Ransomware : Your Feared IT Disaster
Crypto-ransomware has become a modern cyberplague that represents an enterprise-level threat for businesses vulnerable to an attack. Versions of crypto-ransomware such as Dharma, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been in the wild for many years and still cause damage. More recent strains of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nephilim, plus more unnamed variants, not only encrypt online information but also infiltrate most available system backups. Files synced to cloud environments can also be rendered useless. In a poorly architected environment, this can make automated restore operations hopeless and effectively knock the entire system back to zero.
Getting programs and information back after a ransomware intrusion becomes a sprint against time as the victim fights to contain the damage, remove the malware, and resume mission-critical operations. Since ransomware requires time to replicate, attacks are usually sprung during weekends and nights, when they may take longer to recognize. This multiplies the difficulty of rapidly assembling and organizing a knowledgeable response team.
Progent provides a variety of support services for protecting Hartford businesses from ransomware events. Among these are staff training to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of next-generation security gateways with machine learning technology to quickly detect and quarantine zero-day cyber threats. Progent also provides the assistance of veteran crypto-ransomware recovery professionals with the talent and commitment to restore a breached network as soon as possible.
Progent's Ransomware Restoration Services
After a ransomware attack, paying the ransom in cryptocurrency provides no assurance that the attackers will hand over the keys needed to decrypt any of your information. Kaspersky determined that seventeen percent of ransomware victims never recovered their information even after paying the ransom, resulting in additional losses. The ransom itself is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET estimated to be around $13,000 for small businesses. The fallback is to piece back together the critical components of your Information Technology environment. Absent access to complete data backups, this calls for a wide range of IT skills, top-notch team management, and the ability to work non-stop until the task is completed.
For two decades, Progent has provided expert Information Technology services for companies across the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have been awarded high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have earned internationally-recognized certifications including CISM, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has expertise in financial management and ERP application software. This breadth of experience gives Progent the skills to knowledgeably identify the important systems, consolidate the remaining pieces of your computer network following a ransomware event, and configure them into a functioning network.
Progent's security group uses top-notch project management applications to coordinate the complex recovery process. Progent appreciates the importance of acting swiftly and in unison with a customer's management and IT staff to assign priority to tasks and to get essential systems back online as fast as possible.
Customer Story: A Successful Crypto-Ransomware Virus Response
A customer hired Progent after their organization was taken over by Ryuk ransomware. Ryuk is believed to have been developed by North Korean state criminal gangs, possibly adopting algorithms leaked from the United States NSA. Ryuk goes after specific companies with little room for operational disruption and is one of the most lucrative incarnations of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in the Chicago metro area with about 500 staff members. The Ryuk penetration had paralyzed all company operations and manufacturing capabilities. Most of the client's data backups had been online at the time of the attack and were encrypted. The client was pursuing financing to pay the ransom demand (exceeding two hundred thousand dollars) and hoping for the best, but in the end engaged Progent.
"I cannot thank you enough for the help Progent gave us throughout the most fearful time of (our) business's existence. We would have had little choice but to pay the hackers if it hadn't been for the confidence the Progent group gave us. The fact that you could get our messaging and key applications back online in less than 1 week was beyond my wildest dreams. Each expert I got help from or e-mailed at Progent was amazingly focused on getting us back online and was working 24/7 on our behalf."
Progent worked together with the client to rapidly understand and prioritize the most important services that needed to be restored to make it possible to continue business functions:
- Windows Active Directory
To begin, Progent adhered to ransomware incident mitigation best practices by isolating and disinfecting systems. Progent then started the work of bringing Microsoft Active Directory back online, the core of enterprise systems built on Microsoft Windows Server technology. Exchange email will not function without Windows AD, and the business's financials and MRP software relied on Microsoft SQL Server, which depends on Windows AD for access to the information.
Within 48 hours, Progent was able to rebuild Active Directory services to their pre-penetration state. Progent then carried out reinstallations and hard drive recovery of critical servers. All Exchange Server schema and configuration information was intact, which greatly helped the rebuild of Exchange. Progent was able to locate intact OST files (Outlook Offline Folder Files) on user PCs to recover mail data. A relatively recent offline backup of the client's financials/ERP software made it possible to bring these required applications back into service for users. Although a lot of work remained to recover fully from the Ryuk damage, critical systems were recovered rapidly:
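The recovery sequence above (isolate first, then Active Directory, then the Exchange and SQL Server workloads that cannot start without it, restoring each from whatever copy the malware could not reach) is a dependency-ordering problem. The following planner is an added illustration, not Progent's tooling or anything from the case study; the service inventory, backup names and priority values are constructed to resemble the situation described, and the "offline" flag stands in for whether a backup copy was unreachable to the ransomware at the time of the attack.

```python
"""Restore-order planner for ransomware recovery (illustrative example).

Given an inventory of services, their dependencies and their backup copies,
it produces the order in which services can be brought up and, for each,
whether an uncompromised (offline) copy exists or the service must be rebuilt.
"""

# Constructed inventory modelled loosely on the case study: everything hangs
# off Active Directory, the ERP system sits on SQL Server, mail survives only
# as OST files on workstations, and most nightly backups were online (and so
# assumed encrypted). Priority 1 is the most business-critical.
INVENTORY = {
    "active_directory": {
        "depends_on": [], "priority": 1,
        "backups": [{"name": "nightly-disk", "offline": False},
                    {"name": "system-state-tape", "offline": True}],
    },
    "exchange": {
        "depends_on": ["active_directory"], "priority": 1,
        "backups": [{"name": "ost-files-on-workstations", "offline": True}],
    },
    "sql_server": {
        "depends_on": ["active_directory"], "priority": 2,
        "backups": [{"name": "sql-nightly", "offline": False}],
    },
    "erp": {
        "depends_on": ["sql_server", "active_directory"], "priority": 2,
        "backups": [{"name": "erp-offline-copy", "offline": True}],
    },
    "intranet_web": {
        "depends_on": ["active_directory"], "priority": 3,
        "backups": [{"name": "web-offline-copy", "offline": True}],
    },
}


def usable_backups(service):
    """Names of backup copies the malware could not have reached."""
    return [b["name"] for b in service["backups"] if b["offline"]]


def restore_order(inventory):
    """Kahn's topological sort over the dependency graph.

    Among services whose dependencies are all restored, the most critical
    (lowest priority number) goes first; name breaks ties so the result is
    deterministic. Raises ValueError on unknown dependencies or cycles.
    """
    indegree = {name: len(svc["depends_on"]) for name, svc in inventory.items()}
    dependents = {name: [] for name in inventory}
    for name, svc in inventory.items():
        for dep in svc["depends_on"]:
            if dep not in inventory:
                raise ValueError(f"{name} depends on unknown service {dep}")
            dependents[dep].append(name)

    ready = [n for n, d in indegree.items() if d == 0]
    order = []
    while ready:
        ready.sort(key=lambda n: (inventory[n]["priority"], n))
        current = ready.pop(0)
        order.append(current)
        for child in dependents[current]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)

    if len(order) != len(inventory):
        stuck = sorted(set(inventory) - set(order))
        raise ValueError("dependency cycle among: " + ", ".join(stuck))
    return order


def recovery_plan(inventory):
    """Ordered plan: for each service, the clean sources or a rebuild flag."""
    plan = []
    for name in restore_order(inventory):
        sources = usable_backups(inventory[name])
        plan.append({
            "service": name,
            "sources": sources,
            "action": "restore" if sources else "rebuild-from-scratch",
        })
    return plan


if __name__ == "__main__":
    for step in recovery_plan(INVENTORY):
        print(f"{step['service']:<18} {step['action']:<20} {step['sources']}")
```

With the constructed inventory the planner puts Active Directory first, then Exchange ahead of SQL Server because of its higher business priority, then the ERP system once SQL Server is up, and flags SQL Server for a fresh rebuild because its only backup was online. The same structure works as a pre-incident check: run it against the real inventory and any service whose action comes back as "rebuild-from-scratch" is one with no copy that ransomware could not reach.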
"For the most part, the assembly line operation ran fairly normal throughout and we made all customer sales."
Over the following few weeks critical milestones in the restoration project were achieved through close collaboration between Progent engineers and the customer:
- Internal web applications were brought back up with no loss of information.
- The MailStore Exchange Server with over 4 million archived emails was restored to operations and available for users.
- CRM/Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory Control capabilities were 100 percent recovered.
- A new Palo Alto 850 security appliance was brought online.
- Ninety percent of the desktop computers were back in use by staff.
"A huge amount of what transpired in the early hours is mostly a haze for me, but I will not forget the care each of the team put in to give us our business back. I have been working together with Progent for the past ten years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered. This time was the most impressive ever."
A likely enterprise-killing disaster was averted through dedicated professionals, a wide range of subject matter expertise, and close teamwork. In hindsight, the crypto-ransomware penetration described here could have been stopped by advanced security technology, recognized best practices, staff education, properly executed incident response procedures for information protection, and proper patching controls; the reality remains that state-sponsored hackers from China, North Korea and elsewhere are tireless and an ongoing threat. If you do get hit by a crypto-ransomware incident, feel confident that Progent's team of professionals has substantial experience in ransomware blocking, cleanup, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were involved), thank you for making it so I could get rested after we got over the most critical parts. Everyone did a fabulous job, and if anyone is around the Chicago area, dinner is the least I can do!"
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)