Ransomware: Your Crippling IT Disaster
Crypto-ransomware has become an all-too-frequent cyber plague that poses an extinction-level danger to businesses poorly prepared for an attack. Ransomware families such as CryptoLocker, Fusob, Locky, Syskey and the MongoLock cryptoworm have been in the wild for years and continue to cause destruction. Modern strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Nephilim, along with many unnamed variants, not only encrypt online files but also compromise most accessible system protection mechanisms. Data synchronized to off-site disaster recovery sites can be ransomed as well. In a vulnerable environment, this renders automatic recovery useless and effectively knocks the datacenter back to zero.
Restoring services and data after a crypto-ransomware attack becomes a race against the clock as the targeted organization struggles to contain and clean up the ransomware and to restore business-critical operations. Because crypto-ransomware needs time to spread, intrusions are often launched on weekends and holidays, when a successful attack tends to take longer to discover. This compounds the difficulty of promptly mobilizing and coordinating an experienced mitigation team.
Progent offers a range of services for protecting Chandler enterprises from ransomware attacks. These include user education to help staff recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of current-generation security gateways with machine-learning capabilities that rapidly detect and contain zero-day attacks. Progent also offers the assistance of veteran crypto-ransomware recovery consultants with the track record and commitment to restore a compromised network as urgently as possible.
Progent's Ransomware Recovery Help
After a crypto-ransomware event, even paying the ransom in cryptocurrency offers no assurance that the attackers will supply the keys to decrypt all your data. Kaspersky found that seventeen percent of ransomware victims never recovered their files after sending the ransom, compounding their losses. The ransom itself is also very costly: Ryuk demands frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET estimated at approximately $13,000 for small businesses. The alternative is to rebuild the vital parts of your IT environment from scratch. Without access to complete data backups, this requires a broad mix of skills, well-coordinated project management, and the ability to work around the clock until the recovery is complete.
For two decades, Progent has provided certified expert IT services for businesses across the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who hold advanced certifications in leading technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security experts hold internationally recognized certifications including CISA, CISSP, ISACA CRISC, and GIAC (visit Progent's certifications). Progent also has expertise with financial management and ERP applications. This breadth of expertise enables Progent to efficiently identify critical systems, salvage the surviving pieces of your IT environment after a ransomware attack, and rebuild them into a functioning network.
Progent's security group uses best-of-breed project management systems to orchestrate the complex recovery process. Progent understands the importance of working quickly and in concert with a client's management and IT staff to prioritize tasks and get key systems back online as soon as humanly possible.
Customer Story: A Successful Crypto-Ransomware Incident Restoration
A customer hired Progent after their organization was crippled by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean government-sponsored hackers, possibly using techniques leaked from the U.S. NSA. Ryuk targets specific organizations with little tolerance for disruption and is among the most lucrative ransomware variants. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturer headquartered in Chicago with about 500 employees. The Ryuk attack had frozen all business operations and manufacturing processes. Most of the client's data backups had been directly accessible from the network at the start of the intrusion and were damaged. The client was considering paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.
"I can't tell you enough in regards to the help Progent provided us throughout the most fearful time of (our) business's survival. We most likely would have paid the Hackers except for the confidence the Progent team afforded us. The fact that you could get our e-mail and critical servers back on-line quicker than a week was earth shattering. Every single consultant I interacted with or messaged at Progent was hell bent on getting us operational and was working at breakneck pace on our behalf."
Progent worked with the customer to rapidly assess and prioritize the most important systems that had to be restored so that company operations could continue:
- Windows Active Directory
- Microsoft Exchange Server
To get started, Progent followed industry best practices for ransomware incident mitigation by halting lateral movement and removing active malware. Progent then began recovering Microsoft Active Directory, the foundation of enterprise systems built on Microsoft Windows Server. Exchange email will not function without Active Directory, and the business's MRP system relied on Microsoft SQL Server, which depends on Active Directory for authentication to the databases.
In less than two days, Progent restored Active Directory to its pre-intrusion state. Progent then rebuilt the required systems and recovered their storage. All Exchange connections and configuration data were intact, which simplified the Exchange restore. Progent located local OST files (Outlook Offline Data Files) on user PCs and laptops to recover email messages. A recent offline backup of the customer's financial/ERP systems allowed these essential applications to be restored to service. Although major work remained to recover fully from the Ryuk attack, core systems were returned to operation quickly:
"For the most part, the assembly line operation was never shut down and we made all customer shipments."
Over the following couple of weeks, critical milestones in the recovery were completed through tight collaboration between Progent team members and the customer:
- Self-hosted web applications were brought back up with no loss of data.
- The MailStore email archive for Microsoft Exchange Server, holding over four million archived emails, was brought online and made accessible to users.
- CRM, orders, invoicing, accounts payable (AP), accounts receivable (AR), and inventory functions were fully operational.
- A new Palo Alto 850 security appliance was brought online.
- 90% of user desktops were back in operation.
"A lot of what happened that first week is mostly a fog for me, but my management will not forget the urgency each and every one of you put in to give us our business back. I have entrusted Progent for the past ten years, maybe more, and every time I needed help Progent has come through and delivered. This situation was a testament to your capabilities."
A potentially business-ending catastrophe was averted through top-tier professionals, a wide range of expertise, and tight teamwork. Post-incident forensics showed that the attack described here could have been stopped by modern security systems and recognized best practices (staff training, well-designed incident response procedures, protected backups, and proper patch management), but the reality is that state-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware intrusion, remember that Progent's team of experts has proven experience in ransomware blocking, removal, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were helping), thanks very much for letting me get rested after we made it through the most critical parts. Everyone did a fabulous job, and if any of your team is around the Chicago area, dinner is on me!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)