Ransomware : Your Worst IT Nightmare
Ransomware has become an all-too-frequent cyber pandemic that presents an enterprise-level danger to any organization vulnerable to attack. Multiple generations of crypto-ransomware such as the CrySIS, Fusob, Locky, SamSam and MongoLock cryptoworms have been around for years and still cause damage. More recent crypto-ransomware families such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Egregor, along with additional as-yet-unnamed malware, not only encrypt on-line data but also corrupt any system backups they can reach. Files replicated to off-site disaster recovery sites can be ransomed as well. In a poorly architected environment, this renders automated recovery useless and effectively sets the datacenter back to square one.
Recovering applications and data after a ransomware event becomes a race against the clock as the targeted business fights to contain and eradicate the malware and to resume business-critical operations. Because crypto-ransomware needs time to replicate, attacks are often launched on weekends and holidays, when a successful intrusion is likely to take longer to identify. This multiplies the difficulty of promptly mobilizing and organizing a qualified response team.
Progent offers a variety of services for protecting Liverpool enterprises from ransomware events. Among these are staff education on recognizing and avoiding phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and the installation of modern security solutions with AI capabilities that detect and quarantine zero-day threats. Progent can in addition provide expert ransomware recovery professionals with the skills and perseverance to restore a breached system as quickly as possible.
Progent's Crypto-Ransomware Recovery Help
After a ransomware penetration, paying the ransom demand in cryptocurrency provides no assurance that merciless criminals will respond with the keys to decrypt all your data. Kaspersky Labs estimated that 17% of ransomware victims never recovered their data even after paying the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET estimated to be around $13,000 for smaller organizations. The alternative is to rebuild the key elements of your Information Technology environment from scratch. Without full data backups, this requires a broad complement of skill sets, top-notch team management, and the capability to work 24x7 until the job is complete.
For two decades, Progent has provided expert Information Technology services to companies throughout the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who hold advanced industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have earned internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications.) Progent also has expertise with financial management and ERP applications. This breadth of expertise gives Progent the skills to quickly understand important systems, reintegrate the surviving components of your network following a crypto-ransomware attack, and configure them into a functioning whole.
Progent's security group uses top-notch project management tools to coordinate the complex restoration process. Progent understands the importance of acting quickly, working together with a client's management and IT staff to prioritize tasks and get key systems back on line as soon as possible.
Customer Case Study: A Successful Ransomware Virus Recovery
A customer contacted Progent after their network was brought down by the Ryuk ransomware virus. Ryuk is generally considered to have been launched by North Korean state hackers, suspected of adopting techniques leaked from the United States National Security Agency. Ryuk targets specific companies with little ability to sustain operational disruption and is among the most lucrative incarnations of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer headquartered in the Chicago metro area with about 500 staff members. The Ryuk attack had brought down all company operations and manufacturing capabilities. Most of the client's backups had been directly accessible from the network at the start of the attack and were destroyed. The client was considering paying the ransom demand (more than $200K) and hoping for the best, but in the end called Progent.
"I can't thank you enough in regards to the care Progent provided us throughout the most critical period of (our) company's survival. We would have paid the cyber criminals if not for the confidence the Progent experts provided us. The fact that you could get our e-mail system and important servers back quicker than five days was earth shattering. Every single consultant I spoke to or communicated with at Progent was totally committed to getting us back online and was working 24 by 7 on our behalf."
Progent worked hand in hand with the customer to rapidly identify and prioritize the essential applications that had to be addressed to make it possible to restart business functions:
- Active Directory (AD)
- Electronic Messaging
- MRP System
To begin, Progent followed anti-virus incident response best practices by halting lateral movement and performing malware removal steps. Progent then set to work bringing Active Directory back online, since it is the heart of enterprise systems built on Microsoft technology. Exchange email will not work without Windows AD, and the business's MRP system relied on Microsoft SQL Server, which depends on Windows AD for access to the database.
In less than two days, Progent was able to restore Active Directory to its pre-penetration state. Progent then performed reinstallations and hard drive recovery on mission-critical servers. All Exchange Server data and configuration information were intact, which accelerated the restoration of Exchange. Progent was also able to gather intact OST files (Outlook Offline Data Files) from staff workstations and laptops to recover email messages. A recent off-line backup of the customer's manufacturing systems made it possible to return these vital applications to users. Although a great deal of work remained to recover completely from the Ryuk virus, critical services were restored quickly:
"For the most part, the assembly line operation did not miss a beat and we produced all customer deliverables."
Over the following couple of weeks, critical milestones in the restoration process were completed in close cooperation between Progent consultants and the client:
- Internal web applications were brought back up with no loss of information.
- The MailStore Exchange Server with over 4 million historical messages was restored to operations and available for users.
- CRM/Orders/Invoicing/AP/AR/Inventory capabilities were fully recovered.
- A new Palo Alto 850 security appliance was brought online.
- Most of the user desktops and notebooks were operational.
"A lot of what was accomplished in the initial days is nearly entirely a blur for me, but I will not forget the countless hours each and every one of the team put in to help get our business back. I've entrusted Progent for the past 10 years, maybe more, and each time Progent has shined and delivered as promised. This event was no exception but maybe more Herculean."
A potential company-ending catastrophe was averted through the efforts of results-oriented experts, a wide spectrum of technical expertise, and close teamwork. In the post mortem, the ransomware attack described here could have been identified and stopped by advanced security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and well-thought-out incident response procedures covering backups and timely security patching. Even so, the fact remains that state-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and an ongoing threat. If you do get hit by a crypto-ransomware penetration, be confident that Progent's team of experts has substantial experience in ransomware blocking, removal, and information systems recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), I'm grateful for making it so I could get some sleep after we got past the initial push. Everyone did an amazing job, and if anyone that helped is around the Chicago area, a great meal is on me!"
Download the Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)