Ransomware: Your Crippling Information Technology Nightmare
Ransomware has become an escalating cyber pandemic and an enterprise-level threat for businesses of every size that are unprepared for an attack. Crypto-ransomware families such as CrySIS, WannaCry, Bad Rabbit, Syskey and MongoLock have been rampant for years and continue to inflict damage. Newer families such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Nefilim, plus a steady stream of unnamed newcomers, not only encrypt on-line business-critical data but also seek out and encrypt or delete any backups that are reachable from the compromised network. Data synchronized to cloud storage can be ransomed the same way, because the encrypted files are simply synchronized over the good copies. In a poorly architected environment this renders automated recovery useless and effectively sets the entire system back to zero.
Bringing applications and data back on-line after a ransomware intrusion is a race against the clock as the victim struggles to contain and eradicate the malware and to resume business-critical activity. Because encrypting a large estate takes time, attackers typically trigger the encryption on weekends and at night, when the intrusion is likely to go unnoticed for longer. This multiplies the difficulty of quickly mobilizing and organizing a capable response team.
Progent provides a variety of services for protecting Boise enterprises from ransomware attacks. Among these are training to help staff recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security solutions that use machine learning to detect and block zero-day attacks. Progent also provides experienced ransomware recovery professionals with the track record and commitment to rebuild a breached environment as rapidly as possible.
Progent's Ransomware Recovery Services
After a crypto-ransomware event, paying the ransom in Bitcoin does not guarantee that the attackers will hand over the keys needed to decrypt any or all of your data. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their files after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time). This is well above typical crypto-ransomware demands, which ZDNet put at around $13,000 for smaller organizations. The alternative is to rebuild the mission-critical components of your IT environment. Without usable backups of essential data, this calls for a wide complement of skills, professional project management, and the ability to work non-stop until the recovery project is done.
For decades, Progent has offered expert IT services to companies throughout the United States and has earned Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold high-level certifications in leading technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cybersecurity engineers hold internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise in accounting and ERP applications. This breadth of experience gives Progent the skills to quickly identify the systems that must be restored, salvage the surviving components of your network following a ransomware event, and assemble them into an operational environment.
Progent's recovery group uses up-to-date project management tools to orchestrate the complicated restoration process. Progent understands the importance of acting swiftly and working alongside a client's management and IT staff to prioritize tasks and get key applications back on line as soon as possible.
Business Case Study: A Successful Crypto-Ransomware Intrusion Restoration
A customer engaged Progent after its organization was compromised by Ryuk ransomware. Early analysis attributed Ryuk to North Korean state-sponsored actors because it shares code with the Hermes ransomware; later research tied it to Russian-speaking criminal groups. Ryuk targets specific organizations that have little tolerance for operational disruption and is among the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a manufacturer headquartered in Chicago with around 500 employees. The Ryuk intrusion had paralyzed all business operations and manufacturing capabilities. Most of the client's backups had been on-line at the time of the attack and were encrypted along with everything else. The client considered paying the ransom demand (in excess of $200K) and hoping for the best, but ultimately engaged Progent.
"I cannot tell you enough in regards to the help Progent provided us throughout the most fearful time of (our) business's survival. We may have had to pay the cybercriminals if not for the confidence the Progent group provided us. That you could get our e-mail system and production applications back online quicker than one week was incredible. Every single consultant I got help from or communicated with at Progent was hell bent on getting us back on-line and was working at all hours to bail us out."
Progent worked hand in hand with the client to rapidly identify and prioritize the key elements that had to be recovered in order to resume company operations:
- Windows Active Directory
- Accounting and Manufacturing Software
To start, Progent followed ransomware incident response best practices by isolating infected hosts to halt lateral movement and then cleaning them. Progent then began the work of bringing Active Directory back online, the heart of enterprise environments built on Microsoft Windows technology. Microsoft Exchange email will not function without Windows AD, and the client's financial and MRP applications used SQL Server, which relied on Windows AD for authentication to the database.
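Before any restore can be prioritized, the responders have to know which backup and data files survived and which were encrypted in place. As an added example (not Progent's code or tooling, and not part of the original case study), the script below triages a set of files using two checks practitioners commonly combine: a known-format header (magic bytes) proves a file is intact, and a high Shannon entropy across a file with no recognizable header suggests ciphertext. The sample files, the magic-byte table and the thresholds are constructed for this example and are assumptions; extend the table with the formats that actually exist in your own estate.

```python
import math
import hashlib
from collections import Counter

# Magic bytes of a few formats that should exist in an intact backup set.
# Assumed list for this example; extend it with the formats in your own estate.
KNOWN_MAGIC = {
    b"!BDN": "Outlook PST/OST",
    b"PK\x03\x04": "ZIP-based archive (docx, xlsx, jar, ...)",
    b"%PDF": "PDF",
    b"TAPE": "Microsoft Tape Format (SQL Server .bak)",
    b"MZ": "Windows executable",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, high_entropy: float = 7.5, min_size: int = 1024) -> str:
    """Header match wins; otherwise a large, near-random file is flagged as likely ciphertext.

    Small files are left 'unknown' because a few hundred random bytes cannot reach
    the entropy threshold reliably (too few samples per byte value).
    """
    for magic, fmt in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return f"intact ({fmt} header)"
    if len(data) >= min_size and shannon_entropy(data) >= high_entropy:
        return "likely encrypted"
    return "unknown"


def triage(files: dict) -> dict:
    """Map each file name to its classification."""
    return {name: classify(content) for name, content in files.items()}


def _pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for ciphertext: chained SHA-256 output, statistically uniform."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed sample "backup set" (not real customer data).
SAMPLES = {
    # Intact mailbox cache: correct OST/PST header, low-entropy body.
    "accounting_2019Q4.ost": b"!BDN" + b"\x00" * 512 + b"Inbox;Sent Items;" * 100,
    # Database file whose contents were encrypted in place: no header, near-random body.
    "ledger.accdb": _pseudo_random(4096),
    # Plain-text file (a ransom note looks like this): low entropy, no known header.
    "ReadMe.txt": b"Your network has been penetrated. Contact us to get the decryption key.\n" * 20,
    # Too small to judge by entropy alone.
    "small.cfg": _pseudo_random(100),
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:24s} {verdict}")
```

The header check runs first because compressed formats (ZIP-based Office files, PDFs with embedded images) are also high-entropy and would otherwise be misreported as encrypted. The reverse failure also exists: some families encrypt only part of each file and leave the header intact, so on a real engagement sample entropy across several offsets of the file rather than trusting the first few bytes alone.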
Within 48 hours, Progent had rebuilt Active Directory to its pre-attack state. Progent then assisted with reinstallations and hard drive recovery for the required applications. The Exchange-related objects and attributes in Active Directory were intact, which simplified the rebuild of Exchange. Progent was able to gather the local OST files (Microsoft Outlook Offline Data Files) from various workstations to recover email data. A reasonably recent off-line backup of the customer's accounting software made it possible to bring these essential applications back to users. Although a large amount of work remained to recover completely from the Ryuk event, core services were returned to operation rapidly:
"For the most part, the production manufacturing operation did not miss a beat and we delivered all customer deliverables."
Over the following month, important milestones in the recovery project were reached in close cooperation between Progent engineers and the customer:
- Internal web applications were brought back up with no loss of information.
- The MailStore email archive server, holding more than four million archived messages, was brought back up and made accessible to users.
- CRM, orders, invoicing, accounts payable, accounts receivable and inventory control functions were 100% operational.
- A new Palo Alto Networks PA-850 firewall was brought on-line.
- Ninety percent of the user workstations were operational.
"Much of what happened those first few days is nearly entirely a haze for me, but our team will not forget the urgency each of the team put in to help get our business back. I have trusted Progent for at least 10 years, maybe more, and each time Progent has shined and delivered as promised. This time was a testament to your capabilities."
A probable business-extinction catastrophe was averted through the efforts of results-oriented professionals, a broad range of IT skills, and close collaboration. In the post mortem it was clear that the intrusion described here could very likely have been prevented with modern security controls, adherence to the NIST Cybersecurity Framework or ISO/IEC 27001, staff education, and sound procedures for off-line backups and timely patching. The reality remains that state-sponsored and criminal attackers, from China, North Korea, Russia and elsewhere, are relentless and are not going away. If you do fall victim to crypto-ransomware, you can be confident that Progent's roster of professionals has substantial experience in ransomware prevention, removal and data recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thanks very much for letting me get rested after we made it over the first week. Everyone did a fabulous job, and if any of your team is around the Chicago area, dinner is the least I can do!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)