Ransomware: Your Feared Information Technology Catastrophe
Crypto-ransomware has become an all-too-frequent cyber pandemic that represents an extinction-level threat for businesses of any size that are vulnerable to an attack. Earlier ransomware families such as CryptoLocker, Fusob, Bad Rabbit, SamSam and MongoLock have been running rampant for years and still cause harm. Modern strains such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, along with as-yet-unnamed variants that appear daily, not only encrypt online data but also reach most accessible system restore points and backups. Files synchronized to off-site disaster recovery sites can be encrypted as well. In a vulnerable environment this can make automated restoration hopeless and effectively knocks the datacenter back to zero.
Restoring applications and data after a ransomware event becomes a race against the clock as the victim struggles to contain and clean up the crypto-ransomware and to restore mission-critical activity. Because ransomware takes time to spread, attacks are often launched during nights and weekends, when an intrusion is likely to take longer to detect. This multiplies the difficulty of promptly mobilizing and coordinating a knowledgeable response team.
Progent offers a range of support services for protecting Porto Alegre organizations from crypto-ransomware attacks. These include user training to recognize and avoid phishing exploits, and ProSight Active Security Monitoring for endpoint detection and response, which uses SentinelOne's AI-based cyberthreat defense to identify and suppress zero-day malware attacks. Progent also offers the services of experienced crypto-ransomware recovery consultants with the skills and perseverance to reconstruct a breached network as quickly as possible.
Progent's Ransomware Recovery Help
After a crypto-ransomware event, even paying the ransom in cryptocurrency does not guarantee that the criminals will hand over the keys to decrypt any or all of your data. Kaspersky determined that seventeen percent of ransomware victims never recovered their data even after paying the ransom, resulting in additional losses. Paying is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the average ransomware demand, which ZDNET determined to be approximately $13,000 for small organizations. The alternative is to rebuild the key parts of your IT environment. Without access to complete system backups, this calls for a wide complement of skills, professional project management, and the ability to work continuously until the recovery is complete.
For twenty years, Progent has provided certified expert Information Technology services for companies across the United States and has achieved Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who hold top certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security experts hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise with accounting and ERP applications. This breadth of expertise gives Progent the skills to knowledgeably identify the necessary systems, organize the surviving components of your Information Technology environment following a ransomware intrusion, and assemble them into an operational system.
Progent's ransomware team uses top-notch project management tools to orchestrate the complex recovery process. Progent appreciates the urgency of acting swiftly and in unison with a customer's management and Information Technology staff to prioritize tasks and to get the most important applications back online as soon as humanly possible.
Business Case Study: A Successful Crypto-Ransomware Incident Recovery
A business contacted Progent after its network had been taken over by the Ryuk crypto-ransomware. Ryuk is believed to have been created by North Korean government-sponsored criminal gangs, possibly using techniques leaked from the United States NSA. Ryuk targets specific businesses with little tolerance for operational disruption and is one of the most profitable examples of ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company based in the Chicago metro area with about 500 staff members. The Ryuk attack had paralyzed all essential business operations and manufacturing processes. The majority of the client's data backups had been online at the start of the intrusion and were eventually encrypted. The client was preparing to pay the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.
"I cannot speak enough in regards to the support Progent provided us during the most fearful period of (our) company's survival. We most likely would have paid the criminal gangs except for the confidence the Progent group gave us. That you were able to get our messaging and essential applications back in less than one week was incredible. Every single expert I talked with or e-mailed at Progent was amazingly focused on getting our system up and was working day and night to bail us out."
Progent worked together with the customer to rapidly identify and prioritize the critical applications that had to be restored so that departmental functions could continue:
- Windows Active Directory
- Electronic Mail
To begin, Progent followed malware incident response best practices by stopping the spread and disinfecting systems. Progent then started the work of restoring Windows Active Directory, the heart of enterprise networks built on Microsoft Windows Server technology. Exchange messaging will not operate without AD, and the customer's accounting and MRP system used Microsoft SQL Server, which depends on Active Directory for authentication and authorization to the database.
Within two days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then assisted with reinstallation and storage recovery on the most important servers. All Exchange data and attributes were intact, which greatly simplified the rebuild of Exchange. Progent was also able to collect intact OST files (Outlook Offline Folder files) from user workstations to recover email content. A recent offline backup of the customer's accounting systems allowed these essential applications to be brought back online for users. Although a large amount of work remained to recover completely from the Ryuk attack, critical services were restored quickly:
"For the most part, the production operation never missed a beat and we did not miss any customer sales."
During the following couple of weeks, key milestones in the recovery project were reached through close cooperation between Progent consultants and the client:
- Self-hosted web applications were returned to operation without losing any data.
- The MailStore server for Microsoft Exchange, which held more than four million historical messages, was brought back online and made accessible to users.
- CRM, customer orders, invoicing, accounts payable, accounts receivable, and inventory control capabilities were fully restored.
- A new Palo Alto Networks 850 firewall was deployed.
- 90% of the user workstations were fully operational.
"A huge amount of what transpired during the initial response is mostly a haze for me, but we will not soon forget the countless hours each and every one of the team put in to help get our business back. I have been working with Progent for the past 10 years, maybe more, and every time Progent has impressed me and delivered. This situation was the most impressive ever."
A probable business-ending disaster was averted through the efforts of dedicated experts, a broad spectrum of subject matter expertise, and close collaboration. Post-incident forensics showed that the ransomware attack described here could have been prevented with advanced security solutions, ISO/IEC 27001 best practices, user and IT administrator training, and well-designed incident response procedures for information protection and software patching. The reality, however, is that government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and are not going away. If you are hit by a ransomware intrusion, you can be confident that Progent's team of professionals has substantial experience in crypto-ransomware defense, remediation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), I'm grateful to you for allowing me to get some sleep after we got over the most critical parts. All of you made an impressive effort, and if any of your team is in the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Consulting in Porto Alegre
For ransomware system recovery services in the Porto Alegre area, phone Progent at 800-462-8800 or see Contact Progent.