Ransomware: Your Feared IT Catastrophe
Crypto-ransomware has become a modern cyber plague that poses an enterprise-level danger to businesses poorly prepared for an attack. Families such as Reveton, WannaCry, Locky, Syskey and MongoLock have been around for years and continue to inflict havoc. More recent families such as Ryuk, Maze, Sodinokibi (REvil), NetWalker, Snatch and Egregor, along with many less-publicized variants, not only encrypt online data files but also deliberately disable whatever recovery mechanisms are reachable from the compromised network: volume shadow copies, backup catalogs, and on-line backup repositories. Data replicated to an off-site disaster recovery site can be encrypted as well. In a poorly designed data protection solution this makes automated restore operations impossible and effectively sets the entire environment back to zero.
Getting applications and data back on-line after a crypto-ransomware event becomes a race against the clock as the targeted organization fights to stop lateral movement, remove the malware, and resume business-critical activity. Because the attackers need time to move laterally before detonating the encryption payload, attacks are often sprung on weekends and holidays, when they typically take longer to detect. This multiplies the difficulty of quickly assembling and coordinating a capable response team.
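The two behaviors just described can be turned into detection logic that does not depend on a human being at the console on a Saturday night. The following is an added example, not Progent's code or tooling: it flags (1) command lines that inhibit Windows recovery (shadow-copy deletion, backup catalog deletion, boot recovery disabled; MITRE ATT&CK T1490), and (2) a single account giving many files the same new extension within a few minutes, reporting whether the burst began outside business hours or on a weekend. The log lines, host names, accounts, the `.locked` extension, and the 07:00-19:00 business day are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon Event ID 1 / Windows 4688 style):
# (timestamp, host, user, command line). Not real customer data.
PROCESS_EVENTS = [
    ("2019-03-16T02:11:04", "FS01", "CORP\\svc_backup",
     "vssadmin.exe delete shadows /all /quiet"),
    ("2019-03-16T02:11:05", "FS01", "CORP\\svc_backup",
     "wbadmin.exe delete catalog -quiet"),
    ("2019-03-16T02:11:06", "FS01", "CORP\\svc_backup",
     "bcdedit.exe /set {default} recoveryenabled no"),
    ("2019-03-18T09:30:00", "WS042", "CORP\\jdoe",
     "notepad.exe C:\\Users\\jdoe\\notes.txt"),
]

# Command lines commonly used to inhibit system recovery (MITRE ATT&CK T1490).
RECOVERY_INHIBIT_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"\bbcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"\bbcdedit(\.exe)?\s+.*bootstatuspolicy\s+ignoreallfailures", re.I),
]


def find_recovery_inhibition(events):
    """Return the events whose command line matches a recovery-inhibition pattern."""
    return [e for e in events if any(p.search(e[3]) for p in RECOVERY_INHIBIT_PATTERNS)]


def is_off_hours(when, start_hour=7, end_hour=19):
    """True on weekends or outside the assumed 07:00-19:00 business day."""
    dt = datetime.fromisoformat(when) if isinstance(when, str) else when
    return dt.weekday() >= 5 or not (start_hour <= dt.hour < end_hour)


# Constructed file-rename events on a file server: (timestamp, user, new path).
# 60 files in one folder receive the same new extension within one minute.
_burst_start = datetime(2019, 3, 16, 2, 12, 0)  # a Saturday
FILE_EVENTS = [
    ((_burst_start + timedelta(seconds=i)).isoformat(), "CORP\\svc_backup",
     f"\\\\FS01\\finance\\q1\\doc{i:03d}.xlsx.locked")
    for i in range(60)
] + [
    ("2019-03-18T09:31:00", "CORP\\jdoe", "\\\\FS01\\eng\\spec.docx"),
    ("2019-03-18T09:32:00", "CORP\\jdoe", "\\\\FS01\\eng\\spec_v2.docx"),
]


def encryption_bursts(events, window=timedelta(minutes=5), threshold=50):
    """Flag any (user, new extension) pair that reaches `threshold` renames
    inside a sliding `window`. Encryption bursts are bulk, uniform and fast;
    a normal user does not give 50 files the same new extension in five minutes."""
    times_by_key = defaultdict(list)
    for ts, user, path in events:
        name = path.rsplit("\\", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        times_by_key[(user, ext)].append(datetime.fromisoformat(ts))

    alerts = []
    for (user, ext), times in times_by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "user": user, "ext": ext, "count": end - start + 1,
                    "start": times[start].isoformat(),
                    "off_hours": is_off_hours(times[start]),
                })
                break  # one alert per key is enough; analysts can drill in
    return alerts


if __name__ == "__main__":
    for hit in find_recovery_inhibition(PROCESS_EVENTS):
        print("recovery inhibition:", hit)
    for alert in encryption_bursts(FILE_EVENTS):
        print("encryption burst:", alert)
```

On the constructed data the first detector fires three times on FS01 (the shadow copies, backup catalog and boot recovery are all removed within seconds, minutes before the renames begin), and the second detector raises one alert for `CORP\svc_backup` with `off_hours` set, which is exactly the weekend timing the text warns about. The `threshold` and `window` values are tuning knobs; the point is that both signals are visible in ordinary process and file-audit logs whether or not anyone is watching at the time.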
Progent offers a variety of services for protecting Midtown Manhattan organizations from ransomware attacks. These include user education to help staff recognize and avoid phishing attacks, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of current-generation security gateways that use AI technology to quickly detect and quarantine new threats. Progent also provides experienced crypto-ransomware recovery consultants with the skills and commitment to rebuild a breached system as quickly as possible.
Progent's Ransomware Restoration Services
Following a crypto-ransomware event, even paying the ransom in cryptocurrency does not guarantee that the attackers will deliver working keys to decrypt all your files. Kaspersky Lab estimated that 17% of ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also very expensive: Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical crypto-ransomware demand, which ZDNet put at around $13,000 for smaller organizations. The other path is to rebuild the critical elements of your IT environment. Without complete, intact backups this requires a wide range of skills, top-notch team management, and the willingness to work around the clock until the job is finished.
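Before choosing the rebuild path you need to know which backup sets actually survived, because a backup that was on-line during the attack may have been encrypted in place or had its catalog rewritten. The following is an added example, not Progent's code or any backup product's: it records a SHA-256 hash of every file in a backup set in a manifest, signs the manifest with an HMAC key that is assumed to be stored offline with the backup media, and re-verifies the set so that files encrypted in place, files renamed with a ransom extension, and a manifest rewritten without the key are all reported before a restore is attempted. The directory layout, file contents and the `.locked` extension are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backup images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, key):
    """Hash every file under root and sign the manifest with an HMAC. An attacker
    who re-encrypts the files and rewrites the manifest cannot forge the MAC
    without the key, which is assumed to live off the network."""
    entries = {str(p.relative_to(root)): sha256_file(p)
               for p in sorted(Path(root).rglob("*")) if p.is_file()}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"files": entries, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_backup(root, manifest, key):
    """Return (ok, problems). Problems list a forged manifest, and files that are
    missing, modified, or unexpected relative to the signed manifest."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return False, ["manifest MAC mismatch: manifest altered or wrong key"]
    present = {str(p.relative_to(root)) for p in Path(root).rglob("*") if p.is_file()}
    problems = []
    for rel, digest in manifest["files"].items():
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif sha256_file(Path(root) / rel) != digest:
            problems.append(f"modified: {rel}")
    for rel in sorted(present - set(manifest["files"])):
        problems.append(f"unexpected: {rel}")
    return not problems, problems


def demo():
    """Constructed backup set: sign it, then simulate ransomware encrypting one
    file in place and renaming another with a ransom extension."""
    key = b"offline-key-kept-with-backup-media"  # assumption: never stored on the network
    with tempfile.TemporaryDirectory() as root:
        erp = Path(root) / "erp"
        erp.mkdir()
        (erp / "ledger.bak").write_bytes(b"ledger data")
        (erp / "orders.bak").write_bytes(b"orders data")
        manifest = build_manifest(root, key)
        clean_ok, _ = verify_backup(root, manifest, key)

        # Attacker rewrites the manifest to cover their tracks but lacks the key.
        forged = {"files": {}, "mac": manifest["mac"]}
        forged_ok, _ = verify_backup(root, forged, key)

        # Simulate encryption in place and a rename with a ransom extension.
        (erp / "ledger.bak").write_bytes(os.urandom(32))
        (erp / "orders.bak").rename(erp / "orders.bak.locked")
        after_ok, problems = verify_backup(root, manifest, key)

        return {"clean_ok": clean_ok, "forged_ok": forged_ok,
                "after_ok": after_ok, "problems": problems}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The manifest and key have to be created while the backup is known-good and kept where the attacker cannot reach them, otherwise the check proves nothing; that is the same isolation requirement that makes an offline backup useful in the first place.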
For two decades, Progent has offered expert Information Technology services to businesses throughout the U.S. and holds Microsoft Partner competencies in Datacenter and Cloud Productivity. Progent's team of subject matter experts includes consultants who have attained top certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers hold internationally recognized certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial systems and ERP software solutions. This breadth of expertise gives Progent the capability to quickly identify critical systems, salvage the surviving parts of your IT environment after a crypto-ransomware penetration, and rebuild them into a functioning system.
Progent's ransomware group uses state-of-the-art project management tools to coordinate the complex restoration process. Progent appreciates the importance of working quickly and in unison with a customer's management and Information Technology team members to prioritize tasks and get essential services back on line as soon as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Intrusion Restoration
A customer engaged Progent after their network was hit by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because its code overlaps with the earlier Hermes ransomware; later analysis by security vendors attributes it to Russian-speaking criminal groups, possibly adopting techniques from tooling leaked from the U.S. National Security Agency. Ryuk targets specific organizations that can tolerate little or no downtime and is among the most profitable crypto-ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer in the Chicago metro area with about 500 staff members. The Ryuk attack had brought down all essential business and manufacturing operations. Most of the client's backups had been on-line at the start of the attack and were damaged. The client was actively seeking loans to pay the ransom (in excess of $200K) and hoping for the best, but ultimately turned to Progent.
"I can't speak enough in regards to the care Progent provided us throughout the most stressful period of (our) company's survival. We most likely would have paid the cyber criminals behind the attack if not for the confidence the Progent group provided us. The fact that you could get our e-mail and production applications back in less than five days was earth shattering. Every single expert I spoke to or e-mailed at Progent was urgently focused on getting us restored and was working day and night to bail us out."
Progent worked with the customer to rapidly identify and prioritize the essential systems that had to be restored first so that company operations could continue:
- Active Directory (AD)
- Microsoft Exchange Server
To begin, Progent followed standard malware incident response practice: isolate affected hosts to halt the spread, then clean the systems of the malware. Progent then began rebuilding Active Directory, the core of enterprise networks built on Microsoft Windows Server. Microsoft Exchange Server will not function without Active Directory, and the customer's accounting and MRP software ran on Microsoft SQL Server, which relied on Active Directory for authentication to the data.
Within 48 hours, Progent restored Active Directory services to their pre-penetration state. Progent then began the configuration and storage recovery of the needed applications. All Exchange Server connector and configuration information was intact, which accelerated the rebuild of Exchange. Progent was able to recover mail data from the local OST files (Microsoft Outlook Offline Folder Files) on staff desktop computers. A recent offline backup of the business's accounting/ERP software made it possible to bring these required applications back into service. Although a great deal of work remained to recover fully from the Ryuk damage, the most important services were restored rapidly:
"For the most part, the production operation was never shut down and we did not miss any customer deliverables."
Over the next month, important milestones in the recovery project were achieved in close cooperation between Progent team members and the customer:
- Internal web applications were restored with no loss of data.
- The MailStore archive of Exchange mail, holding more than 4 million archived messages, was brought back online and made accessible to users.
- CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivable (AR)/Inventory Control modules were fully operational.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- 90% of the desktop computers were fully operational.
"Much of what transpired in the early hours is nearly entirely a blur for me, but we will not forget the commitment each and every one of your team accomplished to give us our business back. I have been working with Progent for the past ten years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered. This situation was a life saver."
A probable company-ending disaster was avoided through the efforts of hard-working professionals, a broad array of technical expertise, and close collaboration. In hindsight, the attack described here should have been detected and stopped by modern security tooling and NIST Cybersecurity Framework best practices: staff training, tested incident response procedures, isolated (offline or immutable) backups, and timely software patching. The reality remains, however, that state-sponsored and criminal attackers from Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware incident, remember that Progent's team of professionals has a proven track record in ransomware defense, cleanup, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were contributing), thanks very much for allowing me to get some sleep after we got over the first week. All of you made a fabulous effort, and if anyone that helped is around the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer story, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)