Ransomware: Your Worst IT Catastrophe
Ransomware has become a modern cyber pandemic and poses an existential threat to businesses unprepared for an attack. Multiple generations of crypto-ransomware such as the CrySIS, Fusob, Locky, Syskey and MongoLock cryptoworms have been in the wild for a long time and continue to inflict damage. More recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, along with new and as yet unnamed malware appearing daily, not only encrypt online files but also attack any system protection they can reach. Files replicated to off-site disaster recovery sites can also be ransomed. In a poorly designed environment this can make automated restoration impossible and effectively sets the datacenter back to zero.
Restoring applications and data after a ransomware event becomes a race against time as the targeted organization fights to stop lateral movement, remove the crypto-ransomware and restore business-critical operations. Because ransomware needs time to spread, attacks are usually launched on weekends, when successful intrusions tend to take longer to detect. This compounds the difficulty of rapidly mobilizing and coordinating an experienced response team.
Progent offers a range of services for protecting Sorocaba enterprises from crypto-ransomware events. These include staff training to help employees recognize and avoid phishing attacks, and ProSight Active Security Monitoring (ASM), an endpoint detection and response service that uses SentinelOne's behavior-based threat defense to identify and quarantine zero-day modern malware attacks. Progent can also provide veteran ransomware recovery engineers with the skills and commitment to restore a breached system as quickly as possible.
Progent's Crypto-Ransomware Restoration Support Services
Following a ransomware attack, paying the ransom in Bitcoin does not guarantee that the criminals will provide the keys to decrypt any or all of your data. Kaspersky found that 17% of crypto-ransomware victims never recovered their files even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000), well above the typical crypto-ransomware demand, which ZDNET put at approximately $13,000 for smaller organizations. The fallback is to rebuild the mission-critical elements of your IT environment. Without access to complete data backups, this requires a broad range of skills, top-notch team management, and the willingness to work around the clock until the job is done.
For decades, Progent has provided professional IT services to companies throughout the U.S. and has earned Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers with top industry certifications in key technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security experts hold internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and GIAC (see Progent's certifications). Progent also has expertise with financial systems and ERP applications. This breadth of experience allows Progent to quickly identify critical systems, organize the surviving components of your network environment after a ransomware attack, and rebuild them into an operational network.
Progent's security group uses best-of-breed project management tools to coordinate the complex restoration process. Progent understands the importance of working quickly and in concert with a client's management and IT staff to prioritize tasks and get key services back online as fast as humanly possible.
Customer Case Study: A Successful Ransomware Penetration Response
A small business sought out Progent after its organization was crippled by the Ryuk ransomware. Ryuk is believed to have been developed by North Korean state-sponsored hackers, possibly adopting techniques leaked from the U.S. NSA. Ryuk targets specific organizations that have little tolerance for disruption and is among the most profitable ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing business in the Chicago metro area with around 500 staff. The Ryuk attack had shut down all essential business operations and manufacturing processes. Most of the client's data backups had been online at the time of the attack and were damaged. The client was considering paying the ransom (over $200K) and hoping for the best, but ultimately decided to engage Progent.
"I can't speak enough in regards to the care Progent provided us throughout the most stressful period of (our) business's survival. We may have had to pay the hackers if not for the confidence the Progent team gave us. That you were able to get our messaging and essential servers back in less than 1 week was beyond my wildest dreams. Each expert I spoke to or texted at Progent was urgently focused on getting us back online and was working non-stop on our behalf."
Progent worked hand in hand with the customer to quickly understand and prioritize the critical services that had to be restored to allow company operations to continue:
To begin, Progent followed ransomware incident response best practices by stopping lateral movement and cleaning up infected systems. Progent then started the work of restoring Microsoft Active Directory, the foundation of enterprise systems built on Microsoft Windows technology. Exchange email will not function without Active Directory, and the client's MRP system used Microsoft SQL Server, which relies on Windows AD to authenticate users and authorize access to its data.
- Active Directory
Within two days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then helped with setup and storage recovery for critical applications. All Exchange Server links and attributes were usable, which simplified the Exchange restore. Progent was able to gather local OST files (Outlook offline data files) from various desktop and laptop computers to recover mail data. A fairly recent offline backup of the business's accounting/ERP systems made it possible to bring these essential applications back online for users. Although significant work remained to recover fully from the Ryuk attack, core services were restored quickly:
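The recovery sequence described above follows a dependency rule: Active Directory comes first because Exchange and SQL Server cannot authenticate without it, and the ERP application in turn cannot run without SQL Server. The script below, an added example that is not Progent's tooling and not part of the original case study, generalizes that rule into a dependency-ordered recovery runbook. The service names and dependency edges are assumptions drawn from the narrative (the intranet and MailStore edges in particular are assumed, not stated on the page), and the script assumes containment of lateral movement has already been completed before any restoration wave begins.

```python
"""Dependency-ordered recovery plan for the services named in the case study.

Added example, not Progent's tooling. The dependency edges below are
assumptions taken from the narrative: Exchange and SQL Server need Active
Directory, and the MRP/ERP application needs SQL Server. The intranet and
MailStore edges are assumed for illustration only.
"""
from collections import defaultdict, deque

# (service, depends_on) edges, constructed from the case study narrative.
DEPENDENCIES = [
    ("Exchange Server", "Active Directory"),
    ("SQL Server", "Active Directory"),
    ("MRP/ERP", "SQL Server"),
    ("Intranet web sites", "Active Directory"),  # assumed: integrated Windows auth
    ("MailStore archive", "Active Directory"),   # assumed: AD-backed logins
    ("MailStore archive", "Exchange Server"),    # assumed: archive journals Exchange mail
]


def recovery_order(edges):
    """Return services in an order where every dependency is restored first.

    Kahn's topological sort. Raises ValueError when the graph contains a
    cycle, which in a runbook means a circular dependency that engineers
    must break by hand (e.g. a temporary local account) before proceeding.
    """
    deps = defaultdict(set)        # service -> services it needs
    dependents = defaultdict(set)  # service -> services waiting on it
    nodes = set()
    for service, needs in edges:
        deps[service].add(needs)
        dependents[needs].add(service)
        nodes.update((service, needs))

    # Services with no unmet dependencies can be restored immediately.
    ready = deque(sorted(n for n in nodes if not deps[n]))
    order = []
    while ready:
        current = ready.popleft()
        order.append(current)
        for waiting in sorted(dependents[current]):
            deps[waiting].discard(current)
            if not deps[waiting]:
                ready.append(waiting)

    if len(order) != len(nodes):
        stuck = sorted(nodes - set(order))
        raise ValueError(f"circular dependency among: {stuck}")
    return order


def recovery_waves(edges):
    """Group services into waves; everything in one wave can be restored in parallel.

    A service's wave is one more than the deepest wave among its dependencies,
    so wave 1 holds the foundations (here, Active Directory alone).
    """
    order = recovery_order(edges)  # also validates that the graph is acyclic
    deps = defaultdict(set)
    for service, needs in edges:
        deps[service].add(needs)

    wave = {}
    for service in order:  # dependencies always precede dependents in `order`
        wave[service] = 1 + max((wave[d] for d in deps[service]), default=0)

    grouped = defaultdict(list)
    for service, number in wave.items():
        grouped[number].append(service)
    return [sorted(grouped[n]) for n in sorted(grouped)]


if __name__ == "__main__":
    for number, services in enumerate(recovery_waves(DEPENDENCIES), start=1):
        print(f"Wave {number}: {', '.join(services)}")
```

Running the script prints three waves: Active Directory alone, then Exchange, SQL Server and the intranet sites together, then the MailStore archive and MRP/ERP. Putting the dependency graph in data rather than in a checklist means a recovery lead can add the services of a specific environment and get a defensible restoration order, and a circular dependency surfaces as an error before the first rebuild starts rather than as a stalled restore at 3 a.m.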
"For the most part, the production operation showed little impact and we made all customer deliverables."
Over the following month, key milestones in the recovery project were reached in close cooperation between Progent engineers and the customer:
- In-house web sites were brought back up with no loss of data.
- The MailStore email archive server, holding more than 4 million archived emails, was brought back online and made available to users.
- The CRM, customer orders, invoicing, accounts payable, accounts receivable and inventory modules were fully restored.
- A new Palo Alto Networks 850 security appliance was brought online.
- Ninety percent of the desktop computers were fully operational.
"Much of what transpired in the early hours is nearly entirely a fog for me, but my management will not forget the dedication each and every one of you accomplished to give us our company back. I've been working together with Progent for at least 10 years, maybe more, and every time Progent has shined and delivered. This time was the most impressive ever."
A potentially business-killing catastrophe was averted through the efforts of dedicated experts, a wide range of subject matter expertise, and close collaboration. In the post-mortem, the crypto-ransomware intrusion described here should have been detected and stopped by advanced security tools and security best practices: user education, well thought out backup procedures, and proper patch management. The reality, however, is that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and remain an ongoing threat. If you do fall victim to a crypto-ransomware attack, you can be confident that Progent's team of experts has proven experience in crypto-ransomware blocking, remediation, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were contributing), thanks very much for allowing me to get rested after we made it through the most critical parts. Everyone did an amazing job, and if anyone is visiting the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Expertise in Sorocaba
For ransomware cleanup services in the Sorocaba metro area, call Progent at 800-462-8800 or see Contact Progent.