Ransomware : Your Worst IT Nightmare
Crypto-ransomware has become a modern cyber plague that poses an existential threat to businesses of all sizes that are poorly prepared for an attack. Ransomware families such as Dharma, Fusob, Locky, SamSam and MongoLock have been in the wild for years and continue to inflict damage. Modern variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Nephilim, as well as newer, as yet unnamed strains, not only encrypt on-line data files but also attack all configured system protection mechanisms. Data replicated to off-site disaster recovery sites can also be rendered useless. In a poorly designed data protection solution, this can make automated restore operations hopeless and effectively set the entire system back to square one.
Restoring on-line services and data after a ransomware outage becomes a race against time as the victim tries to contain the damage, clear the crypto-ransomware and restore business-critical activity. Because ransomware takes time to move laterally, attacks are often launched on weekends, when they may take longer to discover. This compounds the difficulty of rapidly marshalling and organizing a capable mitigation team.
Progent provides a range of services to help secure Montgomery organizations against ransomware attacks. These include staff training to recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security appliances with AI technology to rapidly detect and suppress zero-day cyber attacks. Progent can also provide expert ransomware recovery consultants with the track record and perseverance to re-deploy a compromised network as rapidly as possible.
Progent's Ransomware Restoration Support Services
Following a ransomware penetration, paying the ransom in cryptocurrency does not ensure that the criminal gang will respond with the keys to decrypt any of your files. Kaspersky Labs found that seventeen percent of ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000), well above the average ransomware demand, which ZDNET estimated at approximately $13,000 for smaller businesses. The alternative is to set up the essential parts of your IT environment from scratch. Without access to essential data backups, this calls for a broad complement of skills, professional team management, and the willingness to work non-stop until the recovery project is complete.
For two decades, Progent has provided professional IT services to businesses across the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold high-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts hold internationally recognized certifications including CISM, CISSP, CRISC, and GIAC. (Visit Progent's certifications.) Progent also has experience with accounting and ERP application software. This breadth of expertise gives Progent the skills to rapidly identify critical systems, re-organize the surviving components of your network following a ransomware penetration, and assemble them into a functioning network.
Progent's ransomware group uses state-of-the-art project management systems to orchestrate the complex restoration process. Progent understands the urgency of acting rapidly and in unison with a client's management and IT staff to prioritize tasks and get critical services back on-line as soon as possible.
Customer Case Study: A Successful Ransomware Intrusion Restoration
A customer escalated to Progent after their company was penetrated by Ryuk ransomware. Ryuk is thought to have been launched by North Korean state-sponsored hackers, possibly using technology leaked from the United States National Security Agency. Ryuk targets specific companies with limited ability to sustain operational disruption and is one of the most lucrative ransomware variants. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company in the Chicago metro area with around 500 employees. The Ryuk penetration had paralyzed all company operations and manufacturing. Most of the client's backups had been online at the start of the intrusion and were destroyed. The client was considering paying the ransom demand (exceeding two hundred thousand dollars) and hoping for the best, but in the end brought in Progent.
"I can't tell you enough about the help Progent provided us throughout the most fearful period of (our) company's existence. We may have had to pay the hackers behind this attack except for the confidence the Progent group gave us. The fact that you were able to get our e-mail system and essential servers back on-line faster than five days was earth shattering. Each staff member I got help from or messaged at Progent was amazingly focused on getting our system up and was working 24/7 on our behalf."
Progent worked hand in hand with the customer to rapidly assess and prioritize the key systems that had to be recovered in order to resume business operations:
To start, Progent followed industry best practices for malware incident containment by isolating and cleaning the compromised systems. Progent then began restoring Active Directory, the foundation of enterprise systems built on Microsoft Windows Server. Microsoft Exchange email will not function without Active Directory, and the client's financial and MRP software used Microsoft SQL Server, which depends on Windows AD to authenticate access to the data.
- Microsoft Active Directory
Within 48 hours, Progent restored Active Directory to its pre-attack state. Progent then began reinstalling key applications and recovering hard drives. All Microsoft Exchange Server schema and configuration information was intact, which greatly helped the rebuild of Exchange. Progent was able to collect unencrypted OST files (Outlook Offline Data Files) from user desktops and laptops to recover mail data. A reasonably recent off-line backup of the business's accounting/MRP software allowed these essential applications to be returned to service. Although a large amount of work remained to recover completely from the Ryuk virus, the most important services were returned to operation rapidly:
"For the most part, the production line operation ran fairly normal throughout and we did not miss any customer shipments."
Over the next month, important milestones in the restoration project were completed in close collaboration between Progent engineers and the customer:
- Internal web sites were restored without losing any information.
- The MailStore archive for Microsoft Exchange Server, holding more than 4 million archived messages, was restored to operation and made available to users.
- CRM, product ordering, invoicing, accounts payable (AP), accounts receivable (AR) and inventory capabilities were completely recovered.
- A new Palo Alto 850 security appliance was installed and configured.
- Nearly all user desktops were functioning as they had before the incident.
"Much of what transpired those first few days is mostly a blur for me, but my management will not forget the commitment each and every one of your team accomplished to give us our company back. I have been working with Progent for at least 10 years, possibly more, and every time Progent has come through and delivered as promised. This time was the most impressive ever."
A potentially business-ending disaster was averted by dedicated experts, a broad range of IT skills, and tight teamwork. In hindsight, the crypto-ransomware incident described here would have been identified and stopped by modern cyber security technology, recognized best practices, user education, and well designed procedures for data backup and security patching. The reality remains, however, that state-sponsored and criminal cyber gangs from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incident, remember that Progent's roster of professionals has proven experience in crypto-ransomware blocking, removal, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thanks very much for allowing me to get rested after we got through the most critical parts. Everyone did an incredible job, and if anyone that helped is around the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this customer story, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)