Ransomware: Your Feared IT Catastrophe
Crypto-ransomware has become an escalating cyber pandemic that represents an extinction-level danger for businesses of all sizes unprepared for an assault. Multiple generations of ransomware such as the CryptoLocker, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for years and still inflict harm. More recent variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Nephilim, along with a steady stream of as-yet-unnamed strains, not only encrypt online files but also infiltrate many configured system restores and backups. Files synced to the cloud can also be encrypted. In a poorly designed data protection solution, this can render automatic recovery impossible and effectively sets the datacenter back to zero.
Getting online services and data back after a ransomware intrusion becomes a sprint against the clock as the targeted business fights to contain the damage, clean up the ransomware, and resume mission-critical activity. Since crypto-ransomware takes time to replicate, penetrations are frequently launched during weekends and nights, when intrusions tend to take longer to identify. This multiplies the difficulty of rapidly assembling and orchestrating a knowledgeable mitigation team.
Progent offers a range of help services for securing Sorocaba businesses from ransomware penetrations. These include team member training to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of the latest generation security solutions with machine learning technology to quickly detect and quarantine new threats. Progent also provides the assistance of expert ransomware recovery consultants with the skills and commitment to rebuild a compromised system as urgently as possible.
Progent's Ransomware Recovery Help
After a ransomware penetration, paying the ransom demand in Bitcoin does not ensure that the distant criminals will return the keys to decrypt all your data. Kaspersky Labs estimated that 17% of crypto-ransomware victims never restored their files even after sending off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is far higher than the usual ransomware demand, which ZDNET determined to be approximately $13,000 for smaller businesses. The alternative is to piece the critical parts of your Information Technology environment back together. Absent complete information backups, this calls for a wide complement of skills, well-coordinated project management, and the capability to work continuously until the task is complete.
For twenty years, Progent has provided expert Information Technology services for companies across the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have attained top certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have earned internationally renowned industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise with financial systems and ERP applications. This breadth of expertise gives Progent the skills to knowledgeably identify the important systems, integrate the surviving pieces of your IT system after a ransomware attack, and assemble them into a functioning network.
Progent's recovery team utilizes powerful project management applications to orchestrate the complicated recovery process. Progent understands the importance of acting quickly and together with a client's management and Information Technology team members to assign priority to tasks and to get essential services back online as soon as humanly possible.
Client Story: A Successful Crypto-Ransomware Attack Restoration
A customer contacted Progent after their network was taken over by Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state criminal gangs, suspected of adopting strategies leaked from the U.S. National Security Agency. Ryuk targets specific organizations with little ability to sustain disruption and is among the most profitable iterations of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturer headquartered in Chicago with around 500 employees. The Ryuk intrusion had frozen all business operations and manufacturing processes. Most of the client's system backups had been directly accessible at the start of the intrusion and were destroyed. The client was taking steps to pay the ransom (in excess of $200,000) and hoping for the best, but in the end reached out to Progent.
"I cannot tell you enough about the expertise Progent gave us throughout the most critical time of (our) company's life. We most likely would have paid the cybercriminals if it wasn't for the confidence the Progent team provided us. That you could get our e-mail and important applications back online in less than a week was something I thought impossible. Every single consultant I got help from or communicated with at Progent was hell bent on getting us restored and was working non-stop on our behalf."
Progent worked hand in hand with the client to quickly understand and prioritize the mission-critical applications that had to be recovered in order to continue departmental functions:
- Active Directory
- Microsoft Exchange Email
To get going, Progent followed antivirus incident response best practices by halting the spread and disinfecting systems. Progent then began the task of rebuilding Microsoft Active Directory, the heart of enterprise systems built upon Microsoft Windows technology. Microsoft Exchange Server messaging will not function without Windows AD, and the business's financials and MRP software used Microsoft SQL Server, which depends on Windows AD for authorization to the databases.
In less than 48 hours, Progent was able to recover Active Directory services to their pre-attack state. Progent then completed rebuilding and hard drive recovery on essential systems. All Microsoft Exchange Server data and configuration information were intact, which accelerated the rebuild of Exchange. Progent was able to collect non-encrypted OST data files (Outlook Email Off-Line Folder Files) from team desktop computers to recover mail information. A recent offline backup of the client's accounting/ERP software made it possible to return these vital applications to service. Although a large amount of work remained to recover fully from the Ryuk damage, core services were recovered rapidly:
"For the most part, the production manufacturing operation showed little impact and we produced all customer deliverables."
Throughout the following couple of weeks, critical milestones in the restoration project were accomplished in tight collaboration between Progent team members and the client:
- Self-hosted web sites were restored with no loss of data.
- The MailStore Exchange Server containing more than four million historical messages was brought online and available for users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory capabilities were fully restored.
- A new Palo Alto Networks 850 security appliance was set up.
- Most of the desktop computers were functioning as before the incident.
"A lot of what transpired during the initial response is nearly entirely a blur for me, but my management will not forget the countless hours each and every one of you accomplished to give us our business back. I've utilized Progent for the past 10 years, maybe more, and each time Progent has impressed me and delivered. This time was no exception but maybe more Herculean."
A probable business-killing catastrophe was averted thanks to top-tier experts, a broad array of subject matter expertise, and tight collaboration. In hindsight, the ransomware incident detailed here would have been blocked by advanced cyber security systems and recognized best practices: user and IT administrator education, properly executed security procedures for information protection, and proper patching controls. The fact remains, however, that state-sponsored hackers from Russia, North Korea and elsewhere are relentless and will continue. If you do get hit by a ransomware incursion, feel confident that Progent's roster of experts has extensive experience in ransomware defense, cleanup, and data disaster recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thank you for making it so I could get some sleep after we got over the initial fire. Everyone did an amazing job, and if any of your team is in the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)