Ransomware : Your Crippling IT Disaster
Crypto-ransomware has become a modern cyber pandemic that presents an existential threat to businesses of all sizes vulnerable to an assault. Earlier iterations of ransomware such as CryptoLocker, WannaCry, Locky, Syskey and the MongoLock cryptoworms have been circulating for many years and still inflict damage. Modern variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Nephilim, along with as yet unnamed newcomers that appear daily, not only encrypt on-line data but also attack the system protection mechanisms most organizations have configured. Information synchronized to off-site disaster recovery sites can also be corrupted. In a vulnerable data protection solution, this can make automated restoration useless and essentially sets the datacenter back to square one.
Getting programs and data back after a crypto-ransomware outage becomes a sprint against the clock as the victim struggles to contain and eradicate the malware and to restore business-critical activity. Because ransomware needs time to move laterally, attacks are usually launched on weekends, when intrusions often take longer to discover. This multiplies the difficulty of quickly marshalling and orchestrating an experienced response team.
Progent has a variety of solutions for protecting San Juan businesses from ransomware events. Among these are staff education to help employees recognize and avoid phishing scams, and ProSight Active Security Monitoring, an endpoint detection and response (EDR) service that uses SentinelOne's AI-based threat protection to identify and suppress zero-day malware assaults. Progent also provides the services of seasoned ransomware recovery engineers with the skills and commitment to re-deploy a breached network as soon as possible.
Progent's Ransomware Restoration Support Services
After a ransomware penetration, paying the ransom in Bitcoin cryptocurrency does not guarantee that the criminal gang will provide the keys to decrypt any of your files. Kaspersky Labs estimated that seventeen percent of ransomware victims never restored their files even after having paid the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the usual ransomware demand, which ZDNET determined to be around $13,000 for smaller organizations. The alternative is to rebuild the mission-critical components of your Information Technology environment. Without access to intact data backups, this calls for a broad range of skill sets, professional team management, and the capability to work 24x7 until the recovery project is complete.
For decades, Progent has offered professional Information Technology services for businesses across the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have attained top industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have earned internationally recognized certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications.) Progent also has experience with financial systems and ERP application software. This breadth of expertise gives Progent the capability to knowledgeably identify critical systems, organize the surviving components of your network after a ransomware event, and configure them into an operational system.
Progent's ransomware group uses top-notch project management tools to coordinate the sophisticated restoration process. Progent appreciates the urgency of working swiftly and in concert with a client's management and IT team members to assign priority to tasks and to put key systems back on-line as fast as possible.
Business Case Study: A Successful Crypto-Ransomware Incident Recovery
A small business escalated to Progent after their network was penetrated by Ryuk crypto-ransomware. Ryuk is generally considered to have been deployed by North Korean government-sponsored hackers, suspected of using algorithms leaked from the U.S. National Security Agency. Ryuk goes after specific companies with limited tolerance for operational disruption and is one of the most lucrative iterations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing company headquartered in the Chicago metro area with about 500 workers. The Ryuk penetration had frozen all essential operations and manufacturing capabilities. The majority of the client's information backups had been directly accessible from the network at the time of the attack and were damaged. The client was preparing to pay the ransom (more than $200,000) and hope for the best, but in the end engaged Progent.
"I can't thank you enough in regards to the support Progent gave us throughout the most fearful time of (our) business's survival. We had little choice but to pay the hackers if not for the confidence the Progent group afforded us. The fact that you could get our messaging and important applications back in less than five days was earth shattering. Each staff member I worked with or communicated with at Progent was laser focused on getting us back on-line and was working 24 by 7 on our behalf."
Progent worked with the customer to quickly identify and prioritize the mission-critical services that had to be addressed in order to resume company functions:
- Windows Active Directory
- Accounting and Manufacturing Software
To begin, Progent followed malware incident mitigation best practices by stopping lateral movement and disinfecting systems. Progent then began the task of rebuilding Microsoft Active Directory (AD), the key technology of enterprise systems built upon Microsoft Windows. Exchange messaging will not operate without Windows AD, and the client's MRP applications relied on Microsoft SQL Server, which requires Active Directory services for authentication to the data.
Within two days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then performed reinstallations and storage recovery of the most important applications. All Microsoft Exchange Server schema and configuration information was usable, which accelerated the rebuild of Exchange. Progent was also able to locate local OST files (Outlook Offline Folder files) on staff desktop computers and laptops to recover email data. A recent offline backup of the customer's financials/ERP systems made it possible to bring these vital applications back online for users. Although a large amount of work still had to be done to recover completely from the Ryuk event, essential services were returned to operation rapidly:
"For the most part, the manufacturing operation showed little impact and we produced all customer deliverables."
Throughout the next few weeks, important milestones in the restoration process were completed through tight cooperation between Progent consultants and the customer:
- Internal web sites were brought back up without losing any information.
- The MailStore archive server for Exchange, holding more than four million archived emails, was brought on-line and made available to users.
- CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivable (AR)/Inventory Control functions were 100% operational.
- A new Palo Alto 850 security appliance was installed and configured.
- Nearly all of the user workstations were back in use by staff.
"A lot of what transpired in the initial days is nearly entirely a haze for me, but my management will not soon forget the urgency each and every one of the team put in to help get our company back. I've trusted Progent for the past 10 years, possibly more, and every time I needed help Progent has come through and delivered as promised. This event was a stunning achievement."
A probable enterprise-killing catastrophe was averted thanks to top-tier experts, a wide spectrum of subject matter expertise, and close collaboration. In retrospect, the crypto-ransomware incident described here would have been identified and stopped with current security technology and best practices, user training, and well-designed procedures for information backup and software patching. Even so, government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware attack, remember that Progent's roster of professionals has a proven track record in ransomware defense, remediation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for letting me get rested after we got through the first week. All of you did an amazing job, and if anyone that helped is in the Chicago area, a great meal is on me!"
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF, 282 KB)
Contact Progent for Ransomware System Restoration Consulting Services in San Juan
For ransomware recovery expertise in the San Juan metro area, phone Progent at 800-462-8800 or visit Contact Progent.