Crypto-Ransomware: Your Feared Information Technology Nightmare
Ransomware has become an all-too-frequent cyberplague that poses an extinction-level danger to businesses vulnerable to attack. Ransomware families such as CrySIS, Fusob, Locky, SamSam and MongoLock have been running rampant for a long time and still inflict destruction. Newer variants such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, as well as frequent unnamed strains, not only encrypt critical online data but also go after any configured system backup they can reach. Data replicated to cloud environments can also be rendered useless. In a poorly architected system, this can defeat automated restore operations and set the datacenter back to square one.
Restoring applications and data after a crypto-ransomware attack becomes a race against time as the targeted organization struggles to contain and clean up the ransomware and to resume mission-critical operations. Because ransomware needs time to spread, intrusions are frequently launched on weekends, when a successful attack typically takes longer to notice. This compounds the difficulty of rapidly mobilizing and orchestrating a qualified mitigation team.
Progent offers an assortment of services for protecting Albuquerque enterprises from ransomware attacks. These include team training to help staff identify and avoid phishing scams, and ProSight Active Security Monitoring for endpoint detection and response, which uses SentinelOne's behavior-based cyberthreat defense to detect and quarantine zero-day malware attacks. Progent can also provide the assistance of seasoned ransomware recovery professionals with the talent and commitment to rebuild a compromised system as quickly as possible.
Progent's Crypto-Ransomware Recovery Services
After a ransomware intrusion, sending the ransom in Bitcoin does not ensure that the cyber criminals will respond with the keys to decrypt any of your data. Kaspersky Labs ascertained that seventeen percent of ransomware victims never restored their data after having sent off the ransom, resulting in increased losses. Paying is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the usual ransomware demand, which ZDNET estimated to be in the range of $13,000 for small organizations. The alternative is to rebuild the key parts of your Information Technology environment. Without full data backups, this calls for a broad range of skill sets, top-notch team management, and the capability to work non-stop until the recovery project is finished.
For two decades, Progent has offered certified expert Information Technology services for businesses throughout the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have earned top certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have earned internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience with financial management and ERP software solutions. This breadth of expertise gives Progent the skills to rapidly understand the necessary systems, consolidate the remaining parts of your IT environment following a crypto-ransomware attack, and rebuild them into an operational system.
Progent's ransomware team uses top-notch project management systems to orchestrate the sophisticated recovery process. Progent knows the importance of acting rapidly and in close coordination with a client's management and Information Technology staff to prioritize tasks and to get key systems back online as fast as possible.
Customer Story: A Successful Ransomware Virus Restoration
A client sought out Progent after their organization was brought down by Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state-sponsored hackers, possibly adopting strategies leaked from America's NSA. Ryuk targets specific companies with little or no tolerance for operational disruption and is among the most profitable incarnations of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturer headquartered in Chicago with about 500 staff members. The Ryuk intrusion had frozen all company operations and manufacturing capabilities. Most of the client's backup copies had been online at the beginning of the intrusion and were encrypted. The client was evaluating paying the ransom demand (exceeding $200K) and hoping for good luck, but ultimately engaged Progent.
"I cannot tell you enough about the expertise Progent gave us throughout the most stressful period of (our) company's life. We would have had little choice but to pay the cybercriminals if it weren't for the confidence the Progent experts afforded us. The fact that you could get our e-mail and key applications back online in less than five days was amazing. Each expert I worked with or messaged at Progent was hell-bent on getting us working again and was working at breakneck pace on our behalf."
Progent worked with the client to quickly assess and prioritize the critical elements that had to be recovered so that business functions could continue:
- Windows Active Directory
- Microsoft Exchange
- MRP System
To begin, Progent followed ransomware incident mitigation best practices by halting lateral movement and cleaning up infected systems. Progent then began the work of bringing Microsoft Active Directory back online, the key technology underlying enterprise systems built on Microsoft Windows Server. Microsoft Exchange Server email will not operate without Windows AD, and the business's accounting and MRP applications used SQL Server, which depends on Active Directory to authorize access to the data.
Within 48 hours, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then helped perform setup and hard drive recovery on key systems. All Exchange Server connections and configuration information were intact, which facilitated the restore of Exchange. Progent was also able to collect intact OST files (Microsoft Outlook Offline Data Files) from user workstations in order to recover mail data. A relatively recent offline backup of the customer's financials/MRP software made it possible to bring these essential applications back to users. Although a lot of work remained to recover fully from the Ryuk incident, core services were restored quickly:
"For the most part, the manufacturing operation did not miss a beat and we delivered all customer shipments."
During the following few weeks, key milestones in the restoration project were accomplished in close cooperation between Progent team members and the customer:
- In-house web sites were restored without losing any information.
- The MailStore Exchange Server containing more than 4 million historical emails was brought back up and made available to users.
- CRM/Orders/Invoicing/AP/AR/Inventory Control functions were completely restored.
- A new Palo Alto Networks 850 security appliance was installed.
- Nearly all of the desktops and laptops were back into operation.
"Much of what went on in the early hours is mostly a fog for me, but I will not soon forget the care all of you put in to give us our company back. I've utilized Progent for the past 10 years, maybe more, and each time I needed help Progent has impressed me and delivered as promised. This time was a life saver."
A potential business-killing catastrophe was dodged through hard-working experts, a broad range of IT skills, and tight collaboration. In hindsight, the crypto-ransomware intrusion described here could have been prevented with up-to-date cyber security solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user education, and well-thought-out security procedures for data protection and software patching. The fact remains, however, that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and will keep attacking. If you do fall victim to a ransomware intrusion, remember that Progent's team of experts has a proven track record in ransomware blocking, mitigation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), I'm grateful for making it so I could get rested after we made it past the first week. Everyone made an amazing effort, and if anyone that helped is around the Chicago area, dinner is on me!"
Download the Ransomware Removal Case Study Datasheet
A PDF version of this case study is available for review or download: Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Recovery Consulting Services in Albuquerque
For ransomware system restoration consulting in the Albuquerque metro area, phone Progent at 800-462-8800 or visit Contact Progent.