Ransomware : Your Crippling IT Catastrophe
Ransomware has become a modern cyberplague that poses an extinction-level threat to businesses of all sizes that are poorly prepared for an attack. Crypto-ransomware families such as CrySIS, CryptoWall, Locky, NotPetya and the MongoLock cryptoworm have been circulating for many years and still inflict harm. More recent strains of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Nephilim, as well as many unnamed variants, not only encrypt on-line data but also seek out and encrypt any reachable system backups. Files replicated to the cloud can also be encrypted. Where the data protection solution is vulnerable, this can render automated recovery useless and effectively set the network back to zero.
Retrieving services and data after a crypto-ransomware outage becomes a race against time as the targeted organization struggles to contain the damage and eradicate the crypto-ransomware and to resume mission-critical operations. Since ransomware needs time to move laterally, assaults are frequently launched on weekends and holidays, when penetrations may take more time to uncover. This compounds the difficulty of rapidly assembling and coordinating a capable mitigation team.
Progent offers a variety of services for protecting Porto Alegre businesses from crypto-ransomware events. Among these are staff training to help employees recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of modern security solutions with artificial intelligence technology to quickly identify and contain zero-day cyber attacks. Progent also offers the services of experienced ransomware recovery engineers with the talent and perseverance to reconstruct a compromised environment as rapidly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware event, paying the ransom in cryptocurrency does not ensure that the criminal gangs will return the keys needed to decrypt any or all of your information. Kaspersky Labs determined that seventeen percent of crypto-ransomware victims never recovered their files even after paying the ransom, resulting in additional losses. The ransom itself is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above typical ransomware demands, which ZDNET estimated at approximately $13,000 for smaller organizations. The other path is to piece back together the mission-critical elements of your IT environment. Without complete data backups, this calls for a wide range of IT skills, top-notch project management, and the willingness to work continuously until the recovery project is done.
For decades, Progent has made available expert IT services for companies throughout the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have been awarded advanced certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have earned internationally-renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience with financial management and ERP software solutions. This breadth of experience provides Progent the capability to quickly understand critical systems and integrate the remaining pieces of your IT environment after a crypto-ransomware penetration and rebuild them into an operational network.
Progent's recovery group uses powerful project management systems to orchestrate the sophisticated recovery process. Progent appreciates the urgency of acting swiftly and in concert with a customer's management and Information Technology team members to assign priority to tasks and to get essential applications back on line as soon as possible.
Client Story: A Successful Ransomware Attack Restoration
A business hired Progent after their company was brought down by the Ryuk crypto-ransomware. Ryuk is generally considered to have been developed by North Korean government sponsored criminal gangs, suspected of adopting algorithms leaked from the United States National Security Agency. Ryuk targets specific organizations with limited ability to sustain disruption and is one of the most profitable iterations of ransomware viruses. Major targets have included Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturer based in Chicago with around 500 workers. The Ryuk intrusion had paralyzed all business operations and manufacturing capabilities. The majority of the client's backups had been on-line at the start of the attack and were encrypted. The client was taking steps toward paying the ransom demand (exceeding $200K) and hoping for the best, but in the end engaged Progent.
"I can't say enough about the care Progent provided us during the most stressful time of (our) company's survival. We may have had to pay the Hackers if not for the confidence the Progent team afforded us. That you could get our e-mail system and important applications back online faster than one week was beyond my wildest dreams. Each consultant I worked with or communicated with at Progent was totally committed to getting my company operational and was working at breakneck pace to bail us out."
Progent worked hand in hand with the customer to rapidly assess and prioritize the key systems that had to be addressed in order to restart business operations:
- Windows Active Directory
To begin, Progent followed industry best practices for malware incident response by stopping the spread and cleaning up compromised systems. Progent then initiated the task of bringing Active Directory back online, the heart of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not operate without Active Directory, and the customer's MRP software used Microsoft SQL Server, which relies on Active Directory for authentication and authorization to the databases.
In less than 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then completed reinstallations and storage recovery on the most important servers. All Exchange Server ties and configuration information were intact, which facilitated the restore of Exchange. Progent was also able to find intact OST data files (Microsoft Outlook Offline Folder Files) on various workstations in order to recover mail messages. A recent offline backup of the business's accounting/ERP systems made it possible to bring these vital services back on-line. Although major work still had to be done to recover completely from the Ryuk virus, core services were restored rapidly:
"For the most part, the assembly line operation survived unscathed and we produced all customer sales."
Over the following couple of weeks, critical milestones in the restoration process were reached through tight cooperation between Progent consultants and the client:
- In-house web applications were brought back up without losing any data.
- The MailStore Server archive, holding more than 4 million historical emails, was brought online and made accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/AR/Inventory modules were 100% operational.
- A new Palo Alto 850 security appliance was installed and configured.
- Nearly all of the user desktops and notebooks were back in use by staff.
"A huge amount of what happened during the initial response is mostly a fog for me, but my team will not soon forget the care each of the team put in to give us our business back. I have trusted Progent for the past ten years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This event was a Herculean accomplishment."
A probable business-ending disaster was averted thanks to results-oriented professionals, a broad range of subject matter expertise, and close teamwork. In the post-incident analysis, the ransomware penetration detailed here would have been identified and prevented with current cyber security technology solutions and NIST Cybersecurity Framework best practices, team training, and well-designed security procedures for information backup and software patching. Nonetheless, the reality remains that state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware incursion, remember that Progent's roster of experts has substantial experience in ransomware virus blocking, cleanup, and data recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for letting me get some sleep after we got through the initial push. All of you did an amazing job, and if any of your team is around the Chicago area, dinner is my treat!"
Download the Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this customer story, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)