Ransomware : Your Worst IT Disaster
Crypto-ransomware has become an all-too-frequent cyberplague that presents an existential threat to businesses unprepared for an attack. Families such as CryptoLocker, WannaCry, Bad Rabbit, Syskey and MongoLock have been circulating for years and continue to inflict havoc. Modern strains such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nefilim, along with newly emerging strains that have not yet been named, not only encrypt online files but also disable or evade much of the installed security tooling and seek out backups. Data synchronized to the cloud can be encrypted as well, because the sync client faithfully uploads the encrypted copies. In a poorly designed environment this renders automated restoration useless and effectively sets the datacenter back to zero.
Recovering services and data after a crypto-ransomware event becomes a race against time as the victim works to contain the damage, eradicate the ransomware and restore business-critical operations. Because attackers need time to move laterally and stage the encryption, attacks are frequently launched during nights and weekends, when intrusions typically take longer to detect. This compounds the difficulty of quickly mobilizing and coordinating a capable response team.
Progent offers a range of services for protecting Orlando organizations from crypto-ransomware events. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation and configuration of current-generation security gateways with machine-learning capabilities to automatically detect and block zero-day threats. Progent can also provide expert ransomware recovery professionals with the skill and persistence to re-deploy a compromised environment as quickly as possible.
Progent's Ransomware Restoration Services
After a ransomware infection, even paying the ransom in Bitcoin does not guarantee that the criminals will hand over the keys needed to decrypt all your data. Kaspersky Labs estimated that 17% of ransomware victims never recovered their data after paying, compounding their losses. The ransom itself is expensive: Ryuk demands often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the average ransomware demand, which ZDNet estimated at about $13,000 for small organizations. The fallback is to rebuild the essential components of your IT environment. Without complete backups, this requires a broad range of skills, strong project management, and the willingness to work around the clock until recovery is complete.
For twenty years, Progent has provided professional IT services to businesses throughout the United States and has earned Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers with advanced certifications in key technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's security engineers hold internationally recognized certifications including CISM, CISSP, CRISC and GIAC (see Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of expertise lets Progent quickly identify critical systems, reorganize the surviving pieces of a network after a ransomware attack, and assemble them into a working system.
Progent's security team uses project management tools to orchestrate the complex recovery process. Progent understands the urgency of acting quickly and works with the customer's management and IT staff to prioritize tasks and bring critical applications back online as fast as possible.
Business Case Study: A Successful Ransomware Virus Recovery
A small business contacted Progent after its network was brought down by Ryuk ransomware. Ryuk was initially attributed to North Korean state hackers because it shared code with the earlier Hermes ransomware; later analysis attributed it to a Russian-speaking criminal group. Ryuk targets specific companies with little tolerance for operational disruption and is among the most lucrative ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company in the Chicago metro area with about 500 employees. The Ryuk intrusion had halted all business operations and manufacturing. Most of the client's backups had been online when the attack began and were encrypted along with everything else. The client was preparing to pay the ransom (over $200,000) and hope for the best, but instead engaged Progent.
"I cannot say enough about the support Progent provided us during the most fearful time of our business's existence. We would have had little choice but to pay the cybercriminals behind the attack, were it not for the confidence the Progent team gave us. That you could get our e-mail system and important servers back online in less than a week was earth shattering. Every consultant I got help from or communicated with at Progent was laser focused on getting my company operational and was working at breakneck pace on our behalf."
Progent worked hand in hand with the customer to quickly understand and prioritize the critical components that had to be restored before company operations could restart:
- Microsoft Active Directory
- Exchange Server
- Accounting and Manufacturing Software
To begin, Progent followed ransomware incident response best practice by isolating infected systems to stop lateral movement and then cleaning them. Progent then began bringing Microsoft Active Directory back online, since it is the foundation of systems built on Windows Server. Exchange Server will not function without AD, and the client's MRP applications ran on Microsoft SQL Server, which relied on Windows authentication through AD to control access to the data.
Within 48 hours, Progent had restored Active Directory to its pre-attack state. Progent then moved on to rebuilding and recovering storage on the required systems. All Exchange Server data and configuration information were intact, which simplified the Exchange rebuild. Progent was also able to gather unencrypted OST files (Outlook Offline Data Files) from staff desktops to recover mailbox contents. A reasonably recent offline backup of the client's accounting systems allowed those essential applications to be returned to service. Although much work remained to recover fully from Ryuk, core services were restored quickly:
"For the most part, the assembly line operation never missed a beat and we produced all customer sales."
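As an added example (not Progent's tooling or code from the original page), here is a triage script in the spirit of the OST recovery step described above. It walks a tree of collected user profiles and sorts Outlook OST/PST files into intact versus encrypted using two checks: an intact OST/PST file begins with the 4-byte header magic "!BDN" defined by the PST file format, whereas ransomware ciphertext has no such header and byte entropy close to the 8 bits/byte maximum. The directory layout, file names and the extra ".RYK" extension on the sample file are constructed for the demo.

```python
"""Sort recovered Outlook OST/PST files into intact vs. encrypted.

Added example for illustration; not Progent's tooling or code from the
original page.  Assumptions: an intact OST/PST file starts with the PST
format header magic b"!BDN", and a ransomware-encrypted file has no such
header and byte entropy close to the 8 bits/byte maximum.
"""
import math
import os
import re
import tempfile
from collections import Counter

PST_MAGIC = b"!BDN"           # dwMagic (0x4E444221) at offset 0 of the OST/PST header
ENTROPY_THRESHOLD = 7.5       # bits/byte; ciphertext and compressed data sit near 8.0
SAMPLE_SIZE = 64 * 1024       # bytes read from the start of each candidate file
# Match ".ost"/".pst" even when ransomware appended its own extension (mail.ost.RYK).
MAILFILE_RE = re.compile(r"\.(ost|pst)(\.|$)", re.IGNORECASE)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_mailfile(path: str) -> str:
    """Return 'intact', 'encrypted' or 'unknown' for one OST/PST candidate."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_SIZE)
    if head[:4] == PST_MAGIC:
        return "intact"              # header survived: worth importing into Outlook
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "encrypted"           # no header, random-looking bytes: ciphertext
    return "unknown"                 # no header but low entropy: inspect manually


def triage(root: str) -> dict:
    """Walk root and group every OST/PST-looking file by classification."""
    groups = {"intact": [], "encrypted": [], "unknown": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if MAILFILE_RE.search(name):
                full = os.path.join(dirpath, name)
                groups[classify_mailfile(full)].append(full)
    for paths in groups.values():
        paths.sort()
    return groups


def build_demo_tree() -> str:
    """Create a constructed sample tree standing in for collected user profiles.

    alice.ost   - intact: correct header magic followed by a zeroed body
    bob.ost.RYK - encrypted: random bytes, with a ransomware-style extra extension
    notes.txt   - unrelated file that must be ignored
    """
    root = tempfile.mkdtemp(prefix="ost_triage_")
    profile = os.path.join(root, "profiles")
    os.makedirs(profile)
    with open(os.path.join(profile, "alice.ost"), "wb") as fh:
        fh.write(PST_MAGIC + b"\x00" * 4092)
    with open(os.path.join(profile, "bob.ost.RYK"), "wb") as fh:
        fh.write(os.urandom(SAMPLE_SIZE))   # stands in for ciphertext
    with open(os.path.join(profile, "notes.txt"), "wb") as fh:
        fh.write(b"unrelated file\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for label, paths in triage(demo_root).items():
        print(f"{label}: {[os.path.basename(p) for p in paths]}")
```

Run it against a share where the desktops' profile folders have been copied; only the files reported as "intact" are worth opening in Outlook, while "unknown" files (no header, low entropy) deserve a manual look, since a truncated or partially overwritten OST can still hold recoverable mail.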
Over the following weeks, important milestones in the recovery were completed in close collaboration between Progent engineers and the client:
- In-house web sites were brought back up without losing any data.
- The MailStore email archive, holding more than four million archived messages, was brought online and made accessible to users.
- CRM, customer orders, invoicing, Accounts Payable (AP), Accounts Receivable (AR) and inventory control capabilities were fully restored.
- A new Palo Alto Networks PA-850 firewall was installed.
- 90% of the user desktops and notebooks were back in use by staff.
"Much of what occurred in the initial days is mostly a fog for me, but my team will not soon forget the urgency with which each and every one of your team worked to give us our business back. I've been working with Progent for the past 10 years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This time was the most impressive ever."
A potentially company-ending catastrophe was averted through results-oriented experts, a wide spectrum of knowledge, and tight collaboration. In hindsight, the incident described here could have been detected and stopped with up-to-date security technology and recognized best practices: staff education, properly executed backup procedures that keep offline copies, and timely patching. The reality remains, however, that state-sponsored and criminal attackers from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to ransomware, remember that Progent's team has substantial experience in crypto-ransomware defense, mitigation, and disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thanks very much for allowing me to get some rest after we got past the initial fire. All of you made an impressive effort, and if anyone is in the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)