Ransomware: Your Worst IT Disaster
Ransomware has become an escalating plague that represents an extinction-level threat for businesses of any size that are unprepared for an attack. Older families such as CryptoLocker, Fusob, Locky, Syskey and MongoLock have been circulating for years and continue to do damage. More recent crypto-ransomware families such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, Conti and Nephilim, along with a steady stream of as yet unnamed variants, not only encrypt critical online data but also seek out and encrypt or delete any reachable system backups. Files replicated to cloud storage can be ransomed as well, because the synchronization client faithfully uploads the encrypted versions over the good ones. In a vulnerable environment this renders automated restoration useless and effectively sets the entire environment back to zero.
Recovering systems and data after a ransomware attack becomes a race against the clock as the victim tries to stop lateral movement, eradicate the ransomware, and restore mission-critical operations. Because ransomware needs time to spread, attackers frequently detonate it at night, when a successful attack typically takes longer to notice. This compounds the difficulty of quickly mobilizing and organizing an experienced response team.
Progent offers a range of services for protecting Tucson businesses from ransomware attacks. These include user training to help staff recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and the deployment and configuration of modern endpoint security products that use behavioral and AI-based detection to identify and quarantine zero-day threats. Progent can also provide experienced crypto-ransomware recovery consultants with the skills and persistence to restore a compromised environment as quickly as possible.
Progent's Ransomware Restoration Help
After a crypto-ransomware attack, paying the ransom in Bitcoin does not guarantee that the criminals will deliver keys that decrypt all of your data. Kaspersky Lab found that seventeen percent of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time), far above the average ransomware demand, which ZDNet put at around $13,000 for smaller organizations. The alternative is to rebuild the key elements of your IT environment from scratch. Without usable backups, this requires a wide range of skills, well-coordinated project management, and the willingness to work around the clock until the job is done.
For two decades, Progent has provided expert IT services to companies throughout the United States and holds Microsoft Partner competencies in Datacenter and Cloud Productivity. Progent's pool of subject matter experts (SMEs) includes professionals with advanced certifications in foundation technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security experts hold internationally recognized industry certifications including CISM, CISSP, CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of experience lets Progent rapidly identify the critical systems that survive a ransomware breach, integrate the remaining pieces of your network, and rebuild them into a working environment.
Progent's security team uses best-of-breed project management tools to coordinate the complex restoration process. Progent understands the urgency of working rapidly and in concert with a client's management and IT staff to prioritize tasks and bring critical services back online as soon as possible.
Client Story: A Successful Ransomware Virus Recovery
A client engaged Progent after their network was taken over by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the older Hermes ransomware, but later analysis attributes it to a Russian-speaking criminal group that typically gains its foothold through TrickBot and Emotet infections. Ryuk targets specific organizations with little tolerance for downtime and is one of the most lucrative ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturer in the Chicago metro area with around 500 employees. The Ryuk incident had brought down all essential business and manufacturing processes. Most of the client's backups had been online at the time of the attack and were destroyed. The client was arranging financing to pay the ransom (more than $200,000) and hoping for the best, but instead turned to Progent.
"I can't tell you enough about the expertise Progent provided us during the most fearful time of (our) company's existence. We most likely would have paid the criminal gangs except for the confidence the Progent team afforded us. That you could get our messaging and essential applications back in less than one week was something I thought impossible. Every single staff member I interacted with or messaged at Progent was amazingly focused on getting us back on-line and was working at a breakneck pace to bail us out."
Progent worked with the client to quickly identify and prioritize the critical components that had to be restored before business operations could resume:
- Microsoft Active Directory
- MRP System
Progent first followed industry best practice for malware incident containment by isolating and cleaning the infected systems. Progent then began rebuilding Active Directory, the foundation of any enterprise environment built on Microsoft Windows Server. Microsoft Exchange Server email cannot function without AD, and the customer's accounting and MRP software ran on SQL Server, which relies on AD for authentication and authorization to the database.
In less than two days, Progent was able to recover Active Directory to its pre-attack state. Progent then began reinstalling and recovering the disks of the most important systems. All of the Exchange-related AD objects and attributes were intact, which accelerated the restoration of Exchange. Progent was also able to locate unencrypted Outlook offline data files (.OST) on user desktops and use them to recover mail. A reasonably recent offline backup of the customer's financials/ERP systems made it possible to bring those essential applications back to users. Although significant work remained before the Ryuk incident was fully resolved, the most important services were restored quickly:
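Locating usable Outlook caches on workstations is the one step in this story that a recovery team can script. As an added example (not Progent's code and not part of the original case study), the following PowerShell inventories .ost files across the user profiles on a workstation and checks whether each still begins with the "!BDN" signature that every Outlook PST/OST file carries; a file whose contents were overwritten by ransomware, or that was renamed with an appended extension such as .RYK, fails the check. It assumes local administrator rights and the default C:\Users profile root; the output file name is an arbitrary choice.

```powershell
# Added example, not Progent's code. Inventory Outlook offline data files (.ost)
# on a workstation and flag the ones that still look like intact Outlook data.
# Assumptions: run elevated on the workstation; user profiles live under C:\Users.

$ProfileRoot  = 'C:\Users'                        # assumption: default profile root
$OutlookMagic = [byte[]](0x21, 0x42, 0x44, 0x4E)  # "!BDN": header of PST/OST files

function Test-OutlookDataHeader {
    # Returns $true when the first four bytes are "!BDN", $false when they are not
    # (typical of a file overwritten by ransomware), $null if the file is unreadable.
    param([Parameter(Mandatory)][string]$Path)
    try {
        # FileShare.ReadWrite lets us read even if Outlook still has the file open.
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read,
                                     [System.IO.FileShare]::ReadWrite)
        try {
            $buf = New-Object byte[] 4
            if ($fs.Read($buf, 0, 4) -lt 4) { return $false }
            for ($i = 0; $i -lt 4; $i++) {
                if ($buf[$i] -ne $OutlookMagic[$i]) { return $false }
            }
            return $true
        } finally { $fs.Dispose() }
    } catch { return $null }
}

# Match both "name.ost" and "name.ost.<ext>": a family that appends an extension
# (Ryuk used .RYK) leaves the renamed, encrypted file behind in the same folder.
$inventory = Get-ChildItem -Path $ProfileRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '\.ost(\.[^.]+)?$' } |
    ForEach-Object {
        [pscustomobject]@{
            User     = ($_.FullName -split '\\')[2]   # C:\Users\<user>\...
            Path     = $_.FullName
            SizeMB   = [math]::Round($_.Length / 1MB, 1)
            Modified = $_.LastWriteTime
            Intact   = Test-OutlookDataHeader -Path $_.FullName
        }
    }

# Intact files are candidates for mailbox recovery; the rest are listed so the
# recovery team knows which users' local mail caches were lost.
$inventory | Sort-Object Intact -Descending | Format-Table -AutoSize
$inventory | Export-Csv -Path (Join-Path $env:TEMP 'ost-inventory.csv') -NoTypeInformation
```

An .ost is a cache bound to the original mailbox, so Outlook will not open it directly against a mailbox recreated on a rebuilt Exchange server; recovery normally means exporting its contents to a .pst and importing that into the new mailbox. Run the script before touching the workstation's Outlook profile, since a profile reset can delete the cache.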
"For the most part, the production manufacturing operation was never shut down and we did not miss any customer deliverables."
Over the following weeks, the critical milestones of the recovery project were reached through close cooperation between Progent engineers and the client:
- Internal web sites were brought back up with no loss of data.
- The MailStore Server archive, holding more than four million historical emails, was brought back online and made available to users.
- The CRM, product ordering, invoicing, accounts payable, accounts receivable (AR) and inventory control modules were completely restored.
- A new Palo Alto Networks PA-850 firewall was brought online.
- Nearly all desktop computers were fully operational.
"A huge amount of what transpired that first week is mostly a fog for me, but I will not forget the commitment each and every one of the team accomplished to give us our company back. I have been working together with Progent for the past 10 years, maybe more, and every time Progent has shined and delivered. This situation was the most impressive ever."
A potential business-ending catastrophe was averted through results-oriented professionals, a broad range of IT skills, and tight collaboration. The post-incident review found that the attack described here would have been detected and prevented by current security technology and best practices, staff training, well-designed incident response procedures for protecting information, and proper patch management; even so, criminal and state-sponsored groups operating from China, North Korea and elsewhere are relentless and will keep trying. If you are hit by crypto-ransomware, remember that Progent's roster of experts has substantial experience in ransomware prevention, mitigation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), I'm grateful for allowing me to get rested after we made it through the most critical parts. Everyone did an amazing job, and if anyone is around the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)