Ransomware: Your Worst Information Technology Disaster
Crypto-ransomware has become an all-too-frequent cyberplague that represents an extinction-level threat for businesses poorly prepared for an attack. Ransomware families such as the CrySIS, Fusob, Locky, Syskey and MongoLock cryptoworms have been replicating for many years and continue to inflict damage. More recent variants like Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, plus new as-yet-unnamed malware appearing daily, not only encrypt online data but also infiltrate any available system protection. Data synchronized to off-site disaster recovery sites can also be ransomed. With a vulnerable data protection solution, this can render restore operations useless and effectively sets the datacenter back to zero.
Bringing programs and information back online after a crypto-ransomware outage becomes a race against the clock as the targeted business fights to stop lateral movement, clear the ransomware, and restore business-critical operations. Because ransomware needs time to move laterally, attacks are often launched during nights and weekends, when they typically take longer to discover. This multiplies the difficulty of rapidly marshalling and coordinating a knowledgeable response team.
Progent offers a variety of services for securing San Juan organizations against crypto-ransomware events. Among these are user training to help staff identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of the latest generation of AI-assisted security solutions that rapidly detect and suppress zero-day threats. Progent also offers the assistance of veteran crypto-ransomware recovery engineers with the track record and perseverance to restore a breached network as quickly as possible.
Progent's Crypto-Ransomware Recovery Support Services
Following a crypto-ransomware attack, paying the ransom demand in Bitcoin does not ensure that the remote criminals will respond with the keys needed to decrypt all your information. Kaspersky Labs determined that 17% of ransomware victims never recovered their information even after paying the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the usual ransomware demand, which ZDNET estimated to be around $13,000 for smaller organizations. The fallback is to piece back together the essential components of your IT environment. Without essential system backups, this requires a wide complement of IT skills, top-notch project management, and the ability to work 24x7 until the task is done.
For two decades, Progent has offered certified expert IT services for businesses throughout the U.S. and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who hold advanced certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have earned internationally recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has experience with financial systems and ERP application software. This breadth of experience gives Progent the skills to rapidly identify the necessary systems, organize the remaining parts of your network environment after a ransomware event, and rebuild them into a functioning system.
Progent's security team uses state-of-the-art project management tools to coordinate the sophisticated restoration process. Progent knows the importance of acting quickly and in unison with a client's management and IT staff to prioritize tasks and to get key services back online as soon as possible.
Customer Story: A Successful Ransomware Penetration Restoration
A customer escalated to Progent after their network was penetrated by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean government-sponsored criminal gangs, suspected of using techniques leaked from the U.S. National Security Agency. Ryuk goes after specific businesses with little or no tolerance for disruption and is one of the most lucrative instances of ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing company headquartered in Chicago with about 500 staff members. The Ryuk event had paralyzed all essential operations and manufacturing capabilities. Most of the client's backups had been online at the time of the intrusion and were damaged. The client was pursuing financing to pay the ransom demand (more than two hundred thousand dollars) and hoping for good luck, but ultimately turned to Progent.
"I cannot thank you enough for the expertise Progent gave us throughout the most critical time of (our) business's existence. We would have had little choice but to pay the cybercriminals except for the confidence the Progent team afforded us. The fact that you were able to get our e-mail and essential applications back online in less than five days was earth shattering. Each expert I worked with or communicated with at Progent was totally committed to getting us back online and was working at all hours to bail us out."
Progent worked with the customer to rapidly identify and prioritize the essential areas that had to be recovered in order to continue company operations:
- Microsoft Active Directory
- Accounting and Manufacturing Software
To begin, Progent followed ransomware incident mitigation best practices by stopping the spread and disinfecting systems. Progent then started rebuilding Active Directory, the heart of enterprise networks built on Microsoft technology. Exchange email will not function without Windows AD, and the client's financial and MRP software ran on SQL Server, which depends on Active Directory for authentication and authorization to the database.
In less than two days, Progent rebuilt Active Directory to its pre-penetration state. Progent then assisted with the setup and hard drive recovery of critical applications. All Exchange Server links and configuration information were intact, which simplified the restore of Exchange. Progent was also able to collect non-encrypted OST files (Outlook Offline Data Files) from various PCs in order to recover mail data. A recent off-line backup of the customer's financials/ERP systems made it possible to return these essential applications to service. Although a large amount of work remained to recover completely from the Ryuk attack, essential services were restored rapidly:
"For the most part, the production line operation was never shut down and we made all customer shipments."
Over the next few weeks, critical milestones in the restoration project were completed through tight cooperation between Progent engineers and the customer:
- In-house web sites were restored with no loss of data.
- The MailStore Exchange Server, holding more than four million archived emails, was restored to operation and made available to users.
- CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivable/Inventory Control capabilities were 100% functional.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- Nearly all of the user workstations were back in use by staff.
"Much of what went on those first few days is mostly a haze for me, but my management will not soon forget the urgency each and every one of you brought to help get our business back. I've utilized Progent for the past 10 years, maybe more, and each time I needed help Progent has shined and delivered as promised. This event was a Herculean accomplishment."
A potential business-killing catastrophe was avoided by dedicated experts, a broad range of technical expertise, and tight collaboration. In hindsight, the ransomware penetration described here should have been prevented by up-to-date security systems and security best practices, user and IT administrator training, and appropriate incident response procedures for data backup and for keeping systems current with security patches. The reality remains, however, that state-sponsored cybercriminals from China, North Korea and elsewhere are tireless and an ongoing threat. If you are hit by a ransomware incident, remember that Progent's team of professionals has substantial experience in ransomware defense, cleanup, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), I'm grateful for making it so I could get some sleep after we got past the initial push. Everyone did an amazing job, and if any of you guys are around the Chicago area, a great meal is the least I can do!"
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)