Ransomware : Your Worst Information Technology Catastrophe
Crypto-ransomware has become a modern cyber pandemic that poses an existential danger for businesses unprepared for an assault. Earlier ransomware families such as Reveton, Fusob, Bad Rabbit, SamSam and the MongoLock cryptoworms have been running rampant for a long time and continue to inflict harm. Modern versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Egregor, plus additional unnamed malware, not only encrypt online data files but also attack most of the system protection mechanisms they can reach. Files synchronized to off-site disaster recovery sites can also be encrypted. In a vulnerable environment, this can render automatic restoration hopeless and effectively sets the entire system back to square one.
Retrieving programs and information following a ransomware intrusion becomes a race against time as the victim struggles to contain and clean up the ransomware and to restore enterprise-critical operations. Because crypto-ransomware needs time to spread, attacks are often sprung during weekends and nights, when successful attacks are likely to take longer to identify. This multiplies the difficulty of quickly marshalling and orchestrating a qualified mitigation team.
Progent offers a variety of solutions for securing Raleigh businesses from ransomware events. These include team member training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to setup and configuration of the latest generation security appliances with AI capabilities to automatically identify and quarantine new cyber attacks. Progent in addition provides the assistance of veteran ransomware recovery consultants with the track record and commitment to rebuild a breached system as quickly as possible.
Progent's Ransomware Restoration Services
Following a ransomware penetration, sending the ransom in Bitcoin cryptocurrency does not guarantee that distant criminals will provide the keys to decrypt all your data. Kaspersky ascertained that 17% of ransomware victims never restored their files after having paid the ransom, resulting in additional losses. Paying is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the usual ransomware demands, which ZDNET determined to be approximately $13,000 for small businesses. The alternative is to set up the key parts of your IT environment from scratch. Absent the availability of full information backups, this calls for a broad range of IT skills, well-coordinated team management, and the ability to work continuously until the job is finished.
For twenty years, Progent has made available expert Information Technology services for businesses across the US and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have been awarded top industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have garnered internationally renowned industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent in addition has expertise in financial systems and ERP applications. This breadth of experience gives Progent the capability to rapidly identify important systems, salvage the surviving pieces of your IT system following a crypto-ransomware penetration, and assemble them into an operational system.
Progent's recovery team deploys best-of-breed project management applications to coordinate the complicated restoration process. Progent appreciates the importance of working quickly and in unison with a client's management and Information Technology staff to prioritize tasks and to get the most important services back online as fast as humanly possible.
Client Story: A Successful Ransomware Intrusion Recovery
A client escalated to Progent after their network was penetrated by the Ryuk crypto-ransomware. Ryuk is believed to have been launched by North Korean state criminal gangs, suspected of adopting strategies leaked from America's NSA organization. Ryuk seeks out specific businesses with limited tolerance for disruption and is among the most lucrative examples of ransomware. Major targets have included Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer based in Chicago with around 500 employees. The Ryuk event had frozen all essential operations and manufacturing capabilities. The majority of the client's backups had been online at the beginning of the intrusion and were encrypted. The client was actively seeking loans to pay the ransom demand (in excess of $200K) and praying for good luck, but ultimately reached out to Progent.
"I cannot speak enough about the support Progent provided us during the most stressful time of (our) company's survival. We most likely would have paid the criminal gangs if it wasn't for the confidence the Progent experts gave us. The fact that you were able to get our e-mail system and essential applications back on-line sooner than 1 week was incredible. Every single staff member I spoke to or e-mailed at Progent was amazingly focused on getting my company operational and was working all day and night to bail us out."
Progent worked with the client to quickly identify and assign priority to the critical services that had to be addressed in order to continue departmental functions:
- Windows Active Directory
- Exchange Server
- Accounting and Manufacturing Software
To begin, Progent followed ransomware penetration mitigation industry best practices by stopping the spread and clearing infected systems. Progent then initiated the process of rebuilding Windows Active Directory, the heart of enterprise systems built upon Microsoft technology. Microsoft Exchange email will not function without Active Directory, and the client's MRP system used Microsoft SQL Server, which needs Active Directory for authentication to the data.
In less than 2 days, Progent was able to rebuild Windows Active Directory to its pre-penetration state. Progent then charged ahead with setup and storage recovery on the most important systems. All Exchange Server schema and configuration information were intact, which facilitated the rebuild of Exchange. Progent was able to gather local OST files (Outlook Offline Data Files) from various workstations to recover mail data. A recent off-line backup of the customer's financials/MRP software allowed these essential services to be made available to users again. Although significant work was left to recover fully from the Ryuk attack, the most important services were restored quickly:
"For the most part, the production operation showed little impact and we delivered all customer orders."
Throughout the next few weeks key milestones in the restoration project were accomplished through close collaboration between Progent engineers and the client:
- Internal web sites were restored with no loss of data.
- The MailStore Microsoft Exchange Server containing more than 4 million archived emails was spun up and accessible to users.
- CRM/Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory Control functions were completely operational.
- A new Palo Alto Networks 850 firewall was brought online.
- Most of the desktops and laptops were fully operational.
"A lot of what was accomplished during the initial response is nearly entirely a blur for me, but our team will not forget the urgency all of your team accomplished to give us our company back. I have entrusted Progent for the past ten years, maybe more, and every time I needed help Progent has shined and delivered. This event was no exception but maybe more Herculean."
A likely business extinction catastrophe was avoided due to top-tier professionals, a broad spectrum of subject matter expertise, and close teamwork. In hindsight, the ransomware attack detailed here would have been identified and stopped with advanced security technology and best practices, user and IT administrator education, and well thought out security procedures for data protection and proper patching controls. The fact remains, however, that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do get hit by a ransomware incursion, remember that Progent's roster of professionals has extensive experience in crypto-ransomware virus blocking, cleanup, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), I'm grateful for letting me get rested after we made it through the initial fire. Everyone did an incredible job, and if anyone that helped is around the Chicago area, a great meal is my treat!"
Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)