Ransomware: Your Crippling IT Disaster
Ransomware has become an escalating cyber pandemic and represents an enterprise-level threat to organizations that are poorly prepared for an attack. Ransomware families such as CrySIS, Fusob, Bad Rabbit, SamSam and MongoLock have been running rampant for years and continue to wreak havoc. Modern strains like Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, plus a steady stream of as-yet-unnamed variants, not only encrypt online files but also attempt to disable or destroy every configured protection they can reach, such as volume shadow copies and online backups. Data synchronized to the cloud can also be encrypted and held to ransom. In a vulnerable environment this can render normal recovery useless and effectively knocks the network back to zero.
Recovering programs and data after a ransomware intrusion becomes a race against the clock as the targeted business fights to contain the damage, eradicate the ransomware and resume mission-critical operations. Because attackers need time to move laterally before they trigger encryption, the encryption phase is frequently launched on weekends and at night, when it typically takes longer to notice and when it is harder to mobilize and coordinate an experienced response team promptly.
Progent offers a range of services for protecting Albuquerque businesses from ransomware attacks. These include staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and the setup and configuration of modern security appliances that use machine learning to automatically detect and quarantine zero-day threats. Progent also offers the assistance of seasoned ransomware recovery professionals with the track record and commitment to rebuild a breached network as urgently as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware attack, even paying the ransom in cryptocurrency does not guarantee that the attackers will provide working keys to decrypt all your data. Kaspersky Lab found that seventeen percent of ransomware victims who paid never recovered their files, compounding their losses. The gamble is also expensive: Ryuk ransoms frequently range from fifteen to forty BTC (roughly $120,000 to $400,000), far above typical ransomware demands, which ZDNet reported to be around $13,000 for small businesses. The alternative is to rebuild the essential components of your IT environment from scratch. Without complete, intact backups, this calls for a wide range of IT skills, well-coordinated project management, and the capacity to work around the clock until the job is done.
For decades, Progent has provided professional IT services to businesses throughout the US and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who hold advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity engineers hold internationally recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has experience with accounting and ERP applications. This breadth of experience gives Progent the ability to quickly understand critical systems, integrate the surviving pieces of your IT environment after a ransomware intrusion, and rebuild them into an operational network.
Progent's security team uses proven project management systems to orchestrate the complex restoration process. Progent understands the urgency of acting quickly and in unison with a client's management and IT staff to prioritize tasks and bring key services back online as fast as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Intrusion Response
A customer engaged Progent after their organization was hit by the Ryuk ransomware. Early analyses attributed Ryuk to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; later research tied it to financially motivated Russian-speaking criminal groups. Ryuk targets specific companies that have little ability to sustain operational disruption and is one of the most profitable ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing business based in the Chicago metro area with around 500 employees. The Ryuk incident had halted all company operations and manufacturing processes. Most of the client's backups had been online at the time of the attack and were damaged. The client was preparing to pay the ransom (more than $200,000) and hope for the best, but in the end decided to engage Progent.
"I can't thank you enough in regards to the support Progent provided us throughout the most fearful period of (our) company's existence. We may have had to pay the criminal gangs except for the confidence the Progent team gave us. That you were able to get our messaging and essential applications back on-line in less than a week was earth shattering. Each staff member I talked with or e-mailed at Progent was urgently focused on getting us operational and was working 24/7 on our behalf."
Progent worked with the customer to quickly assess and prioritize the essential applications that had to be restored before departmental functions could resume:
- Microsoft Active Directory
- Microsoft Exchange Server
- MRP System
To get going, Progent followed incident-response best practices by isolating affected systems to stop lateral movement and cleaning infected hosts. Progent then began rebuilding Microsoft Active Directory, the heart of enterprise networks built on Microsoft technology. Exchange will not function without Active Directory, and the client's accounting and MRP system used Microsoft SQL Server, which relied on Active Directory for authenticated access to the database.
Within two days, Progent had rebuilt Active Directory to its pre-attack state. Progent then completed system setup and disk recovery on key servers. All Exchange Server connection and configuration data were intact, which simplified the Exchange rebuild. Progent was also able to recover mail data from local OST files (Outlook offline folder files) found on users' desktop computers and laptops. A recent offline backup of the customer's accounting software made it possible to bring those essential applications back into service. Although major work remained to recover completely from the Ryuk attack, the most important services were restored rapidly:
"For the most part, the production line operation was never shut down and we delivered all customer shipments."
Over the following few weeks, critical milestones in the restoration process were completed through close cooperation between Progent consultants and the client:
- In-house web sites were returned to operation with no loss of data.
- The MailStore archive server, holding over four million archived Exchange emails, was brought back up and made available to users.
- The CRM, Customer Orders, Invoices, Accounts Payable, Accounts Receivable and Inventory modules were fully operational.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- Nearly all user PCs were functioning as they had before the incident.
"Much of what happened in the initial days is nearly entirely a blur for me, but our team will not forget the care each of your team put in to help get our business back. I've entrusted Progent for the past 10 years, maybe more, and each time Progent has outperformed my expectations and delivered as promised. This time was the most impressive ever."
A potentially business-ending catastrophe was averted thanks to results-oriented experts, a broad array of subject matter expertise, and tight collaboration. The post mortem showed that the crypto-ransomware attack described here could have been stopped by current security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and sound procedures for offline backups and timely software patching; the reality, however, is that state-sponsored actors and criminal groups from China, North Korea and elsewhere are relentless and remain an ongoing threat. If you are hit by a ransomware intrusion, you can be confident that Progent's team of experts has proven experience in ransomware blocking, removal, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were involved), I'm grateful for letting me get rested after we got over the first week. All of you did a fabulous effort, and if anyone that helped is visiting the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)