Ransomware: Your Worst IT Disaster
Ransomware has become an all-too-frequent plague that poses an extinction-level threat to businesses unprepared for an attack. Older ransomware families such as CrySIS, CryptoWall, Locky, SamSam and MongoLock have been around for years and still cause destruction. Modern crypto-ransomware strains like Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nephilim, along with many less publicized variants, do not just encrypt online data files; they also hunt down and destroy any backups and other data-protection systems they can reach. Encrypted files that are replicated to cloud storage can overwrite the clean copies there as well. In a poorly architected data protection design this can make automated restoration impossible and effectively reset the network to zero.
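The backups that ransomware destroys are the ones a compromised user or server account can write to. The following PowerShell check is an added example, not Progent's code or tooling: run on a Windows backup server, it lists shares whose share-level ACL grants Full or Change to a broad principal. The list of "broad" principals and the default share-name filter are assumptions for illustration.

```powershell
# Added example, not Progent's code. Run on the backup server in an elevated
# PowerShell session; needs the SmbShare module (Windows Server 2012 / Windows 8+).
# The principal patterns and the default share-name filter are assumptions.
$BroadPrincipals = @('Everyone', '*\Users', '*\Authenticated Users',
                     '*\Domain Users', '*\Domain Computers')

function Test-BroadPrincipal {
    param([string]$Account)
    foreach ($pattern in $BroadPrincipals) {
        if ($Account -like $pattern) { return $true }
    }
    return $false
}

function Find-ExposedBackupShare {
    # Lists non-administrative shares whose share-level ACL grants Full or Change
    # to a broad principal. Any such share can be encrypted by a single compromised
    # user account, which is how "directly accessible" backups are lost.
    param([string]$ShareNamePattern = '*Backup*')
    Get-SmbShare | Where-Object { -not $_.Special -and $_.Name -like $ShareNamePattern } |
        ForEach-Object {
            $share = $_
            Get-SmbShareAccess -Name $share.Name |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    "$($_.AccessRight)" -in @('Full', 'Change') -and
                    (Test-BroadPrincipal -Account $_.AccountName)
                } |
                ForEach-Object {
                    [pscustomobject]@{
                        Share   = $share.Name
                        Path    = $share.Path
                        Account = $_.AccountName
                        Right   = $_.AccessRight
                    }
                }
        }
}

$exposed = @(Find-ExposedBackupShare)
if ($exposed.Count -eq 0) {
    'No backup share grants Full or Change to a broad principal at the share level.'
} else {
    $exposed | Format-Table -AutoSize
}
```

This checks share-level permissions only; effective access is the intersection with the NTFS ACL on the share path (Get-Acl), so a clean result here is necessary but not sufficient. Even a tightly restricted online share falls to a compromised domain administrator or backup service account, which is why the durable protection is an offline or immutable copy that no domain credential can modify.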
Restoring services and data after a ransomware outage becomes a race against time as the targeted business struggles to stop the spread, eradicate the ransomware and resume business-critical operations. Because encrypting data across a network takes time, attacks are often launched on weekends and at night, when the intrusion may take longer to notice. This compounds the difficulty of promptly assembling and coordinating a capable response team.
Progent offers a range of services for protecting Midtown Manhattan businesses from ransomware events. These include staff training to recognize and avoid phishing scams, and ProSight Active Security Monitoring (ASM), an endpoint detection and response (EDR) service built on SentinelOne's AI-based threat protection to identify and quarantine zero-day malware attacks. Progent also provides the assistance of veteran ransomware recovery professionals with the track record and perseverance to bring a compromised network back as rapidly as possible.
Progent's Ransomware Recovery Services
Following a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the attackers will hand over the keys needed to decrypt any of your files. Kaspersky found that 17% of ransomware victims never recovered their files even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000), far above typical ransomware demands, which ZDNet estimated at around $13,000 for small organizations. The alternative is to rebuild the essential parts of your IT environment. Without complete backups, this requires a broad range of skills, professional project management, and the willingness to work around the clock until the job is finished.
For two decades, Progent has provided professional IT services to businesses across the U.S. and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers with high-level certifications in key technologies such as Microsoft, Cisco, VMware, and major Linux distributions. Progent's cybersecurity engineers hold internationally recognized industry certifications including CISM, CISSP, CRISC, and GIAC (visit Progent's certifications). Progent also has expertise with accounting and ERP application software. This breadth of experience allows Progent to quickly identify critical systems, integrate the surviving components of your network following a ransomware event, and assemble them into a functioning whole.
Progent's security team uses proven project management tools to coordinate the complicated restoration process. Progent understands the urgency of working quickly and together with a client's management and IT staff to prioritize tasks and bring essential applications back online as soon as possible.
Business Case Study: A Successful Ransomware Incident Restoration
A small business contacted Progent after its network was taken over by the Ryuk ransomware. Ryuk was initially linked to North Korean actors because it shares code with the earlier Hermes ransomware, but it is now generally attributed to Russian-speaking criminal groups. Ryuk targets specific organizations with little or no tolerance for downtime and is one of the most profitable ransomware operations. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing company in the Chicago metro area with around 500 employees. The Ryuk intrusion had halted all business operations and manufacturing processes. Most of the client's backups had been online and reachable from the compromised network at the time of the attack, and they were destroyed. The client was considering paying the ransom (more than two hundred thousand dollars) and hoping for the best, but in the end reached out to Progent.
"I can't say enough in regards to the expertise Progent provided us during the most fearful time of (our) business's existence. We would have paid the hackers if not for the confidence the Progent team gave us. The fact that you were able to get our e-mail system and critical applications back online in less than 1 week was incredible. Every single expert I worked with or messaged at Progent was totally committed to getting us operational and was working 24/7 on our behalf."
Progent worked with the client to quickly assess and prioritize the key services that had to be restored before company operations could resume:
- Windows Active Directory
- Exchange Server
First, Progent followed ransomware incident response best practices by stopping lateral movement and eradicating the malware from affected systems. Progent then began recovering Microsoft Active Directory, the foundation of any enterprise environment built on Microsoft technology. Microsoft Exchange will not run without AD, and the client's accounting and MRP software relied on Microsoft SQL Server, whose Windows authentication also depends on Active Directory.
In less than two days, Progent restored Windows Active Directory to its pre-intrusion state. Progent then pressed ahead with reinstallation and storage recovery on essential servers. All Exchange Server data and configuration information was intact, which accelerated the Exchange rebuild. Progent also located local OST files (Outlook Offline Folder Files) on various PCs and laptops to recover mail data. A recent offline backup of the business's financial/MRP systems made it possible to bring those essential services back online. Although a great deal of work remained to recover fully from the Ryuk attack, critical systems were restored rapidly:
"For the most part, the production operation ran fairly normal throughout and we did not miss any customer shipments."
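The restore sequence above (isolate first, then Active Directory, then the Exchange and SQL-backed services that depend on it) is a dependency ordering problem that is worth writing down before an incident rather than reconstructing during one. The following PowerShell planner is an added example, not Progent's code or project tooling: it encodes the dependencies the case study names and derives a restore order with Kahn's topological sort, failing loudly on a cycle or an unknown dependency. The service names, the tier numbers used as priorities, and the extra edges (web sites, MailStore, user PCs) are assumptions for illustration.

```powershell
# Added example, not Progent's code. Service names, tiers and edges are
# assumptions that mirror the case study; adjust them to your own environment.
$services = @{
    'Isolation'       = @{ Tier = 0; Needs = @() }
    'ActiveDirectory' = @{ Tier = 1; Needs = @('Isolation') }
    'ExchangeServer'  = @{ Tier = 2; Needs = @('ActiveDirectory') }
    'SQLServer'       = @{ Tier = 2; Needs = @('ActiveDirectory') }
    'AccountingMRP'   = @{ Tier = 2; Needs = @('SQLServer') }
    'MailStore'       = @{ Tier = 3; Needs = @('ExchangeServer') }
    'WebSites'        = @{ Tier = 3; Needs = @('Isolation') }
    'UserPCs'         = @{ Tier = 4; Needs = @('ActiveDirectory', 'ExchangeServer') }
}

function Get-RestoreOrder {
    # Kahn's algorithm: repeatedly emit the ready service (all prerequisites
    # already restored) with the lowest tier, breaking ties by name.
    param([hashtable]$Graph)

    $indegree = @{}
    foreach ($name in $Graph.Keys) { $indegree[$name] = 0 }
    foreach ($name in $Graph.Keys) {
        foreach ($dep in $Graph[$name].Needs) {
            if (-not $Graph.ContainsKey($dep)) {
                throw "Unknown dependency '$dep' listed for '$name'"
            }
            $indegree[$name]++
        }
    }

    $order = @()
    while ($indegree.Count -gt 0) {
        $ready = $indegree.Keys | Where-Object { $indegree[$_] -eq 0 } |
                 Sort-Object { $Graph[$_].Tier }, { $_ }
        if (-not $ready) {
            # Nothing is ready but services remain: the plan contains a cycle.
            throw "Dependency cycle among: $($indegree.Keys -join ', ')"
        }
        $next = @($ready)[0]
        $order += $next
        $indegree.Remove($next)
        # Restoring $next satisfies one prerequisite of everything that needs it.
        foreach ($name in @($indegree.Keys)) {
            if ($Graph[$name].Needs -contains $next) { $indegree[$name]-- }
        }
    }
    return $order
}

$step = 0
Get-RestoreOrder -Graph $services | ForEach-Object { $step++; '{0}. {1}' -f $step, $_ }
```

The tier is a business priority, not a technical dependency: it decides which of several ready services to restore first (the case study put Exchange and the MRP system ahead of web sites and user PCs), while the Needs edges are hard constraints that the sort never violates.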
Over the following month, key milestones in the restoration were achieved in close collaboration between Progent consultants and the customer:
- Self-hosted web sites were returned to operation with no loss of data.
- The MailStore email archive, holding over four million archived messages, was restored and made available to users.
- CRM/Orders/Invoicing/AP/AR/Inventory Control capabilities were fully restored.
- A new Palo Alto Networks PA-850 firewall was deployed.
- Ninety percent of user PCs were back in operation.
"A lot of what went on during the initial response is mostly a blur for me, but I will not forget the commitment all of your team put in to help get our company back. I've entrusted Progent for the past ten years, maybe more, and every time Progent has impressed me and delivered. This event was no exception but maybe more Herculean."
A likely business-ending disaster was avoided through the efforts of dedicated professionals, a broad range of IT skills, and tight collaboration. The post mortem showed that the intrusion described here could have been blocked with modern security tooling, NIST Cybersecurity Framework or ISO/IEC 27001 practices, staff training, and properly executed procedures for backup and patching. But attackers operating from Russia, China and elsewhere, whether state-sponsored or purely criminal, are tireless and remain an ongoing threat. If you are hit by a ransomware attack, remember that Progent's team has extensive experience in ransomware blocking, cleanup, and file recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for making it so I could get rested after we got past the first week. All of you did an impressive job, and if anyone that helped is visiting the Chicago area, dinner is my treat!"
Download the Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this customer story, see Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware Recovery Expertise in Midtown Manhattan
For ransomware recovery consulting in the Midtown Manhattan metro area, call Progent at 800-462-8800 or visit Contact Progent.