Ransomware : Your Crippling IT Nightmare
Ransomware has become an escalating cyber pandemic that represents an existential danger for organizations poorly prepared for an attack. Versions of crypto-ransomware like the Reveton, WannaCry, Locky, SamSam and MongoLock cryptoworms have been replicating for many years and continue to cause harm. More recent variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Nephilim, as well as daily unnamed newcomers, not only encrypt online data but also defeat most of the system protections in place. Data synced to off-site disaster recovery sites can also be rendered useless. In a poorly architected data protection solution, this can make automatic restoration hopeless and effectively sets the datacenter back to square one.
Getting programs and data back online after a ransomware outage becomes a race against time as the victim struggles to contain the damage, eradicate the ransomware, and resume mission-critical operations. Since crypto-ransomware needs time to replicate, attacks are often sprung on weekends, when they typically take longer to detect. This multiplies the difficulty of rapidly marshalling and organizing a knowledgeable mitigation team.
Progent provides an assortment of services for protecting Jersey City enterprises from ransomware attacks. These include user training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of the latest generation of security appliances with artificial intelligence technology to quickly detect and quarantine zero-day cyber attacks. Progent also offers the services of seasoned ransomware recovery consultants with the track record and commitment to rebuild a compromised system as urgently as possible.
Progent's Ransomware Restoration Services
After a crypto-ransomware event, sending the ransom in cryptocurrency does not guarantee that the cyber criminals will respond with the keys needed to decrypt any or all of your data. Kaspersky found that 17% of ransomware victims never restored their data even after paying the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET estimated at around $13,000 for smaller organizations. The fallback is to rebuild the key parts of your Information Technology environment from scratch. Without access to full data backups, this calls for a wide range of IT skills, well-coordinated project management, and the capability to work non-stop until the job is finished.
For twenty years, Progent has provided professional Information Technology services for businesses across the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have earned top industry certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have earned internationally renowned industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise in accounting and ERP applications. This breadth of expertise gives Progent the ability to identify critical systems, salvage the remaining components of your network following a crypto-ransomware attack, and rebuild them into an operational system.
Progent's ransomware team has top-notch project management tools to orchestrate the complex recovery process. Progent understands the urgency of acting swiftly and working together with a client's management and IT team members to prioritize tasks and put the most important services back online as soon as humanly possible.
Customer Story: A Successful Ransomware Intrusion Restoration
A customer hired Progent after their network was brought down by Ryuk ransomware. Ryuk is thought to have been developed by North Korean state-sponsored hackers, suspected of adopting algorithms leaked from the United States National Security Agency. Ryuk targets specific companies with limited tolerance for disruption and is one of the most profitable incarnations of crypto-ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing company based in Chicago with around 500 workers. The Ryuk penetration had shut down all business operations and manufacturing capabilities. Most of the client's backups had been directly accessible at the beginning of the intrusion and were eventually encrypted. The client was taking steps to pay the ransom demand (more than $200,000) and hoping for the best, but ultimately engaged Progent.
"I cannot say enough about the care Progent gave us throughout the most stressful time of (our) business's life. We most likely would have paid the hackers behind this attack except for the confidence the Progent group afforded us. That you could get our e-mail and essential applications back online in less than five days was incredible. Every single person I worked with or e-mailed at Progent was amazingly focused on getting our system up and was working at all hours to bail us out."
Progent worked with the customer to rapidly identify and prioritize the most important applications that had to be addressed to make it possible to restart company functions:
- Windows Active Directory
- Electronic Mail
- MRP System
To start, Progent followed industry best practices for AV/malware incident response by halting the spread and performing malware removal steps. Progent then began the work of rebuilding Active Directory, the key technology of enterprise systems built on Microsoft Windows Server. Exchange messaging will not work without Windows AD, and the business's accounting and MRP system used Microsoft SQL Server, which needs Windows AD for authentication to the data.
In less than two days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then carried out server setup and disk recovery on critical systems. All Microsoft Exchange Server data and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to find non-encrypted OST files (Outlook Offline Data Files) on staff desktop computers and laptops and use them to recover email messages. A recent offline backup of the business's accounting/ERP systems made it possible to bring these essential services back online. Although substantial work remained to recover fully from the Ryuk event, the most important services were returned to operation rapidly:
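The OST-recovery step above depends on quickly telling which cached Outlook files on workstations survived untouched. The script below is an added example (not Progent's code) of one way to triage them: every Outlook .pst/.ost file begins with the 4-byte signature `!BDN`, and a file encrypted in place no longer carries it. The sample profile tree is constructed inline so the script runs offline; on a real estate you would point `triage_ost_files` at the user-profile share instead.

```python
"""Triage Outlook offline data files (.ost) after a ransomware incident.

Added example, not code from the original page. A healthy Outlook
.pst/.ost file starts with the magic bytes "!BDN"; a copy that was
encrypted in place does not, so the header is a cheap first filter
before attempting to open any file in Outlook or an OST viewer.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, List

OST_MAGIC = b"!BDN"  # header signature shared by Outlook .pst and .ost files


def classify_ost(path) -> str:
    """Return 'intact' if the file carries the OST magic header, 'suspect' if not,
    and 'unreadable' if the file could not be opened (locked, ACL denied, ...)."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(OST_MAGIC))
    except OSError:
        return "unreadable"
    return "intact" if head == OST_MAGIC else "suspect"


def triage_ost_files(root) -> Dict[str, List[str]]:
    """Walk a profile tree and group every .ost file by recoverability.

    Note: some ransomware families rename files by appending an extension;
    widen the suffix test below if the estate shows renamed files.
    """
    report: Dict[str, List[str]] = {"intact": [], "suspect": [], "unreadable": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".ost"):
                full = os.path.join(dirpath, name)
                report[classify_ost(full)].append(full)
    return report


def build_sample_tree() -> Path:
    """Constructed sample data (hypothetical users): one healthy OST header and
    one file whose contents look nothing like an OST, standing in for an
    encrypted copy."""
    root = Path(tempfile.mkdtemp(prefix="ost_triage_"))
    good = root / "user1" / "Outlook" / "user1@example.com.ost"
    bad = root / "user2" / "Outlook" / "user2@example.com.ost"
    for p in (good, bad):
        p.parent.mkdir(parents=True, exist_ok=True)
    good.write_bytes(OST_MAGIC + b"\x00" * 508)
    bad.write_bytes(b"\xde\xad\xbe\xef" + b"\x00" * 508)  # no OST signature
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for bucket, paths in triage_ost_files(sample_root).items():
        print(f"{bucket}: {len(paths)} file(s)")
        for p in paths:
            print("   ", p)
```

The header check only proves a file was not overwritten; a file in the `intact` bucket should still be copied to clean storage before anyone opens it, since Outlook rewrites an OST it attaches to.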
"For the most part, the production manufacturing operation ran fairly normal throughout and we delivered all customer orders."
Over the following month critical milestones in the recovery project were achieved in tight collaboration between Progent engineers and the customer:
- In-house web sites were restored with no loss of information.
- The MailStore archive server for Microsoft Exchange, containing more than 4 million archived messages, was brought back up and made available to users.
- CRM/Customer Orders/Invoices/AP/Accounts Receivables (AR)/Inventory Control capabilities were completely recovered.
- A new Palo Alto 850 security appliance was installed and configured.
- Ninety percent of the desktop computers were fully operational.
"A huge amount of what happened during the initial response is nearly entirely a blur for me, but my management will not soon forget the commitment each and every one of the team put in to give us our business back. I've been working with Progent for the past 10 years, possibly more, and each time Progent has impressed me and delivered. This time was the most impressive ever."
A likely business-ending disaster was averted thanks to hard-working professionals, a wide range of subject matter expertise, and tight collaboration. Although forensic analysis showed that the ransomware attack described here could have been stopped with up-to-date security technology, NIST Cybersecurity Framework best practices, user education, and well-designed procedures for information protection and software patching, the fact is that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and remain an ongoing threat. If you do get hit by a crypto-ransomware incursion, remember that Progent's roster of professionals has substantial experience in crypto-ransomware defense, mitigation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were involved), thank you for letting me get rested after we got through the initial fire. Everyone did an amazing effort, and if any of your team is in the Chicago area, a great meal is the least I can do!"
Download the Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this customer case study, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)