Crypto-Ransomware: Your Crippling Information Technology Catastrophe
Ransomware has become an escalating cyber plague that poses an enterprise-level threat to businesses poorly prepared for an attack. Multiple generations of ransomware, including Reveton, WannaCry, Bad Rabbit, NotPetya and MongoLock, have been running rampant for years and still cause harm. Modern strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Snatch and Egregor, plus newer strains that have not yet been named, not only encrypt online data but also seek out and disable any reachable protection mechanisms, such as volume shadow copies and backup servers. Data synchronized to off-site disaster recovery sites can be corrupted as well, because a replica faithfully copies the encrypted files over the clean ones. With a vulnerable data protection solution this can render automatic restore operations hopeless and effectively knock the network back to square one.
Retrieving applications and data after a crypto-ransomware intrusion becomes a race against the clock as the victim fights to stop lateral movement, clean up the ransomware and resume business-critical activity. Because encryption and propagation take time, attacks are usually launched on weekends and holidays, when a successful attack is likely to go undetected for longer. This multiplies the difficulty of quickly assembling and organizing a capable mitigation team.
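The point above about synced DR copies deserves a concrete check. The following is an added example, not Progent's code or anything from the original page: it simulates a production file share, a naive one-way mirror to a DR site, and an append-only versioned store (modelled on object-lock or WORM backup targets). The file contents, the "nightly" schedule and the toy XOR cipher standing in for the attacker's encryption are all constructed for the demo; the replication behaviour is the thing to look at.

```python
"""Why a DR mirror is not a backup once ransomware runs, and why an immutable,
versioned copy still lets you restore. Added example; all data is constructed."""
from __future__ import annotations

import copy
import hashlib
from dataclasses import dataclass, field

# Constructed sample "production" file share: path -> bytes
PRODUCTION: dict[str, bytes] = {
    "finance/ledger.xlsx": b"Q1 revenue 1,250,000",
    "mrp/bom.csv": b"part,qty\nbolt,400\nplate,20",
    "exchange/mailbox.edb": b"From: ceo@example.com ...",
}


def toy_encrypt(data: bytes, key: int = 0x5A) -> bytes:
    """Stand-in for the attacker's cipher (XOR so the demo runs offline)."""
    return bytes(b ^ key for b in data)


def ransomware_run(fs: dict[str, bytes]) -> None:
    """Encrypt every file in place and rename it, like a typical crypto-locker."""
    for path in list(fs):
        fs[path + ".locked"] = toy_encrypt(fs.pop(path))


def _digest(fs: dict[str, bytes]) -> str:
    return hashlib.sha256(repr(sorted(fs.items())).encode()).hexdigest()


@dataclass
class MirrorSite:
    """Naive DR replica: one-way sync that always converges to production,
    so deletions, renames and encrypted content all propagate."""
    data: dict[str, bytes] = field(default_factory=dict)

    def sync(self, prod: dict[str, bytes]) -> None:
        self.data = copy.deepcopy(prod)


@dataclass
class ImmutableStore:
    """Versioned, append-only store: a snapshot is written once and never
    modified, and its hash is checked before it is trusted for restore."""
    snapshots: list[tuple[str, dict[str, bytes], str]] = field(default_factory=list)

    def snapshot(self, tag: str, prod: dict[str, bytes]) -> None:
        frozen = copy.deepcopy(prod)
        self.snapshots.append((tag, frozen, _digest(frozen)))

    def restore(self, tag: str) -> dict[str, bytes]:
        for t, frozen, digest in self.snapshots:
            if t == tag:
                if _digest(frozen) != digest:
                    raise RuntimeError(f"snapshot {tag} failed integrity check")
                return copy.deepcopy(frozen)
        raise KeyError(tag)


def is_clean(fs: dict[str, bytes]) -> bool:
    """A restore source is usable only if nothing in it has been encrypted."""
    return not any(p.endswith(".locked") for p in fs)


def simulate() -> dict[str, bool]:
    prod = copy.deepcopy(PRODUCTION)
    mirror, vault = MirrorSite(), ImmutableStore()

    # Normal operations: nightly sync to DR plus a snapshot to the vault.
    mirror.sync(prod)
    vault.snapshot("nightly-before", prod)

    # Attack lands over a weekend; the scheduled jobs run afterwards and
    # faithfully replicate the damage to both targets.
    ransomware_run(prod)
    mirror.sync(prod)                      # mirror now holds only encrypted files
    vault.snapshot("nightly-after", prod)  # a useless new snapshot is appended...

    restored = vault.restore("nightly-before")  # ...but the old one is untouched
    return {
        "production_clean": is_clean(prod),
        "mirror_clean": is_clean(mirror.data),
        "vault_clean": is_clean(restored),
        "vault_matches_original": restored == PRODUCTION,
    }


if __name__ == "__main__":
    for name, ok in simulate().items():
        print(f"{name}: {ok}")
```

The mirror ends up holding exactly the encrypted files, which is the "automatic restore is hopeless" case from the paragraph above; the versioned store keeps the pre-attack snapshot because nothing in the pipeline can overwrite or delete an existing version. The integrity check in restore is the minimum you want before trusting any backup copy after an incident.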
Progent offers a variety of services for protecting Sorocaba organizations from ransomware attacks. These include staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of the latest generation of security appliances with AI technology to detect and suppress new threats. Progent also offers the services of expert ransomware recovery consultants with the skill and commitment to re-deploy a breached system as quickly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware penetration, even paying the ransom in Bitcoin gives no assurance that the criminals will supply the keys to decrypt all of your data. Kaspersky determined that seventeen percent of ransomware victims never restored their files after paying the ransom, compounding their losses. Paying is also very costly: Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000), far higher than typical ransomware demands, which ZDNet estimated at around $13,000 for smaller businesses. The other path is to re-install the essential elements of your IT environment. Without access to complete, clean backups, this requires a broad complement of IT skills, top-notch team management, and the willingness to work 24x7 until the job is complete.
For two decades, Progent has provided expert IT services for companies throughout the US and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have attained advanced certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications). Progent also has expertise with financial management and ERP application software. This breadth of experience gives Progent the ability to efficiently identify critical systems, consolidate the surviving pieces of your IT environment after a ransomware event, and assemble them into a functioning network.
Progent's ransomware team uses state-of-the-art project management tools to orchestrate the complicated recovery process. Progent knows the urgency of working quickly and in concert with a client's management and IT resources to prioritize tasks and to put key applications back on line as fast as possible.
Client Case Study: A Successful Ransomware Intrusion Recovery
A client contacted Progent after their organization was taken over by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, although later analysis tied it to Russian-speaking criminal groups. Ryuk targets specific businesses with limited ability to sustain operational disruption and is among the most profitable ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in the Chicago metro area with around 500 staff members. The Ryuk penetration had frozen all business operations and manufacturing capabilities. Most of the client's data backups had been on-line at the start of the intrusion and were damaged. The client was considering paying the ransom (exceeding two hundred thousand dollars) and hoping for good luck, but in the end brought in Progent.
"I cannot tell you enough about the expertise Progent provided us during the most stressful time of (our) business's existence. We may have had to pay the criminal gangs if not for the confidence the Progent group provided us. That you were able to get our e-mail and important servers back into operation in less than a week was something I thought impossible. Every single consultant I spoke to or communicated with at Progent was hell bent on getting my company operational and was working at all hours to bail us out."
Progent worked with the client to rapidly identify and prioritize the key systems that had to be recovered in order to restart business functions:
- Active Directory (AD)
- MRP System
To begin, Progent followed ransomware incident response best practices by isolating infected systems and removing the malware. Progent then started the work of bringing Active Directory back online, since AD is the core of enterprise environments built on Microsoft technology: Microsoft Exchange Server messaging will not work without AD, and the business's accounting and MRP applications ran on Microsoft SQL Server, which relied on Windows AD authentication for access to the data.
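The ordering reasoning in the case study (AD before Exchange and SQL Server, SQL Server before the accounting and MRP applications) is a dependency graph, and it is worth making it explicit so the order is not left to memory at 3 a.m. The following is an added example, not Progent's own tooling: the service names, dependencies and restore-source states are constructed to mirror the narrative above, and the three source states ("backup", "rebuild", "salvage") are an assumed classification.

```python
"""Recovery-wave planner: groups services into waves in which every service
depends only on earlier waves, so each wave can be worked in parallel.
Added example with constructed data; not code from the original page."""
from __future__ import annotations

# service -> (services it needs first, restore source state)
# "backup"  = clean off-line backup available, restore it
# "rebuild" = backups were on-line and got encrypted, rebuild by hand
# "salvage" = no backup, reconstruct from surviving artefacts (e.g. OST files)
SERVICES: dict[str, tuple[set[str], str]] = {
    "Active Directory": (set(), "rebuild"),
    "Microsoft Exchange": ({"Active Directory"}, "salvage"),
    "SQL Server": ({"Active Directory"}, "rebuild"),
    "Accounting": ({"SQL Server"}, "backup"),
    "MRP": ({"SQL Server"}, "rebuild"),
    "Web sites": (set(), "backup"),
}

ACTIONS = {
    "backup": "restore from clean off-line backup",
    "rebuild": "rebuild from scratch",
    "salvage": "reconstruct from surviving artefacts",
}


def recovery_waves(services: dict[str, tuple[set[str], str]]) -> list[list[str]]:
    """Kahn's algorithm over the dependency graph. Raises on an unknown
    dependency or a cycle, both of which are planning errors to fix first."""
    indegree = {name: len(deps) for name, (deps, _) in services.items()}
    dependants: dict[str, set[str]] = {name: set() for name in services}
    for name, (deps, _) in services.items():
        for dep in deps:
            if dep not in services:
                raise KeyError(f"{name} depends on unknown service {dep!r}")
            dependants[dep].add(name)

    waves: list[list[str]] = []
    current = sorted(name for name, n in indegree.items() if n == 0)
    while current:
        waves.append(current)
        released = []
        for name in current:
            for child in dependants[name]:
                indegree[child] -= 1
                if indegree[child] == 0:
                    released.append(child)
        current = sorted(released)

    placed = sum(len(w) for w in waves)
    if placed != len(services):
        stuck = sorted(n for n, d in indegree.items() if d > 0)
        raise ValueError(f"dependency cycle among {stuck}")
    return waves


def recovery_plan(services: dict[str, tuple[set[str], str]]) -> list[tuple[int, str, str]]:
    """Flatten the waves into (wave number, service, action) work items."""
    plan = []
    for wave_no, wave in enumerate(recovery_waves(services), start=1):
        for name in wave:
            plan.append((wave_no, name, ACTIONS[services[name][1]]))
    return plan


def blocked_restores(services: dict[str, tuple[set[str], str]]) -> list[str]:
    """Services that have a clean backup but cannot be restored yet because
    something they depend on has to be rebuilt or salvaged first. These are
    the 'fast' restores that are actually gated on slow work."""
    out = []
    for name, (deps, state) in services.items():
        if state == "backup" and any(services[d][1] != "backup" for d in deps):
            out.append(name)
    return sorted(out)


if __name__ == "__main__":
    for wave_no, name, action in recovery_plan(SERVICES):
        print(f"wave {wave_no}: {name:20s} {action}")
    print("gated on rebuild/salvage work:", blocked_restores(SERVICES))
```

With the constructed data the planner puts Active Directory and the self-hosted web sites in the first wave, Exchange and SQL Server in the second, and Accounting and MRP in the third, and it flags Accounting as a restore that is quick in itself but gated on rebuilding SQL Server and AD, which matches the sequence described in the case study.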
In less than two days, Progent rebuilt Active Directory to its pre-intrusion state. Progent then rebuilt mission-critical systems and recovered their hard drives. All Microsoft Exchange Server connections and configuration data were intact, which accelerated the rebuild of Exchange. Progent was also able to gather local OST files (Outlook offline data files) from various PCs in order to recover mail messages. A recent off-line backup of the client's accounting software made it possible to bring these essential applications back on-line. Although major work remained to recover completely from the Ryuk damage, core systems were recovered rapidly:
"For the most part, the assembly line operation survived unscathed and we did not miss any customer shipments."
Over the following month, key milestones in the recovery were reached through close cooperation between Progent consultants and the client:
- Self-hosted web sites were returned to operation without losing any data.
- The MailStore email archive server, holding more than four million archived Exchange messages, was brought back up and made available to users.
- CRM, orders, invoicing, accounts payable (AP), accounts receivable (AR) and inventory capabilities were fully restored.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- Ninety percent of user desktops were functioning as before the incident.
"A huge amount of what went on in the early hours is nearly entirely a blur for me, but I will not forget the urgency each of your team showed to help get our business back. I've trusted Progent for the past 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered. This situation was a Herculean accomplishment."
A probable business-killing disaster was averted thanks to hard-working professionals, a wide array of IT skills, and close teamwork. In hindsight, the ransomware incident described here could have been stopped by modern cyber security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, and well thought out procedures for off-line backups and timely software patching. The reality remains, however, that criminal and state-sponsored attackers from Russia, China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware incursion, you can be confident that Progent's team of professionals has a proven track record in ransomware prevention, cleanup, and data recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), I’m grateful for letting me get some sleep after we made it past the first week. All of you did an amazing job, and if anyone that helped is visiting the Chicago area, dinner is the least I can do!"
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this customer story, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)