Ransomware: Your Feared Information Technology Nightmare
Ransomware has become an escalating cyber plague that presents an extinction-level threat to businesses of any size that are poorly prepared for an attack. Earlier families of crypto-ransomware such as Dharma, WannaCry, Bad Rabbit, NotPetya and MongoLock have been circulating for years and still inflict damage. Newer families such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit and Nephilim, along with many less publicized strains, not only encrypt online files but also delete or encrypt system restore points and any backups reachable from the compromised network. Files synced to cloud storage can be encrypted as well, and the encrypted copies then propagate to the cloud. In a poorly designed data protection solution this makes automated restore operations hopeless and effectively sets the network back to square one.
Recovering applications and data after a crypto-ransomware attack becomes a race against time as the victim works to contain and eradicate the ransomware and to resume mission-critical operations. Because crypto-ransomware takes time to spread, attacks are often launched at night and on weekends, when a successful intrusion typically takes longer to notice. This multiplies the difficulty of rapidly assembling and organizing a capable response team.
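As an added illustration of the backup-tampering behavior described above (example code written for this page, not Progent's tooling), the following Python flags Windows process-creation events for the commands that ransomware families such as Ryuk run shortly before encrypting: deleting Volume Shadow Copies, deleting the Windows Backup catalog, and disabling the boot-time recovery environment. The event fields, host names, user names and command lines are constructed for the example; in production the records would come from Security event 4688 or Sysmon event 1 forwarded to a SIEM.

```python
"""Flag process-creation events typical of ransomware destroying recovery data.

Added example, not Progent's code. The event shape (host, user, parent,
command_line) is an assumption standing in for Windows 4688 / Sysmon 1
records; the sample events below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass

# Commands that destroy or disable local recovery options. Each entry is
# (technique label, regex over the full command line). Matching is
# case-insensitive because these tools accept either case.
RECOVERY_TAMPERING = [
    ("shadow copy deletion (vssadmin)",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow copy storage shrunk to purge copies (vssadmin)",
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b.*/maxsize=", re.I)),
    ("shadow copy deletion (wmic)",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("backup catalog deletion (wbadmin)",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I)),
    ("Windows recovery disabled (bcdedit)",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("shadow copy deletion (PowerShell WMI)",
     re.compile(r"Win32_ShadowCopy\b.*\bDelete\b", re.I)),
]


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent: str
    command_line: str


@dataclass
class Alert:
    host: str
    user: str
    technique: str
    command_line: str


def classify(event):
    """Return the technique labels whose pattern matches this event's command line."""
    return [label for label, rx in RECOVERY_TAMPERING if rx.search(event.command_line)]


def detect(events):
    """Produce one Alert per (event, matched technique)."""
    alerts = []
    for ev in events:
        for technique in classify(ev):
            alerts.append(Alert(ev.host, ev.user, technique, ev.command_line))
    return alerts


def high_priority(alerts):
    """Hosts where two or more distinct techniques fired. A lone vssadmin
    resize can be an administrator reclaiming disk; several recovery-killing
    commands on one host in one batch is an encryptor's pre-flight."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.technique)
    return sorted(host for host, techniques in by_host.items() if len(techniques) >= 2)


# Constructed sample events (assumed hosts and users, not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("FILESRV01", "CORP\\svc_backup", "wbadmin.exe",
                 "wbadmin start backup -backupTarget:E: -include:C: -quiet"),
    ProcessEvent("WKS-ACCT-07", "CORP\\jdoe", "cmd.exe",
                 "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcessEvent("WKS-ACCT-07", "CORP\\jdoe", "cmd.exe",
                 "wbadmin.exe delete catalog -quiet"),
    ProcessEvent("WKS-ACCT-07", "CORP\\jdoe", "cmd.exe",
                 "bcdedit /set {default} recoveryenabled No"),
    ProcessEvent("DC01", "CORP\\Administrator", "powershell.exe",
                 "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
    ProcessEvent("DC01", "CORP\\Administrator", "explorer.exe",
                 "notepad.exe C:\\Users\\Administrator\\notes.txt"),
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.host} {a.user}: {a.technique} :: {a.command_line}")
    print("hosts to isolate immediately:", high_priority(found))
```

On the constructed input the legitimate backup job and the notepad launch produce nothing, the three commands on WKS-ACCT-07 each fire a separate technique, and DC01 fires only the resize pattern, so only WKS-ACCT-07 is escalated for isolation. The same grouping logic can be reused for lateral-movement telemetry, but the point here is that these commands are the earliest reliable host-side signal that restore points and online backups are about to go.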
Progent offers a range of services for protecting Allen businesses from ransomware attacks. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security gateways with machine learning capabilities that detect and block zero-day threats. Progent can also provide experienced ransomware recovery engineers with the skills and commitment to rebuild a breached network as rapidly as possible.
Progent's Ransomware Restoration Help
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminals will respond with the keys to decrypt all your files. Kaspersky determined that 17% of ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also very costly: Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000), far above the typical ransomware demand, which ZDNet estimated at around $13,000 for small businesses. The alternative is to rebuild the critical parts of your IT environment. Without complete data backups, this requires a broad range of skills, well-coordinated project management, and the ability to work 24x7 until the job is done.
For decades, Progent has provided expert IT services to businesses throughout the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who hold advanced certifications in leading technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security consultants hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC (see Progent's certifications). Progent also has expertise in accounting and ERP application software. This breadth of experience gives Progent the ability to quickly identify which systems are essential, salvage the remaining pieces of your network after a crypto-ransomware penetration, and reassemble them into a working environment.
Progent's security team uses best-of-breed project management tools to coordinate the complex recovery process. Progent appreciates the importance of working rapidly and in partnership with a customer's management and IT staff to prioritize tasks and to bring critical services back online as soon as humanly possible.
Client Case Study: A Successful Ransomware Penetration Restoration
A customer escalated to Progent after their network was taken over by Ryuk ransomware. Ryuk was at first attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, although later analysis attributed it to Russian-speaking criminal groups; its operators are suspected of using techniques derived from tools leaked from America's National Security Agency. Ryuk targets specific organizations that can tolerate little downtime and is among the most lucrative strains of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company in Chicago with around 500 employees. The Ryuk attack had shut down all company operations, including manufacturing. Most of the client's backups had been online and reachable at the time of the attack and were destroyed. The client was arranging financing to pay the ransom (more than two hundred thousand dollars) and hoping for the best, but in the end engaged Progent.
"I can't say enough about the expertise Progent provided us throughout the most stressful time of (our) company's life. We would have paid the cyber criminals if not for the confidence the Progent experts afforded us. The fact that you could get our e-mail and key servers back in less than 1 week was beyond my wildest dreams. Each consultant I got help from or texted at Progent was totally committed to getting our system up and was working non-stop to bail us out."
Progent worked hand in hand with the client to quickly identify and prioritize the essential services that had to be recovered for business operations to continue:
- Active Directory
- Electronic mail
To begin, Progent followed ransomware incident response best practices by stopping the spread and removing the malware. Progent then started rebuilding Active Directory (AD), the core technology of enterprise networks built on Microsoft Windows. Exchange messaging does not work without AD, and the client's accounting and MRP system ran on SQL Server configured to authenticate users through Active Directory.
Within 48 hours, Progent had rebuilt Active Directory to its pre-attack state. Progent then completed the reinstallation and storage recovery of the most important servers. The Exchange schema extensions and configuration attributes in AD were intact, which accelerated the Exchange rebuild. Progent was also able to locate local OST files (Outlook Offline Data Files) on staff desktops and laptops and recover mail data from them. A reasonably recent offline backup of the client's financials/ERP system made it possible to bring these vital applications back online for users. Although a great deal of work remained to recover fully from the Ryuk attack, the most important services were restored quickly:
"For the most part, the production line operation ran fairly normally throughout and we made all customer orders."
Over the following month, critical milestones in the recovery project were completed through close collaboration between Progent engineers and the client:
- In-house web applications were restored without losing any data.
- The MailStore archive of Exchange mail, holding more than four million historical messages, was restored and made accessible to users.
- CRM, orders, invoicing, accounts payable (AP), accounts receivable (AR) and inventory functions were fully operational.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- Most desktop computers were working as they had before the incident.
"Much of what went on in the early hours is nearly entirely a blur for me, but we will not forget the care each and every one of you put in to give us our company back. I have entrusted Progent for at least 10 years, maybe more, and each time I needed help Progent has shined and delivered as promised. This situation was a testament to your capabilities."
A potentially business-ending catastrophe was averted through the efforts of top-tier professionals, a wide array of technical expertise, and close teamwork. In hindsight, the incident described here could have been prevented with modern security controls, the NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and well-thought-out incident response procedures covering offline backups and timely security patching. Even so, state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and remain an ongoing threat. If you do fall victim to crypto-ransomware, Progent's team has substantial experience in ransomware prevention, cleanup, and disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), I'm grateful for making it so I could get some sleep after we got through the most critical parts. Everyone made an impressive effort, and if any of your team is in the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)