Ransomware: Your Crippling Information Technology Catastrophe
Ransomware has become an escalating cyberplague that presents an enterprise-level threat for organizations vulnerable to an assault. Different versions of ransomware like the CryptoLocker, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been out in the wild for years and continue to cause destruction. More recent variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, as well as daily unnamed malware, not only encrypt on-line critical data but also infiltrate most available system protection mechanisms. Information synched to the cloud can also be rendered useless. In a vulnerable data protection solution, this can make any restore operations hopeless and basically knocks the datacenter back to zero.
Restoring applications and information after a crypto-ransomware attack becomes a sprint against the clock as the targeted business fights to contain the damage, remove the virus, and resume business-critical activity. Because ransomware takes time to move laterally, penetrations are usually launched during weekends and nights, when attacks tend to take longer to detect. This compounds the difficulty of rapidly mobilizing and orchestrating an experienced response team.
Progent offers a variety of services for protecting Tucson enterprises from crypto-ransomware penetrations. Among these are team member training to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus installation of next-generation security solutions with artificial intelligence technology to automatically detect and disable zero-day threats. Progent also offers the assistance of veteran crypto-ransomware recovery consultants with the talent and perseverance to reconstruct a breached network as quickly as possible.
Progent's Crypto-Ransomware Recovery Help
After a crypto-ransomware penetration, paying the ransom demands in cryptocurrency does not ensure that merciless criminals will respond with the keys needed to decrypt any or all of your data. Kaspersky Labs estimated that seventeen percent of ransomware victims never restored their files even after having sent off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000). This is significantly above the usual ransomware demands, which ZDNET determined to be around $13,000 for small businesses. The other path is to re-install the mission-critical components of your Information Technology environment. Absent the availability of complete system backups, this requires a wide complement of IT skills, well-coordinated team management, and the ability to work continuously until the job is complete.
For two decades, Progent has offered certified expert Information Technology services for companies across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have attained advanced industry certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have garnered internationally-recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience in accounting and ERP software solutions. This breadth of expertise affords Progent the capability to rapidly identify necessary systems and organize the remaining components of your Information Technology system after a ransomware penetration and assemble them into a functioning network.
Progent's security team of experts deploys best-of-breed project management systems to orchestrate the sophisticated restoration process. Progent understands the urgency of acting swiftly and together with a customer's management and Information Technology resources to assign priority to tasks and to get the most important services back on line as soon as humanly possible.
Client Story: A Successful Ransomware Virus Recovery
A small business engaged Progent after their organization was penetrated by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean government-sponsored criminal gangs, possibly using techniques leaked from the United States NSA. Ryuk targets specific businesses with little ability to sustain disruption and is among the most lucrative versions of ransomware. Headline targets include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in Chicago with around 500 employees. The Ryuk attack had frozen all business operations and manufacturing capabilities. The majority of the client's backups had been online at the start of the intrusion and were encrypted. The client was pursuing financing for paying the ransom demand (more than $200,000) and hoping for the best, but ultimately engaged Progent.
"I cannot tell you enough about the care Progent gave us throughout the most stressful period of (our) business's existence. We would have paid the cyber criminals behind the attack if it wasn't for the confidence the Progent team provided us. The fact that you were able to get our e-mail and important applications back into operation sooner than a week was something I thought impossible. Every single expert I worked with or communicated with at Progent was amazingly focused on getting us back on-line and was working day and night to bail us out."
Progent worked together with the client to rapidly identify and assign priority to the essential areas that needed to be addressed to make it possible to restart business functions:
- Active Directory
- Electronic Mail
To start, Progent adhered to ransomware incident mitigation industry best practices by stopping lateral movement and clearing infected systems. Progent then initiated the process of restoring Active Directory, the heart of enterprise environments built on Microsoft technology. Microsoft Exchange Server email will not operate without AD, and the customer's accounting and MRP system used Microsoft SQL, which depends on Active Directory services for access to the data.
In less than 2 days, Progent was able to restore Active Directory services to their pre-attack state. Progent then helped perform setup and storage recovery on essential servers. All Exchange Server schema and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to assemble intact OST files (Microsoft Outlook Offline Data Files) on team workstations in order to recover email data. A recent offline backup of the client's financials/MRP software made it possible to bring these required applications back on-line. Although a lot of work remained to recover fully from the Ryuk damage, the most important systems were returned to operation quickly:
"For the most part, the production line operation was never shut down and we made all customer deliverables."
Throughout the next month key milestones in the restoration project were made in close cooperation between Progent team members and the client:
- Self-hosted web applications were brought back up with no loss of information.
- The MailStore Exchange Server containing more than four million archived emails was restored to operations and available for users.
- CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory Control modules were 100% recovered.
- A new Palo Alto Networks 850 security appliance was installed.
- 90% of the user desktops were back into operation.
"Much of what occurred those first few days is nearly entirely a fog for me, but my team will not soon forget the dedication each of you put in to help get our company back. I have entrusted Progent for at least 10 years, possibly more, and each time I needed help Progent has come through and delivered. This time was no exception but maybe more Herculean."
A potential business-killing disaster was evaded with results-oriented experts, a broad range of technical expertise, and close teamwork. In post mortem, the ransomware incident described here should have been prevented with current security systems and recognized best practices: user training, properly executed incident response procedures for information protection, and proper patching controls. Nevertheless, government-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a crypto-ransomware penetration, remember that Progent's team of professionals has a proven track record in crypto-ransomware virus defense, removal, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thank you for making it so I could get some sleep after we got past the initial fire. All of you did an impressive job, and if any of your team is around the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To review or download a PDF version of this case study, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)