Ransomware: Your Feared IT Nightmare
Crypto-ransomware has become a modern cyberplague that presents an enterprise-level danger to businesses of all sizes that are unprepared for an attack. Versions of ransomware like the Reveton, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for years and continue to cause havoc. More recent strains of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Egregor, along with new malware that appears daily and has yet to be named, not only encrypt online information but also infiltrate any configured system backup. Information synched to cloud environments can also be corrupted. With a poorly designed data protection solution, this can render automated recovery useless and effectively set the datacenter back to zero.
Restoring applications and information following a crypto-ransomware event becomes a sprint against the clock as the victim tries its best to contain and eradicate the malware and to restore enterprise-critical operations. Because crypto-ransomware requires time to spread, attacks are often launched on weekends, when successful intrusions typically take longer to detect. This multiplies the difficulty of quickly marshalling and organizing an experienced mitigation team.
Progent makes available an assortment of services for protecting Columbus organizations from crypto-ransomware events. These include team education to help identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of next-generation security gateways with artificial intelligence capabilities to intelligently discover and disable new cyber attacks. Progent also provides the services of seasoned crypto-ransomware recovery consultants with the track record and commitment to re-deploy a breached environment as urgently as possible.
Progent's Crypto-Ransomware Recovery Help
After a ransomware event, paying the ransom demand in Bitcoin cryptocurrency does not guarantee that the cyber hackers will respond with the keys to decrypt any of your information. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their information after having paid the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is well above the typical crypto-ransomware demand, which ZDNET estimated to be in the range of $13,000 for small organizations. The alternative is to set up the mission-critical components of your Information Technology environment from scratch. Without access to essential data backups, this calls for a broad complement of skills, top-notch team management, and the capability to work non-stop until the job is done.
For twenty years, Progent has provided professional IT services for businesses across the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have earned high-level industry certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have garnered internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience in financial systems and ERP application software. This breadth of expertise gives Progent the capability to quickly identify critical systems, salvage the surviving components of your network environment after a crypto-ransomware attack, and rebuild them into an operational system.
Progent's recovery group uses state-of-the-art project management systems to orchestrate the sophisticated recovery process. Progent knows the urgency of working quickly and in concert with a customer's management and IT team members to prioritize tasks and to put critical systems back online as fast as humanly possible.
Client Case Study: A Successful Ransomware Penetration Restoration
A business hired Progent after their organization was taken over by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state-sponsored cybercriminals, possibly adopting technology exposed from the U.S. NSA. Ryuk goes after specific businesses with little ability to sustain operational disruption and is one of the most profitable instances of ransomware malware. Headline victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in Chicago with about 500 staff members. The Ryuk penetration had brought down all business operations and manufacturing processes. Most of the client's backups had been online at the beginning of the attack and were damaged. The client was actively seeking loans to pay the ransom (exceeding $200K) and hoping for good luck, but in the end called Progent.
"I can't tell you enough in regards to the help Progent gave us throughout the most fearful period of (our) business's survival. We most likely would have paid the hackers behind this attack if it wasn't for the confidence the Progent group provided us. The fact that you were able to get our e-mail system and essential servers back in less than a week was earth shattering. Each person I got help from or e-mailed at Progent was laser focused on getting us back on-line and was working 24/7 to bail us out."
Progent worked together with the customer to quickly identify and prioritize the essential applications that had to be restored in order to continue departmental operations:
To begin, Progent adhered to ransomware incident mitigation best practices by halting the spread and cleaning up compromised systems. Progent then initiated the steps of recovering Active Directory, the foundation of enterprise systems built upon Microsoft Windows Server technology. Exchange email will not operate without Active Directory, and the business's accounting and MRP system used Microsoft SQL, which depends on Windows AD for authentication to the database.
- Active Directory (AD)
In less than 2 days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then initiated setup and storage recovery of the needed applications. All Exchange links and attributes were usable, which facilitated the restore of Exchange. Progent was able to find intact OST data files (Outlook Email Offline Folder Files) on user workstations to recover email messages. A relatively recent off-line backup of the client's financials/ERP systems made it possible to bring these essential applications back into service for users. Although major work remained to recover completely from the Ryuk attack, critical services were recovered quickly:
"For the most part, the production line operation ran fairly normally throughout and we made all customer orders."
During the next couple of weeks key milestones in the recovery project were completed in tight collaboration between Progent engineers and the customer:
- In-house web sites were brought back up without losing any information.
- The MailStore Server, holding more than four million historical messages, was spun up and made available to users.
- CRM/Customer Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory modules were 100% restored.
- A new Palo Alto 850 firewall was brought on-line.
- Ninety percent of the desktops and laptops were functioning as before the incident.
"A lot of what went on that first week is nearly entirely a blur for me, but our team will not forget the dedication all of you put in to help get our business back. I've trusted Progent for the past 10 years, maybe more, and every time Progent has impressed me and delivered as promised. This situation was no exception but maybe more Herculean."
A likely company-ending catastrophe was dodged with hard-working professionals, a broad spectrum of IT skills, and close collaboration. Although in the post mortem the ransomware penetration detailed here should have been shut down with advanced cyber security technology and recognized best practices, user education, and appropriate security procedures for backups and for keeping systems up to date with security patches, the reality remains that state-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and will continue their attacks. If you do fall victim to a ransomware attack, you can be confident that Progent's team of experts has extensive experience in crypto-ransomware defense, remediation, and information systems restoration.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thank you for letting me get rested after we got over the first week. All of you did a fabulous job, and if anyone is in the Chicago area, dinner is the least I can do!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this case study, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)