Ransomware: Your Crippling IT Nightmare
Ransomware has become a modern cyber pandemic that presents an extinction-level danger for businesses poorly prepared for an assault. Versions of ransomware like the Reveton, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for many years and continue to inflict damage. Modern versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit and Egregor, along with a steady stream of as-yet-unnamed malware, not only encrypt online critical data but also infiltrate most accessible system backups. Information synchronized to cloud environments can also be ransomed. Where the data protection solution is vulnerable, this can render automated recovery hopeless and effectively set the entire system back to zero.
Recovering programs and information following a ransomware event becomes a race against time as the victim struggles to stop the spread, remove the malware, and restore mission-critical activity. Because ransomware requires time to move laterally, attacks are usually sprung on weekends and holidays, when they may take more time to detect. This multiplies the difficulty of rapidly marshalling and orchestrating a knowledgeable response team.
Progent makes available a variety of services for protecting Ribeirão Preto organizations from ransomware attacks. Among these are user education to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of modern security appliances with machine learning technology to automatically detect and disable zero-day cyber threats. Progent in addition offers the services of expert ransomware recovery engineers with the talent and perseverance to re-deploy a compromised environment as urgently as possible.
Progent's Crypto-Ransomware Restoration Services
Soon after a ransomware attack, paying the ransom demanded in cryptocurrency does not provide any assurance that the cyber criminals will respond with the codes needed to decrypt any or all of your files. Kaspersky Labs ascertained that seventeen percent of ransomware victims never recovered their data after having paid the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC (roughly $120,000 to $400,000). This is greatly above the typical ransomware demand, which ZDNET estimated to be in the range of $13,000 for smaller businesses. The alternative is to set up from scratch the mission-critical elements of your Information Technology environment. Without the availability of essential information backups, this requires a broad range of skills, well-coordinated team management, and the ability to work continuously until the task is finished.
For decades, Progent has offered certified expert Information Technology services for companies throughout the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have earned high-level certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have earned internationally-renowned industry certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience in financial systems and ERP application software. This breadth of experience gives Progent the capability to quickly identify important systems and consolidate the remaining pieces of your IT environment following a crypto-ransomware event and rebuild them into a functioning system.
Progent's recovery group utilizes powerful project management applications to coordinate the complex recovery process. Progent knows the urgency of acting quickly and in concert with a client's management and Information Technology staff to assign priority to tasks and to get essential services back on-line as fast as possible.
Client Case Study: A Successful Ransomware Intrusion Response
A customer hired Progent after their network was crashed by the Ryuk ransomware. Ryuk is thought to have been created by North Korean government-sponsored hackers, suspected of using algorithms leaked from the United States NSA. Ryuk targets specific companies with little room for disruption and is one of the most profitable iterations of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company located in Chicago with about 500 workers. The Ryuk attack had shut down all business operations and manufacturing processes. Most of the client's data backups had been online at the start of the intrusion and were encrypted. The client was evaluating paying the ransom (in excess of $200,000) and hoping for good luck, but ultimately called Progent.
"I can’t thank you enough for the expertise Progent provided us during the most stressful period of (our) business's survival. We most likely would have paid the criminal gangs if it wasn’t for the confidence the Progent team gave us. The fact that you were able to get our e-mail and production servers back online in less than 1 week was beyond my wildest dreams. Each expert I talked with or communicated with at Progent was urgently focused on getting us working again and was working all day and night on our behalf."
Progent worked hand in hand with the client to quickly identify and prioritize the key systems that needed to be addressed to make it possible to resume company operations:
- Active Directory
- Microsoft Exchange
To begin, Progent followed ransomware incident response industry best practices by halting lateral movement and removing active malware. Progent then began the work of recovering Microsoft Active Directory, the key technology of enterprise networks built on Microsoft products. Microsoft Exchange email will not work without Active Directory, and the business's financials and MRP software utilized SQL Server, which depends on Active Directory services for authorization of access to the information.
Within 2 days, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then helped perform reinstallations and hard drive recovery on the most important applications. All Exchange data and configuration information were usable, which facilitated the rebuild of Exchange. Progent was also able to collect local OST files (Outlook Offline Data Files) from various desktop computers and laptops in order to recover email information. A relatively recent offline backup of the client's accounting systems made it possible to bring these required applications back online for users. Although major work remained to recover fully from the Ryuk damage, the most important services were returned to operation quickly:
"For the most part, the production operation ran fairly normal throughout and we made all customer deliverables."
Over the following few weeks key milestones in the recovery process were completed through close cooperation between Progent team members and the client:
- In-house web sites were restored without losing any data.
- The MailStore Server with over four million historical emails was brought on-line and accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory capabilities were completely restored.
- A new Palo Alto 850 firewall was installed.
- 90% of the user desktops were back in service and being used by staff.
"Much of what occurred in the early hours is mostly a fog for me, but my team will not forget the care each of the team put in to help get our business back. I have trusted Progent for at least 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This situation was no exception but maybe more Herculean."
A potential business-killing catastrophe was averted through the efforts of results-oriented experts, a wide array of technical expertise, and tight collaboration. In hindsight, the ransomware incident detailed here could have been shut down early with current security technology, ISO/IEC 27001 best practices, staff education, properly executed incident response procedures for information protection, and systems kept up to date with security patches. The reality, however, is that government-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and will continue. If you do get hit by a ransomware penetration, be confident that Progent's team of experts has extensive experience in crypto-ransomware defense, mitigation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), I’m grateful for making it so I could get rested after we got over the initial push. Everyone did an incredible job, and if anyone that helped is visiting the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)