Ransomware: Your Feared Information Technology Catastrophe
Crypto-ransomware has become a modern cyber plague that presents an extinction-level threat for organizations vulnerable to an attack. Different iterations of ransomware such as the CryptoLocker, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for a long time and continue to cause havoc. More recent strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Egregor, along with as yet unnamed newcomers appearing daily, not only encrypt on-line data files but also compromise every reachable system protection, backups included. Data synched to cloud environments can also be rendered useless. In a poorly architected data protection solution, this can make any restoration hopeless and effectively sets the datacenter back to zero.
Getting programs and data back after a crypto-ransomware intrusion becomes a sprint against time as the targeted business struggles to contain the damage, eradicate the ransomware, and restore business-critical activity. Because crypto-ransomware needs time to spread, attacks are usually launched on weekends and holidays, when penetrations are likely to take longer to recognize. This compounds the difficulty of promptly marshalling and orchestrating a qualified mitigation team.
Progent offers a range of solutions for protecting Montgomery businesses from ransomware penetrations. These include team training to help staff identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of modern security appliances with artificial intelligence capabilities that automatically identify and quarantine zero-day cyber attacks. Progent also provides the assistance of veteran ransomware recovery engineers with the talent and perseverance to reconstruct a compromised network as rapidly as possible.
Progent's Crypto-Ransomware Restoration Services
After a ransomware attack, paying the ransom in Bitcoin cryptocurrency does not guarantee that the distant criminals will respond with the keys to decrypt any or all of your information. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their files after having paid the ransom, resulting in additional losses. Taking that risk is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is significantly above the typical ransomware demand, which ZDNET estimated to be around $13,000 for small businesses. The alternative is to re-install the vital components of your IT environment. Absent access to full system backups, this requires a wide range of skills, professional project management, and the ability to work continuously until the task is complete.
For two decades, Progent has offered professional Information Technology services to companies across the U.S. and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have attained high-level certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with financial systems and ERP application software. This breadth of experience gives Progent the capability to rapidly understand important systems, consolidate the surviving pieces of your network environment after a ransomware event, and assemble them into a functioning network.
Progent's recovery team uses state-of-the-art project management systems to orchestrate the complex restoration process. Progent knows the importance of working swiftly and together with a client's management and IT staff to assign priority to tasks and to get essential systems back online as soon as possible.
Customer Case Study: A Successful Ransomware Intrusion Recovery
A customer sought out Progent after their company was penetrated by the Ryuk ransomware. Ryuk is thought to have been created by North Korean state-sponsored criminal gangs, possibly using algorithms leaked from the United States National Security Agency. Ryuk targets specific companies with limited tolerance for disruption and is one of the most lucrative incarnations of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in Chicago with around 500 workers. The Ryuk event had disabled all business operations and manufacturing capabilities. Most of the client's backups had been directly accessible at the start of the intrusion and were encrypted. The client was considering paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.
"I cannot thank you enough for the care Progent provided us throughout the most stressful time of (our) company's existence. We may have had to pay the cyber criminals behind the attack if it wasn't for the confidence the Progent group afforded us. That you were able to get our e-mail and key servers back online sooner than seven days was amazing. Each consultant I spoke to or texted at Progent was laser focused on getting us working again and was working day and night on our behalf."
Progent worked with the client to rapidly identify and prioritize the key services that needed to be addressed in order to keep departmental functions running:
- Active Directory (AD)
To begin, Progent followed industry best practices for incident response by stopping lateral movement and cleaning systems of malware. Progent then began the steps of recovering Microsoft Active Directory, the key technology of enterprise networks built on Microsoft Windows Server. Microsoft Exchange Server messaging will not work without AD, and the customer's accounting and MRP system ran on Microsoft SQL Server, which depends on Active Directory for authentication to the databases.
In less than 48 hours, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then assisted with setup and hard drive recovery of essential servers. All Exchange schema and configuration information was intact, which accelerated the rebuild of Exchange. Progent was able to collect local OST files (Outlook Off-Line Folder Files) from team workstations to recover mail messages. A recent off-line backup of the client's accounting/ERP systems made it possible to return these essential services to users. Although a large amount of work remained to recover fully from the Ryuk damage, essential systems were returned to operation quickly:
"For the most part, the production operation survived unscathed and we produced all customer orders."
Over the following couple of weeks, important milestones in the restoration project were completed through close cooperation between Progent team members and the client:
- In-house web applications were restored without losing any data.
- The MailStore Server with over 4 million archived messages was brought online and available for users.
- CRM/Orders/Invoicing/Accounts Payable/Accounts Receivable (AR)/Inventory Control modules were 100 percent recovered.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- Most of the desktop computers were operational.
"So much of what occurred in the early hours is nearly entirely a fog for me, but our team will not soon forget the urgency all of you put in to help get our company back. I have been working together with Progent for at least 10 years, maybe more, and every time I needed help Progent has shined and delivered as promised. This time was the most impressive ever."
A probable business catastrophe was avoided thanks to hard-working experts, a broad array of knowledge, and tight collaboration. In hindsight, the ransomware incident described here could have been identified and stopped with up-to-date cyber security systems, NIST Cybersecurity Framework best practices, staff education, appropriate incident response procedures for data protection, and proper patching controls. The reality, however, is that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and are not going away. If you do get hit by a ransomware incursion, remember that Progent's team of experts has extensive experience in ransomware blocking, cleanup, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were involved), thank you for making it so I could get some sleep after we got over the initial push. Everyone did an incredible job, and if any of your team is in the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)