Ransomware: Your Crippling Information Technology Disaster
Ransomware has become an all-too-frequent cyberplague that poses an enterprise-level threat to businesses of every size that are unprepared for an attack. Earlier strains such as Reveton, WannaCry, Bad Rabbit, Syskey lockers and MongoLock have circulated for years and still cause damage. Current families such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Conti and Egregor, along with many lesser-known variants, not only encrypt critical online data but also seek out and destroy every backup the attacker can reach with the credentials they have stolen. Data replicated to an off-site disaster recovery site can be encrypted as well, because replication faithfully copies the damage. In a poorly architected data protection design this leaves automated recovery hopeless and effectively knocks the entire environment back to square one.
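The failure mode above, backups that are reachable from a compromised domain and therefore die with the production data, is easy to check for before an incident. The following is an added example, not Progent's code or part of the original page: it scores a constructed backup inventory against the 3-2-1 rule plus the requirement that at least one copy be offline or immutable. The inventory, the dataset names and the survival rule (an attacker with domain admin can destroy anything online and not retention-locked; replicas mirror the damage) are assumptions made for illustration.

```python
"""Added example (not Progent's code): score a backup inventory against ransomware
run with stolen domain-admin credentials. The inventory below is constructed and
the survival rule in survives_domain_compromise() is an assumption."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str             # e.g. "disk", "tape", "object"
    offsite: bool           # stored at a different site from production
    online: bool            # mounted, or reachable with production-domain credentials
    immutable: bool         # WORM tape, object lock or similar retention lock
    last_success: datetime  # completion time of the most recent good copy


def survives_domain_compromise(copy: BackupCopy) -> bool:
    """Assumption: an attacker holding domain admin can encrypt or delete any copy
    that is online and not immutable, and replication carries the damage to every
    replica. Offline media and retention-locked objects stay intact."""
    return copy.immutable or not copy.online


def assess(dataset: str, copies: list[BackupCopy], now: datetime) -> dict:
    """Return the copies that would survive, the recovery point (age in hours of
    the newest surviving copy) and any gaps against 3-2-1 plus one offline or
    immutable copy."""
    surviving = [c for c in copies if survives_domain_compromise(c)]
    findings = []
    if len(copies) < 3:
        findings.append("fewer than 3 copies")
    if len({c.medium for c in copies}) < 2:
        findings.append("single medium")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    if not surviving:
        findings.append("no offline or immutable copy: unrecoverable after domain compromise")
    newest = max((c.last_success for c in surviving), default=None)
    rpo_hours = None if newest is None else (now - newest).total_seconds() / 3600
    return {"dataset": dataset, "surviving": [c.name for c in surviving],
            "rpo_hours": rpo_hours, "findings": findings}


NOW = datetime(2024, 3, 4, 6, 0)  # constructed "time of attack"


def constructed_inventory() -> dict[str, list[BackupCopy]]:
    """Constructed sample data, not a real site."""
    nightly = NOW - timedelta(hours=6)
    return {
        # Both copies are online disk; the DR replica faithfully mirrors the damage.
        "Active Directory system state": [
            BackupCopy("Onsite backup appliance", "disk", False, True, False, nightly),
            BackupCopy("DR-site replica", "disk", True, True, False, nightly),
        ],
        # The weekly tape is offline, so it is the only copy the attacker cannot touch.
        "Accounting/MRP database": [
            BackupCopy("Onsite backup appliance", "disk", False, True, False, nightly),
            BackupCopy("DR-site replica", "disk", True, True, False, nightly),
            BackupCopy("Weekly tape in vault", "tape", True, False, False,
                       NOW - timedelta(hours=96)),
        ],
        # A retention lock keeps the cloud copy intact even though it is online.
        "Exchange mailbox databases": [
            BackupCopy("Onsite backup appliance", "disk", False, True, False, nightly),
            BackupCopy("DR-site replica", "disk", True, True, False, nightly),
            BackupCopy("Cloud object store with retention lock", "object", True, True, True,
                       NOW - timedelta(hours=20)),
        ],
    }


def run_assessment(now: datetime = NOW) -> list[dict]:
    return [assess(name, copies, now) for name, copies in constructed_inventory().items()]


if __name__ == "__main__":
    for result in run_assessment():
        print(result)
```

Run stand-alone, the script reports that the Active Directory system state has no surviving copy at all, that the accounting/MRP data is recoverable only from the four-day-old tape, and that the Exchange data is recoverable from the locked cloud copy with a 20-hour recovery point. The useful output is the first case: a dataset with an off-site replica still fails the check, because off-site is not the same as out of reach.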
Recovering applications and data after a ransomware intrusion is a race against time as the targeted business works to contain and remove the malware and to restore business-critical activity. Because ransomware takes time to spread, attacks are often triggered on weekends and at night, when the intrusion typically goes undetected for longer. This compounds the difficulty of rapidly assembling and orchestrating a qualified response team.
Progent offers an assortment of support services for securing Jersey City organizations against crypto-ransomware attacks. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security gateways that use machine-learning detection to quickly discover and block zero-day threats. Progent can also provide experienced ransomware recovery consultants with the skill and perseverance to restore a compromised network as quickly as possible.
Progent's Ransomware Restoration Help
Following a crypto-ransomware event, paying the ransom in cryptocurrency provides no assurance that the criminal gang will hand over working keys to decrypt all your files. Kaspersky found that 17% of crypto-ransomware victims never recovered their data after paying, compounding their losses. The ransom itself is also very costly: Ryuk demands have commonly ranged from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the average demand, which ZDNet put at around $13,000 for smaller organizations. The other path is to rebuild the essential elements of your IT environment. Without complete and uncompromised backups, this requires a wide complement of IT skills, professional project management, and the ability to work around the clock until the job is finished.
For twenty years, Progent has provided expert IT services to businesses throughout the US and has earned Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who hold advanced industry certifications in key technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity experts hold internationally recognized certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of expertise gives Progent the skills to rapidly identify the systems that matter most, reorganize the surviving components of your network after a ransomware event, and configure them into a working environment.
Progent's recovery team uses best-of-breed project management systems to orchestrate the complicated recovery process. Progent understands the importance of working quickly and together with a customer's management and IT staff to prioritize tasks and to put essential systems back online as fast as possible.
Client Case Study: A Successful Crypto-Ransomware Incident Response
A client engaged Progent after its network was taken over by the Ryuk crypto-ransomware. Ryuk was initially attributed by some researchers to North Korean state-sponsored actors because of code it shares with the earlier Hermes ransomware, but later analysis attributes it to a Russian-speaking criminal group. Ryuk targets specific businesses with limited ability to sustain disruption and is among the most profitable incarnations of crypto-ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a manufacturing company in the Chicago metro area with around 500 employees. The Ryuk event had shut down all essential business operations and manufacturing processes. Most of the client's backups had been online at the time of the attack and were encrypted along with the production data. The client was preparing to pay the ransom demand (in excess of $200,000) and hope for the best, but instead called Progent.
"I can't thank you enough for the care Progent gave us during the most stressful period of (our) company's survival. We would have paid the hackers behind this attack except for the confidence the Progent team provided us. The fact that you could get our e-mail and production applications back into operation in less than a week was incredible. Every single expert I got help from or messaged at Progent was absolutely committed to getting us back online and was working all day and night on our behalf."
Progent worked together with the customer to quickly assess and prioritize the critical elements that had to be addressed in order to continue business operations:
- Windows Active Directory
- Exchange Server
- Accounting and Manufacturing Software
To start, Progent followed industry best practices for ransomware incident mitigation by stopping lateral movement and cleaning up compromised systems. Progent then began restoring Microsoft Active Directory, the heart of an enterprise environment built on Microsoft technology. Exchange e-mail will not function without Active Directory, and the client's MRP applications relied on Microsoft SQL Server, which in this environment depended on Active Directory (Windows authentication) for access to the databases.
Within two days, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then began the setup and storage recovery of essential systems. All Microsoft Exchange Server data and configuration information were usable, which simplified the Exchange rebuild. Progent located intact OST files (Outlook Offline Data Files) on various desktop computers and used them to recover mail messages. A recent offline backup of the client's accounting/MRP software, which the attackers had been unable to reach, made it possible to bring these essential services back to users. Although major work remained to recover fully from the Ryuk attack, critical systems were returned to operation rapidly:
"For the most part, the manufacturing operation was never shut down and we did not miss any customer orders."
Over the following couple of weeks, important milestones in the recovery were reached through close collaboration between Progent engineers and the customer:
- Internal web applications were returned to operation without losing any information.
- The MailStore e-mail archive server, holding over 4 million archived messages, was brought up and made available to users.
- CRM/Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory functions were 100% restored.
- A new Palo Alto Networks PA-850 firewall was installed.
- Nearly all user desktops were back in service with staff.
"A lot of what transpired during the initial response is mostly a haze for me, but we will not soon forget the care each of the team put in to help get our company back. I have trusted Progent for the past ten years, possibly more, and each time I needed help Progent has come through and delivered as promised. This event was the most impressive ever."
A probable business disaster was averted by hard-working professionals, a broad array of technical expertise, and tight collaboration. In hindsight, the crypto-ransomware attack described here should have been blocked by up-to-date security technology, adherence to the NIST Cybersecurity Framework or ISO/IEC 27001, user and IT administrator education, and sound procedures for keeping backups offline or immutable and for applying software patches. Nevertheless, state-sponsored and criminal attackers operating from Russia, China and elsewhere are tireless and remain an ongoing threat. If you are hit by a crypto-ransomware intrusion, you can be confident that Progent's roster of professionals has substantial experience in ransomware defense, mitigation, and disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were involved), thank you for allowing me to get rested after we got through the initial fire. Everyone made an amazing effort, and if any of your team is around the Chicago area, dinner is the least I can do!"
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this customer story, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)