Ransomware: Your Crippling Information Technology Nightmare
Crypto-ransomware has become an escalating cyberplague that represents an extinction-level danger for organizations unprepared for an attack. Ransomware families such as CrySIS, WannaCry, Locky, SamSam and the MongoLock cryptoworms have been circulating for a long time and continue to cause harm. More recent families like Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Nefilim, along with additional as yet unnamed variants, not only encrypt online data files but also infect most accessible system backups. Data replicated to off-site disaster recovery sites can also be corrupted. In a poorly architected environment, this can make automated restoration hopeless and effectively sets the entire system back to zero.
Recovering applications and data following a ransomware attack becomes a race against time as the victim struggles to stop the spread, clear the ransomware, and restore business-critical activity. Because ransomware needs time to move laterally, attacks are often sprung during nights and weekends, when successful intrusions tend to take longer to uncover. This multiplies the difficulty of rapidly marshalling and orchestrating a qualified mitigation team.
Progent provides a variety of services for securing Ribeirão Preto enterprises from ransomware attacks. These include staff education to help employees recognize and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus installation of next-generation security appliances with machine learning technology to rapidly detect and quarantine zero-day threats. Progent can also provide the services of seasoned ransomware recovery engineers with the talent and commitment to reconstruct a breached system as rapidly as possible.
Progent's Ransomware Recovery Services
Soon after a ransomware attack, paying the ransom in Bitcoin does not guarantee that the remote criminals will respond with the keys needed to decrypt any or all of your data. Kaspersky Labs determined that 17% of crypto-ransomware victims never restored their files even after having paid the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is far higher than the average crypto-ransomware demand, which ZDNET determined to be around $13,000 for smaller organizations. The fallback is to rebuild the key parts of your Information Technology environment. Without complete data backups, this requires a wide complement of skill sets, professional team management, and the willingness to work continuously until the job is completed.
For two decades, Progent has offered certified expert IT services for businesses throughout the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have attained high-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise with accounting and ERP application software. This breadth of experience gives Progent the skills to rapidly identify the necessary systems, consolidate the surviving parts of your IT environment after a crypto-ransomware event, and assemble them into a functioning network.
Progent's ransomware recovery team uses powerful project management applications to coordinate the complex restoration process. Progent appreciates the urgency of working swiftly and in unison with a client's management and Information Technology staff to prioritize tasks and to put essential systems back online as fast as possible.
Business Case Study: A Successful Ransomware Attack Restoration
A small business engaged Progent after their company was attacked by the Ryuk ransomware. Ryuk is thought to have been created by North Korean state hackers, suspected of using algorithms leaked from America's National Security Agency. Ryuk goes after specific organizations with limited ability to sustain disruption and is among the most lucrative strains of ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in the Chicago metro area with around 500 workers. The Ryuk intrusion had brought down all company operations and manufacturing processes. The majority of the client's backups had been online at the start of the intrusion and were destroyed. The client was taking steps to pay the ransom demand (more than $200K) and hoping for good luck, but ultimately brought in Progent.
"I can't tell you enough about the expertise Progent provided us during the most fearful period of (our) company's survival. We would have paid the hackers behind this attack if it wasn't for the confidence the Progent experts provided us. That you were able to get our messaging and production applications back quicker than five days was beyond my wildest dreams. Every single staff member I interacted with or communicated with at Progent was totally committed to getting our company operational and was working at breakneck pace to bail us out."
Progent worked with the client to quickly understand and prioritize the mission-critical services that needed to be recovered in order to continue departmental functions:
- Active Directory
- Microsoft Exchange Email
- MRP System
To get going, Progent followed antivirus/malware incident response best practices by stopping lateral movement and removing active malware. Progent then started the task of rebuilding Windows Active Directory, the heart of enterprise environments built upon Microsoft technology. Microsoft Exchange Server messaging will not operate without Windows AD, and the customer's accounting and MRP system relied on Microsoft SQL Server, which requires Windows AD for authentication to the data.
Within two days, Progent was able to recover Active Directory to its pre-attack state. Progent then assisted with rebuilding servers and recovering hard drives for critical applications. All Microsoft Exchange Server links and configuration information were intact, which accelerated the restoration of Exchange. Progent was able to collect local OST files (Microsoft Outlook Offline Folder Files) from staff desktop computers in order to recover email messages. A reasonably recent offline backup of the customer's manufacturing software made it possible to restore these essential programs to users. Although significant work still had to be done to recover completely from the Ryuk damage, core systems were restored rapidly:
"For the most part, the assembly line operation survived unscathed and we made all customer shipments."
During the following couple of weeks, key milestones in the recovery process were reached through tight cooperation between Progent team members and the customer:
- In-house web sites were restored with no loss of data.
- The MailStore archive for Microsoft Exchange Server, holding more than four million historical messages, was restored to operation and made accessible to users.
- CRM/Customer Orders/Invoices/AP/AR/Inventory Control functions were 100% operational.
- A new Palo Alto Networks 850 security appliance was set up and programmed.
- 90% of the user desktops and notebooks were back in use by staff.
"Much of what was accomplished that first week is mostly a blur for me, but my team will not soon forget the countless hours each of your team members put in to give us our business back. I have utilized Progent for the past ten years, possibly more, and each time I needed help Progent has impressed me and delivered as promised. This situation was a stunning achievement."
A potential company-ending disaster was dodged through the efforts of results-oriented experts, a wide array of IT skills, and close teamwork. Post-incident forensics showed that the ransomware incident described here could have been prevented with up-to-date security technology and ISO/IEC 27001 best practices, staff training, and well-thought-out incident response procedures for data backup and keeping systems current with security patches. Nevertheless, the fact remains that state-sponsored and criminal cyber gangs from China, North Korea and elsewhere are relentless and are not going away. If you do fall victim to ransomware, remember that Progent's team of professionals has a proven track record in ransomware defense, cleanup, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were involved), I'm grateful for allowing me to get some sleep after we got past the most critical parts. All of you made an amazing effort, and if anyone that helped is in the Chicago area, a great meal is the least I can do!"
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)