most part, the production line operation never missed a beat and we delivered all customer orders."
Over the next couple of weeks, key milestones in the recovery project were reached through tight collaboration between Progent engineers and the customer:
- Internal web applications were restored with no loss of information.
- The MailStore Server, holding more than four million historical messages, was brought up and made available to users.
- CRM, product ordering, invoicing, accounts payable, accounts receivable and inventory control functions were 100 percent operational.
- A new Palo Alto Networks 850 firewall was installed and configured.
- Nearly all of the user desktops and notebooks were back in operation.
"Much of what transpired that first week is nearly entirely a blur for me, but we will not forget the urgency each of you accomplished to help get our company back. I have trusted Progent for the past ten years, maybe more, and every time Progent has shined and delivered. This situation was a Herculean accomplishment."
A likely business disaster was avoided thanks to results-oriented experts, a broad array of knowledge, and tight teamwork. Although the forensics completed afterwards showed that the ransomware attack described here should have been stopped by advanced cyber security solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user training, and well thought out procedures for data backup and for keeping systems current with security patches, the fact is that state-sponsored cybercriminals from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware penetration, you can be confident that Progent's roster of professionals has substantial experience in crypto-ransomware blocking, mitigation, and data restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thanks very much for making it so I could get some sleep after we made it over the initial fire. Everyone made an amazing effort, and if anyone is around the Chicago area, a great meal is my treat!"
Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Expertise in Chandler
For ransomware system restoration services in the Chandler area, call Progent at 800-462-8800 or visit Contact Progent.