Ransomware : Your Crippling IT Disaster
Crypto-ransomware has become a modern cyberplague that represents an extinction-level threat for businesses of all sizes that are vulnerable to an attack. Different versions of ransomware such as the CryptoLocker, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been replicating for years and still inflict harm. More recent variants such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, as well as daily as-yet-unnamed newcomers, not only encrypt online files but also infiltrate all available system restores and backups. Files synched to off-site disaster recovery sites can also be encrypted. In a vulnerable environment, this can make automatic restoration impossible and effectively sets the network back to square one.
Getting applications and data back on-line after a crypto-ransomware outage becomes a sprint against time as the targeted business struggles to contain the damage, clear the virus, and restore enterprise-critical activity. Since crypto-ransomware requires time to spread, assaults are frequently launched on weekends and holidays, when successful penetrations are likely to take longer to uncover. This multiplies the difficulty of quickly assembling and coordinating a qualified mitigation team.
Progent makes available an assortment of services for protecting Virginia Beach organizations from ransomware events. Among these are team member training to help identify and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of modern security solutions with AI capabilities to quickly identify and suppress zero-day threats. Progent can also provide the assistance of veteran ransomware recovery engineers with the track record and perseverance to re-deploy a breached network as rapidly as possible.
Progent's Crypto-Ransomware Recovery Support Services
Following a ransomware attack, paying the ransom demand in Bitcoin cryptocurrency does not guarantee that the criminal gang will respond with the keys to decrypt any or all of your files. Kaspersky Labs determined that 17% of ransomware victims never recovered their files after having sent off the ransom, resulting in increased losses. The ransom itself is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the typical ransomware demand, which ZDNET determined to be approximately $13,000 for small organizations. The other path is to re-install the vital elements of your IT environment. Without the availability of full data backups, this requires a wide complement of skills, professional project management, and the willingness to work non-stop until the job is over.
For decades, Progent has provided professional Information Technology services for companies across the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have attained advanced industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have garnered internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial systems and ERP applications. This breadth of expertise allows Progent to quickly identify critical systems, consolidate the surviving parts of your computer network after a ransomware penetration, and assemble them into a functioning network.
Progent's recovery group deploys top-notch project management tools to orchestrate the complicated restoration process. Progent appreciates the urgency of acting rapidly and works together with a customer's management and IT team members to prioritize tasks and to put essential services back on line as soon as humanly possible.
Customer Case Study: A Successful Ransomware Penetration Recovery
A customer escalated to Progent after their network was attacked by Ryuk crypto-ransomware. Ryuk is generally considered to have been created by North Korean state-sponsored cybercriminals, suspected of using tools leaked from America's NSA. Ryuk targets specific businesses with limited room for operational disruption and is one of the most profitable incarnations of ransomware malware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company headquartered in Chicago with about 500 workers. The Ryuk attack had frozen all business operations and manufacturing capabilities. Most of the client's data backups had been directly accessible at the start of the intrusion and were destroyed. The client considered paying the ransom (exceeding $200,000) and hoping for the best, but in the end made the decision to use Progent.
"I cannot tell you enough about the help Progent gave us during the most stressful period of (our) company's survival. We would have paid the criminal gangs if not for the confidence the Progent experts provided us. The fact that you could get our e-mail system and production servers back on-line faster than one week was something I thought impossible. Each expert I spoke to or e-mailed at Progent was urgently focused on getting us operational and was working 24 by 7 on our behalf."
Progent worked together with the client to quickly identify and prioritize the critical services that had to be recovered to make it possible to restart company functions:
- Windows Active Directory
- Microsoft Exchange Server
- Accounting and Manufacturing Software
To begin, Progent followed ransomware incident mitigation industry best practices by isolating and disinfecting systems. Progent then initiated the work of bringing Microsoft Active Directory back online, the heart of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange messaging will not function without Windows AD, and the customer's MRP system used SQL Server, which requires Windows AD for authentication to the databases.
Within 2 days, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then assisted with rebuilding and storage recovery of mission-critical systems. All Exchange data and attributes were usable, which facilitated the restore of Exchange. Progent was also able to collect local OST files (Outlook Off-Line Folder Files) from staff PCs and laptops in order to recover email data. A recent offline backup of the business's accounting/ERP software allowed these vital applications to be brought back on-line. Although a lot of work remained to recover completely from the Ryuk damage, essential services were returned to operation rapidly:
"For the most part, the assembly line operation was never shut down and we produced all customer shipments."
Throughout the following few weeks, key milestones in the restoration process were reached in close collaboration between Progent consultants and the customer:
- Internal web sites were brought back up with no loss of data.
- The MailStore Server, holding more than 4 million archived emails, was brought back up and made available to users.
- CRM, Customer Orders, Invoicing, Accounts Payable (AP), Accounts Receivable (AR) and Inventory capabilities were 100 percent restored.
- A new Palo Alto 850 firewall was deployed.
- Most of the user desktops were fully operational.
"Much of what was accomplished that first week is mostly a blur for me, but my team will not soon forget the dedication all of your team put in to help get our business back. I have trusted Progent for the past 10 years, possibly more, and every time I needed help Progent has impressed me and delivered. This event was a testament to your capabilities."
A likely business-ending disaster was dodged with top-tier experts, a broad array of knowledge, and tight teamwork. Although, in analyzing the event afterwards, the ransomware attack described here should have been identified and blocked by advanced cyber security technology, recognized best practices, staff training, properly executed incident response procedures for data protection, and proper patching controls, the fact remains that government-sponsored cybercriminals from China, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware incident, remember that Progent's team of experts has substantial experience in ransomware defense, cleanup, and data recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thanks very much for allowing me to get rested after we got over the initial push. All of you did an incredible job, and if any of your team is in the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Consulting Services in Virginia Beach
For ransomware system recovery consulting in the Virginia Beach metro area, phone Progent at 800-462-8800 or visit Contact Progent.