Ransomware : Your Crippling IT Catastrophe
Crypto-ransomware has become an escalating cyber pandemic that presents an extinction-level threat for businesses unprepared for an assault. Versions of ransomware such as Reveton, CryptoWall, Bad Rabbit, NotPetya and the MongoLock cryptoworms have been replicating for years and continue to inflict havoc. More recent variants such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit and Egregor, along with frequent unnamed newcomers, not only encrypt online data files but also infect any configured system restores and backups. Data synchronized to the cloud can also be rendered useless. In a vulnerable environment, this can make any recovery impossible and effectively knocks the datacenter back to square one.
Restoring services and data after a crypto-ransomware attack becomes a sprint against time as the targeted organization fights to stop lateral movement, eradicate the malware and restore enterprise-critical activity. Because ransomware requires time to move laterally, intrusions are frequently launched during nights and weekends, when attacks typically take longer to uncover. This compounds the difficulty of quickly mobilizing and orchestrating a capable response team.
Progent makes available a variety of services for protecting Orlando businesses from ransomware events. Among these are staff education to recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of next-generation security gateways with machine learning technology to quickly detect and extinguish zero-day cyber attacks. Progent in addition provides the assistance of expert ransomware recovery consultants with the track record and commitment to re-deploy a breached network as rapidly as possible.
Progent's Ransomware Restoration Services
Following a ransomware attack, paying the ransom in cryptocurrency does not provide any assurance that criminal gangs will return the keys to decrypt any of your data. Kaspersky estimated that 17% of ransomware victims never restored their files even after having sent off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the usual ransomware demand, which ZDNET estimated to be approximately $13,000 for smaller businesses. The fallback is to rebuild the vital parts of your IT environment from scratch. Without access to complete backups, this requires a wide complement of IT skills, top-notch project management, and the ability to work non-stop until the task is finished.
For two decades, Progent has offered professional IT services for businesses throughout the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have earned advanced certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent in addition has expertise in accounting and ERP software solutions. This breadth of experience gives Progent the capability to knowledgeably identify the necessary systems, re-organize the remaining parts of your IT environment after a ransomware penetration, and rebuild them into a functioning whole.
Progent's ransomware group utilizes powerful project management applications to coordinate the sophisticated restoration process. Progent understands the urgency of acting rapidly and working together with a customer's management and IT team members to prioritize tasks and get essential applications back online as soon as humanly possible.
Case Study: A Successful Ransomware Intrusion Restoration
A business escalated to Progent after their organization was brought down by the Ryuk ransomware virus. Ryuk is believed to have been developed by North Korean state-sponsored hackers, suspected of adopting approaches leaked from America's National Security Agency. Ryuk targets specific companies with limited tolerance for disruption and is one of the most lucrative versions of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturer headquartered in Chicago with around 500 workers. The Ryuk intrusion had shut down all essential operations and manufacturing processes. The majority of the client's backups had been online at the time of the intrusion and were damaged. The client was actively seeking loans to pay the ransom (exceeding $200K) and hoping for good luck, but ultimately reached out to Progent.
"I can't say enough in regards to the care Progent gave us throughout the most stressful time of (our) company's survival. We had little choice but to pay the cyber criminals if it wasn't for the confidence the Progent experts gave us. The fact that you were able to get our e-mail and key servers back on-line in less than seven days was something I thought impossible. Each person I interacted with or e-mailed at Progent was hell bent on getting our company operational and was working at breakneck pace on our behalf."
Progent worked together with the customer to quickly assess and prioritize the most important services that needed to be addressed in order to resume departmental operations:
- Active Directory
To get going, Progent adhered to ransomware incident mitigation best practices by stopping lateral movement and cleaning up infected systems. Progent then began the work of recovering Windows Active Directory, the key technology of enterprise environments built on Microsoft Windows. Microsoft Exchange email will not operate without AD, and the business's financials and MRP software used Microsoft SQL Server, which relies on Windows AD for access to the data.
Within 48 hours, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then completed setup and hard drive recovery of the most important servers. All Exchange schema and configuration information was intact, which greatly helped the rebuild of Exchange. Progent was able to locate local OST files (Microsoft Outlook Offline Folder Files) on various desktop computers and laptops to recover mail data. A recent off-line backup of the client's accounting systems made it possible to bring these required services back to serving users. Although a large amount of work remained to recover fully from the Ryuk event, the most important services were returned to operation rapidly:
"For the most part, the production manufacturing operation was never shut down and we produced all customer orders."
During the following month, important milestones in the recovery process were reached through close cooperation between Progent team members and the customer:
- In-house web applications were brought back up without losing any information.
- The MailStore Microsoft Exchange Server with over 4 million archived messages was spun up and accessible to users.
- CRM/Customer Orders/Invoicing/AP/AR/Inventory Control functions were completely functional.
- A new Palo Alto Networks 850 security appliance was installed.
- 90% of the user workstations were back into operation.
"A lot of what happened those first few days is nearly entirely a haze for me, but I will not soon forget the care each of you accomplished to help get our company back. I have utilized Progent for at least 10 years, maybe more, and every time Progent has come through and delivered as promised. This situation was a testament to your capabilities."
A potential business catastrophe was avoided with top-tier professionals, a wide range of subject matter expertise, and close teamwork. Although in hindsight the ransomware incident described here could have been stopped with advanced cyber security technology, security best practices, staff education, and appropriate procedures for data protection and software patching, the fact remains that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and are not going away. If you do get hit by a ransomware attack, remember that Progent's team of experts has a proven track record in ransomware blocking, removal, and data disaster recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thanks very much for letting me get some sleep after we got past the first week. All of you did an impressive effort, and if anyone is in the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this case study, see Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).