Ransomware : Your Crippling Information Technology Disaster
Ransomware has become an all-too-frequent cyber pandemic that represents an enterprise-level threat for businesses of every size. Older ransomware families such as CrySIS, Fusob, Locky, SamSam and MongoLock cryptoworms have been in the wild for a long time and still inflict damage. More recent families such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Egregor, along with new and as yet unnamed variants appearing daily, not only encrypt on-line information but also infect many configured system backups. Information synched to cloud environments can also be rendered useless. In a poorly architected data protection solution, this defeats automatic recovery and effectively sets the datacenter back to square one.
Getting services and information back on-line after a ransomware outage becomes a sprint against the clock as the targeted business struggles to stop lateral movement, eradicate the ransomware, and resume mission-critical operations. Because crypto-ransomware needs time to spread, attacks are frequently launched on weekends, when a successful attack may take longer to discover. This multiplies the difficulty of promptly assembling and coordinating an experienced mitigation team.
Progent makes available a range of services for securing Huntington Beach businesses from crypto-ransomware penetrations. These include team member training to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, in addition to setup and configuration of the latest generation security solutions with AI technology to rapidly discover and quarantine zero-day threats. Progent in addition provides the services of seasoned ransomware recovery professionals with the talent and commitment to rebuild a compromised network as rapidly as possible.
Progent's Ransomware Recovery Services
After a crypto-ransomware attack, even paying the ransom in cryptocurrency does not ensure that the criminals will provide the keys to decrypt any or all of your data. Kaspersky ascertained that 17% of ransomware victims never recovered their information even after paying the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET estimated to be in the range of $13,000 for small organizations. The fallback is to piece back together the key components of your IT environment. Without access to complete information backups, this requires a wide complement of skill sets, well-coordinated team management, and the willingness to work non-stop until the recovery project is completed.
For decades, Progent has offered certified expert IT services for companies across the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have earned top industry certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have garnered internationally-recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications). Progent also has expertise with financial systems and ERP application software. This breadth of expertise affords Progent the capability to efficiently identify important systems and organize the remaining pieces of your computer network system following a ransomware attack and rebuild them into a functioning system.
Progent's security team deploys best of breed project management applications to coordinate the complicated restoration process. Progent appreciates the importance of acting swiftly and in concert with a client's management and IT staff to assign priority to tasks and to get essential applications back on-line as fast as possible.
Business Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A customer engaged Progent after their organization was attacked by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state-sponsored hackers, suspected of adopting approaches leaked from the U.S. NSA. Ryuk goes after specific organizations with little tolerance for operational disruption and is one of the most lucrative incarnations of ransomware. Headline victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company based in Chicago with around 500 staff members. The Ryuk intrusion had brought down all company operations and manufacturing capabilities. The majority of the client's system backups had been on-line at the beginning of the intrusion and were eventually encrypted. The client was evaluating paying the ransom (exceeding $200K) and hoping for the best, but in the end called Progent.
"I cannot say enough about the expertise Progent gave us during the most stressful period of (our) company's life. We had little choice but to pay the cyber criminals behind the attack except for the confidence the Progent team afforded us. That you could get our e-mail and production servers back online in less than seven days was something I thought impossible. Every single expert I got help from or communicated with at Progent was hell bent on getting our company operational and was working 24/7 to bail us out."
Progent worked with the customer to quickly identify and prioritize the essential systems that had to be recovered in order to resume business operations:
To begin, Progent followed industry best practices for malware incident mitigation by stopping the spread and performing virus removal steps. Progent then initiated the task of bringing Microsoft Active Directory back online, the heart of enterprise networks built on Microsoft Windows technology. Exchange messaging will not operate without Windows AD, and the customer's financials and MRP system relied on Microsoft SQL, which requires Active Directory services for access to the database.
- Active Directory
In less than 2 days, Progent was able to recover Windows Active Directory to its pre-virus state. Progent then performed reinstallations and hard drive recovery of the most important systems. All Exchange ties and attributes were usable, which accelerated the rebuild of Exchange. Progent was also able to assemble non-encrypted OST data files (Outlook Off-Line Folder Files) from various PCs in order to recover mail messages. A relatively recent off-line backup of the client's financials/ERP software made it possible to bring these essential services back online for users. Although major work remained to recover fully from the Ryuk event, core systems were restored quickly:
"For the most part, the assembly line operation showed little impact and we delivered all customer orders."
Over the following couple of weeks key milestones in the recovery project were achieved through tight collaboration between Progent engineers and the customer:
- Self-hosted web applications were restored with no loss of information.
- The MailStore Server exceeding four million archived emails was brought online and accessible to users.
- CRM/Orders/Invoices/Accounts Payable/AR/Inventory modules were 100 percent operational.
- A new Palo Alto Networks 850 security appliance was installed.
- Ninety percent of the user PCs were operational.
"A huge amount of what occurred in the early hours is nearly entirely a haze for me, but we will not forget the commitment each and every one of your team put in to help get our company back. I have been working with Progent for the past ten years, possibly more, and every time Progent has come through and delivered. This time was the most impressive ever."
A probable company-ending catastrophe was avoided through dedicated experts, a broad range of knowledge, and close collaboration. In hindsight, the crypto-ransomware attack described here should have been blocked by modern cyber security technology and security best practices: user education, well thought out security procedures for data protection, and proper patching controls. The fact remains, however, that government-sponsored cyber criminals from China, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware incursion, you can be confident that Progent's team of professionals has extensive experience in ransomware blocking, removal, and information systems recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for making it so I could get some sleep after we got through the first week. Everyone did an incredible effort, and if any of your team is in the Chicago area, dinner is on me!"
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Services in Huntington Beach
For ransomware system restoration consulting in the Huntington Beach metro area, phone Progent at 800-462-8800 or see Contact Progent.