Ransomware: Your Crippling IT Nightmare
Ransomware has become a modern cyberplague that presents an enterprise-level threat for businesses poorly prepared for an assault. Multiple generations of ransomware such as the Reveton, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for a long time and continue to cause destruction. Newer strains such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Nephilim, plus more as yet unnamed newcomers, not only encrypt critical online data but also compromise most configured system restore points and backups. Data synched to off-site disaster recovery sites can also be corrupted. In a poorly designed environment, this can render any restore operation useless and effectively set the network back to zero.
Recovering programs and information following a ransomware attack becomes a race against the clock as the victim fights to contain the damage, clear the malware, and resume enterprise-critical operations. Because ransomware needs time to replicate, assaults are usually launched on weekends, when a successful penetration may take longer to notice. This multiplies the difficulty of rapidly mobilizing and orchestrating a knowledgeable mitigation team.
Progent offers an assortment of solutions for protecting Porto Alegre enterprises from ransomware attacks. These include team education to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and installation of modern security solutions with AI capabilities to quickly discover and suppress new threats. Progent also provides the assistance of veteran ransomware recovery engineers with the skill and commitment to rebuild a compromised system as urgently as possible.
Progent's Crypto-Ransomware Restoration Services
Following a crypto-ransomware penetration, paying the ransom demand in cryptocurrency provides no assurance that the cyber criminals will hand over the keys needed to decrypt all your files. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never restored their information even after having sent the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET determined to be in the range of $13,000 for small businesses. The alternative is to set up the key elements of your IT environment from scratch. Absent essential data backups, this calls for a wide range of IT skills, well-coordinated team management, and the capability to work continuously until the task is complete.
For two decades, Progent has provided expert Information Technology services for businesses across the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have been awarded high-level industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have garnered internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience in financial management and ERP software solutions. This breadth of expertise gives Progent the capability to rapidly identify critical systems, organize the surviving components of your network following a crypto-ransomware event, and assemble them into a functioning system.
Progent's recovery group deploys best-of-breed project management systems to orchestrate the complex restoration process. Progent appreciates the urgency of acting rapidly and in concert with a customer's management and IT resources to prioritize tasks and to get critical services back online as soon as humanly possible.
Client Story: A Successful Ransomware Penetration Recovery
A small business contacted Progent after their network was attacked by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state cybercriminals, possibly using approaches leaked from the United States NSA. Ryuk targets specific businesses with limited tolerance for operational disruption and is among the most lucrative instances of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer based in the Chicago metro area with about 500 staff members. The Ryuk attack had paralyzed all business operations and manufacturing processes. The majority of the client's system backups had been online at the beginning of the intrusion and were damaged. The client considered paying the ransom (exceeding two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.
"I cannot say enough in regards to the help Progent gave us throughout the most critical period of (our) company's survival. We may have had to pay the cyber criminals behind the attack if it wasn't for the confidence the Progent experts provided us. That you could get our e-mail system and important applications back online in less than a week was beyond my wildest dreams. Each expert I got help from or communicated with at Progent was absolutely committed to getting our system up and was working all day and night on our behalf."
Progent worked hand in hand with the customer to rapidly understand and prioritize the key services that had to be addressed to make it possible to continue company functions:
- Microsoft Active Directory
- Electronic Messaging
- Accounting and Manufacturing Software
To start, Progent followed industry best practices for malware incident mitigation by stopping lateral movement and performing malware removal steps. Progent then began the work of restoring Windows Active Directory, the core of enterprise networks built upon Microsoft Windows technology. Microsoft Exchange Server messaging will not operate without Windows AD, and the client's MRP applications used Microsoft SQL Server, which depends on Windows AD for access to the databases.
In less than 2 days, Progent was able to restore Active Directory services to their pre-intrusion state. Progent then assisted with setup and hard drive recovery on essential systems. All Exchange Server ties and attributes were usable, which greatly helped the rebuild of Exchange. Progent was also able to collect non-encrypted OST files (Outlook Offline Data Files) on user workstations and laptops in order to recover email messages. A fairly recent offline backup of the business's financials/MRP software made it possible to bring these essential applications back online. Although a lot of work still had to be done to recover fully from the Ryuk attack, core systems were returned to operation rapidly:
"For the most part, the assembly line operation survived unscathed and we did not miss any customer sales."
Throughout the next month, important milestones in the restoration process were reached through close collaboration between Progent team members and the customer:
- Internal web applications were restored with no loss of information.
- The MailStore Server with over 4 million archived emails was spun up and available for users.
- CRM/Product Ordering/Invoices/Accounts Payable (AP)/AR/Inventory Control capabilities were fully recovered.
- A new Palo Alto 850 firewall was deployed.
- Most of the user PCs were back in use by staff.
"Much of what transpired in the initial days is mostly a blur for me, but our team will not forget the dedication all of the team accomplished to help get our business back. I've utilized Progent for at least 10 years, maybe more, and each time I needed help Progent has come through and delivered. This event was a testament to your capabilities."
A possible company-ending catastrophe was avoided through dedicated experts, a broad range of technical expertise, and tight teamwork. Although in hindsight the crypto-ransomware penetration described here could have been stopped with advanced security solutions and ISO/IEC 27001 best practices, staff education, and properly executed security procedures for data backup and software patching, the reality is that state-sponsored cyber criminals from China, North Korea and elsewhere are tireless and are not going away. If you do get hit by a crypto-ransomware attack, remember that Progent's team of professionals has proven experience in ransomware defense, removal, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were helping), thank you for letting me get rested after we made it over the initial fire. All of you did a fabulous job, and if anyone that helped is in the Chicago area, dinner is on me!"
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this customer case study, see Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Recovery Services in Porto Alegre
For ransomware system recovery expertise in the Porto Alegre area, call Progent at 800-462-8800 or visit Contact Progent.