Ransomware: Your Crippling IT Catastrophe
Crypto-ransomware has become a modern cyberplague that presents an existential danger to organizations unprepared for an attack. Earlier families of crypto-ransomware such as Reveton, Fusob, Bad Rabbit, Syskey and the MongoLock cryptoworm have been circulating for a long time and continue to inflict harm. Modern strains such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Egregor, along with new and as yet unnamed variants appearing daily, not only encrypt online data but also reach most available system backups. Files replicated to the cloud can be rendered useless as well. In a vulnerable environment this can make automatic restoration hopeless and effectively sets the datacenter back to zero.
Getting applications and information back online after a crypto-ransomware outage becomes a race against the clock as the targeted business struggles to contain and eradicate the ransomware and restore business-critical operations. Because ransomware needs time to spread, attacks are frequently launched on weekends, when they are likely to take longer to notice. This compounds the difficulty of promptly assembling and coordinating a qualified response team.
Progent offers a range of services for protecting Montgomery enterprises against ransomware intrusions. These include user education to recognize and avoid phishing lures, and ProSight Active Security Monitoring (ASM), an endpoint detection and response (EDR) service that uses SentinelOne's AI-based threat defense to identify and disable zero-day malware attacks. Progent also provides expert crypto-ransomware recovery consultants with the track record and perseverance to rebuild a compromised environment as rapidly as possible.
Progent's Ransomware Recovery Support Services
After a crypto-ransomware intrusion, paying the ransom demand in Bitcoin does not guarantee that the criminals will respond with the keys to decrypt any of your data. Kaspersky Labs found that 17% of crypto-ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC ($120,000 to $400,000), far higher than the average ransomware demand, which ZDNET estimated at around $13,000 for small organizations. The alternative is to rebuild the key elements of your IT environment. Without usable backups of essential data, this requires a wide range of skill sets, first-rate team management, and the willingness to work 24x7 until the job is done.
For twenty years, Progent has delivered expert IT services to companies across the United States and has earned Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who hold advanced certifications in key technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity specialists hold internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has expertise with financial management and ERP application software. This breadth of expertise enables Progent to quickly identify the systems that matter, consolidate the surviving pieces of your IT environment after a ransomware intrusion, and rebuild them into a working network.
Progent's recovery team uses modern project management tools to orchestrate the complex restoration process. Progent understands the importance of acting swiftly and in unison with the client's management and IT staff to prioritize tasks and bring essential systems back online as fast as humanly possible.
Customer Story: A Successful Ransomware Intrusion Restoration
A customer contacted Progent after their network was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state cybercriminals, suspected of using techniques leaked from the U.S. National Security Agency. Ryuk targets specific organizations with little or no tolerance for operational disruption and is among the most lucrative ransomware families. High-profile victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing business in Chicago with around 500 employees. The Ryuk intrusion had paralyzed all business operations and manufacturing. Most of the client's backups had been online at the start of the intrusion and were eventually encrypted. The client was preparing to pay the ransom demand (over two hundred thousand dollars) and hoping for the best, but ultimately called Progent.
"I cannot thank you enough for the support Progent provided us throughout the most critical period of (our) business's life. We would have had little choice but to pay the cybercriminals if not for the confidence the Progent experts gave us. That you could get our e-mail system and critical servers back in under seven days was incredible. Every single person I talked with or messaged at Progent was urgently focused on getting my company operational and was working day and night to bail us out."
Progent worked hand in hand with the client to rapidly identify and prioritize the mission-critical areas that had to be restored before business operations could resume:
- Active Directory (AD)
- Accounting and Manufacturing Software
To begin, Progent followed industry best practices for malware incident response by halting the spread and cleaning infected systems. Progent then started rebuilding Windows Active Directory, the foundation of enterprise networks built on Microsoft Windows. Microsoft Exchange messaging will not work without AD, and the business's MRP system ran on Microsoft SQL Server, which relied on AD to authenticate access to the data.
In less than two days, Progent restored Active Directory services to their pre-attack state. Progent then helped rebuild the needed servers and recover their storage. All Microsoft Exchange Server links and configuration data were intact, which simplified the Exchange restore. Progent was also able to locate intact OST files (Microsoft Outlook Offline Folder Files) on staff workstations and recover mailbox data from them. A recent offline backup of the client's accounting/MRP software made it possible to bring these vital applications back online. Although a great deal of work remained to recover completely from the Ryuk incident, core services were returned to operation rapidly:
"For the most part, the manufacturing operation was never shut down and we produced all customer orders."
Over the following month, important milestones in the restoration project were completed through close collaboration between Progent engineers and the customer:
- Self-hosted web sites were brought back up with no loss of data.
- The MailStore Exchange Server holding more than four million historical emails was restored to operation and made available to users.
- CRM/Customer Orders/Invoices/AP/Accounts Receivables (AR)/Inventory functions were 100% functional.
- A new Palo Alto Networks 850 firewall was set up.
- 90% of the user desktops were functioning as before the incident.
"A huge amount of what transpired during the initial response is nearly entirely a haze for me, but my management will not forget the care each and every one of the team accomplished to help get our company back. I have entrusted Progent for the past 10 years, maybe more, and every time Progent has outperformed my expectations and delivered. This event was the most impressive ever."
A likely business-killing catastrophe was averted by results-oriented experts, a wide range of subject matter expertise, and close collaboration. Post-incident analysis showed that the crypto-ransomware intrusion described here could have been identified and blocked with up-to-date security technology, NIST Cybersecurity Framework best practices, user education, and properly executed procedures for data protection and software patching; even so, state-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and will keep attacking. If you do fall victim to ransomware, remember that Progent's roster of professionals has substantial experience in crypto-ransomware blocking, remediation, and file restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), I'm grateful for allowing me to get some sleep after we got through the most critical parts. All of you did an incredible job, and if anyone that helped is visiting the Chicago area, a great meal is my treat!"
Download the Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Services in Montgomery
For ransomware system recovery consulting in the Montgomery metro area, phone Progent at 800-462-8800 or go to Contact Progent.