Ransomware: Your Feared IT Disaster
Crypto-ransomware has become a modern cyber pandemic that presents an extinction-level threat for businesses poorly prepared for an attack. Different crypto-ransomware families such as CryptoLocker, CryptoWall, Bad Rabbit, SamSam and the MongoLock cryptoworms have been circulating for years and continue to cause harm. More recent strains such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Nephilim, along with others not yet named, not only encrypt online data but also seek out and encrypt every backup reachable from the network. Data synchronized to off-site disaster recovery sites can be encrypted as well. In a poorly architected environment this can make any restore operation hopeless and effectively knock the entire system back to zero.
Restoring applications and data after a ransomware intrusion becomes a sprint against the clock as the targeted organization tries to contain and eradicate the ransomware while restoring mission-critical activity. Because ransomware needs time to spread, attacks are often triggered on weekends and holidays, when they typically take longer to recognize. This multiplies the difficulty of quickly mobilizing and coordinating a qualified response team.
Progent provides an assortment of services for protecting Thousand Oaks businesses from ransomware penetrations. These include staff education to help employees recognize and avoid phishing exploits, and ProSight Active Security Monitoring, an endpoint detection and response service that uses SentinelOne's behavior-based threat defense to identify and contain zero-day malware attacks. Progent also offers the services of expert ransomware recovery consultants with the skills and commitment to restore a compromised system as quickly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware attack, paying the ransom in Bitcoin provides no assurance that the criminals will deliver the keys needed to decrypt all your files. Kaspersky Labs found that 17% of ransomware victims never recovered their files even after paying the ransom, compounding their losses. The ransom itself is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than typical ransomware demands, which ZDNET estimated at around $13,000 for small businesses. The other path is to rebuild the vital components of your IT environment. Without access to essential data backups, this requires a broad range of skills, top-notch team management, and the capacity to work non-stop until the job is finished.
For decades, Progent has provided expert IT services to companies throughout the United States and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals holding advanced industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have earned internationally recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial management and ERP software. This breadth of expertise gives Progent the skills to rapidly understand critical systems, identify the surviving parts of your network after a crypto-ransomware attack, and assemble them into an operational system.
Progent's ransomware team utilizes state-of-the-art project management systems to coordinate the complicated recovery process. Progent understands the urgency of working swiftly and in concert with a client's management and Information Technology team members to prioritize tasks and to put critical services back on line as soon as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Penetration Response
A client contacted Progent after their network was attacked by Ryuk crypto-ransomware. Ryuk is thought to have been deployed by North Korean state-sponsored hackers, possibly using technology leaked from the U.S. National Security Agency. Ryuk targets specific companies with little or no ability to sustain disruption and is one of the most profitable ransomware strains. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company in the Chicago metro area with about 500 staff members. The Ryuk incident had disabled all essential operations and manufacturing capabilities. Most of the client's backups had been directly accessible from the network when the intrusion began and were encrypted along with everything else. The client was actively seeking loans to pay the ransom demand (in excess of $200,000) and hoping for the best, but ultimately brought in Progent.
"I can't tell you enough about the expertise Progent gave us throughout the most critical time of (our) business's existence. We most likely would have paid the hackers behind this attack if it wasn't for the confidence the Progent experts gave us. That you were able to get our e-mail and critical applications back on-line quicker than five days was incredible. Each consultant I got help from or communicated with at Progent was laser focused on getting us back on-line and was working at all hours on our behalf."
Progent worked hand in hand with the customer to rapidly understand and prioritize the essential systems that had to be recovered in order to resume departmental operations:
- Windows Active Directory
- Accounting and Manufacturing Software
To begin, Progent followed ransomware incident response best practices by stopping the spread and cleaning up infected systems. Progent then started rebuilding Microsoft Active Directory, the heart of enterprise environments built on Microsoft Windows. Exchange messaging will not operate without Active Directory, and the customer's accounting and MRP software ran on Microsoft SQL Server, which relies on Active Directory for authentication and authorization to the data.
Within 48 hours, Progent had rebuilt Active Directory to its pre-attack state. Progent then rebuilt and recovered storage for the required applications. All Exchange Server schema extensions and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to locate unencrypted OST files (Outlook offline data files) on staff workstations and recover mail messages from them. A fairly recent offline backup of the client's accounting software made it possible to bring these essential services back to users. Although a lot of work remained to recover fully from the Ryuk attack, essential systems were restored rapidly:
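The recovery sequence above (Active Directory first, then the Exchange and SQL Server workloads that authenticate against it, then the accounting and MRP applications on top of SQL Server) is a dependency problem: a service can only be restored once everything it depends on is back. The following Python script is an added example, not Progent's tooling or anything from the case study, that turns a constructed service inventory into a tiered restore plan and flags services whose only backup was reachable from the compromised domain (and so, as in this incident, must be presumed encrypted). The service names, dependency edges and backup types are assumptions modelled loosely on the systems named in the text.

```python
"""Tiered restore planner for a ransomware rebuild (illustrative, not a vendor tool)."""

# Backup source categories. A backup that was online and reachable from the
# compromised domain is treated as lost, since modern ransomware encrypts it too.
ONLINE = "online"              # reachable from the network: assume encrypted
OFFLINE = "offline"            # detached, immutable or air-gapped copy: usable
REBUILD = "rebuild"            # no restore needed, rebuilt from scratch (e.g. a new AD)
CLIENT_CACHE = "client_cache"  # unencrypted client-side copy, e.g. Outlook OST files
USABLE = {OFFLINE, REBUILD, CLIENT_CACHE}

# Constructed inventory (hypothetical names; dependency edges are assumptions).
SERVICES = {
    "active_directory": {"depends_on": [], "backup": REBUILD, "critical": True},
    "exchange": {"depends_on": ["active_directory"], "backup": CLIENT_CACHE, "critical": True},
    "sql_server": {"depends_on": ["active_directory"], "backup": OFFLINE, "critical": True},
    "accounting_mrp": {"depends_on": ["sql_server"], "backup": OFFLINE, "critical": True},
    "web_sites": {"depends_on": [], "backup": OFFLINE, "critical": False},
    # Only an online backup existed: this one will be flagged as a gap.
    "reporting_portal": {"depends_on": ["sql_server"], "backup": ONLINE, "critical": False},
}


def restore_tiers(services):
    """Group services into tiers: every service in tier N has all of its
    dependencies in tiers < N. Within a tier, critical services come first.
    Raises ValueError on an unknown dependency or a dependency cycle."""
    for name, svc in services.items():
        for dep in svc["depends_on"]:
            if dep not in services:
                raise ValueError(f"{name} depends on unknown service {dep}")
    remaining = dict(services)
    done = set()
    tiers = []
    while remaining:
        # Kahn-style step: everything whose dependencies are already restored.
        ready = sorted(
            (n for n, s in remaining.items() if set(s["depends_on"]) <= done),
            key=lambda n: (not remaining[n]["critical"], n),
        )
        if not ready:
            raise ValueError(f"dependency cycle among: {sorted(remaining)}")
        tiers.append(ready)
        done.update(ready)
        for n in ready:
            del remaining[n]
    return tiers


def restore_order(services):
    """Flat restore sequence derived from the tiers."""
    return [n for tier in restore_tiers(services) for n in tier]


def backup_gaps(services):
    """Services with no usable (offline, rebuildable or client-cached) copy."""
    return sorted(n for n, s in services.items() if s["backup"] not in USABLE)


def blocked_by_gaps(services):
    """Services that cannot be restored as planned, either because they have
    no usable backup themselves or because a dependency is blocked."""
    gaps = set(backup_gaps(services))
    blocked = set()
    for name in restore_order(services):  # dependencies are visited first
        deps = services[name]["depends_on"]
        if name in gaps or any(d in blocked for d in deps):
            blocked.add(name)
    return sorted(blocked)


if __name__ == "__main__":
    for i, tier in enumerate(restore_tiers(SERVICES)):
        print(f"tier {i}: {', '.join(tier)}")
    print("backup gaps:", backup_gaps(SERVICES))
    print("blocked:", blocked_by_gaps(SERVICES))
```

The planner deliberately treats an online backup as unusable rather than "probably fine": the case study's lesson is that anything reachable from the domain at the time of the intrusion should be assumed encrypted until proven otherwise, so a gap report like this belongs in the first hour of the response, before anyone starts restoring.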
"For the most part, the production line operation showed little impact and we did not miss any customer shipments."
Over the following month, the remaining milestones in the recovery project were reached through close collaboration between Progent consultants and the customer:
- Self-hosted web sites were brought back up with no loss of data.
- The MailStore Microsoft Exchange Server with over four million historical messages was spun up and available for users.
- CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory Control modules were 100% operational.
- A new Palo Alto 850 security appliance was installed and configured.
- Nearly all of the desktop computers were functioning as before the incident.
"So much of what occurred in the initial days is mostly a blur for me, but our team will not soon forget the dedication all of the team accomplished to help get our business back. I've utilized Progent for the past 10 years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This event was a testament to your capabilities."
A likely business disaster was averted through the efforts of top-tier experts, a wide array of subject matter expertise, and tight teamwork. The post-incident forensic review concluded that the attack described here could have been detected and blocked with modern security tooling and established best practices: user education, well-designed procedures for data backup, and timely software patching. Even so, state-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware attack, remember that Progent's team has proven experience in crypto-ransomware blocking, removal, and information systems restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thanks very much for making it so I could get some sleep after we got over the initial fire. Everyone did an incredible job, and if any of your guys is around the Chicago area, dinner is the least I can do!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer case study, see Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware Recovery Consulting Services in Thousand Oaks
For ransomware cleanup services in the Thousand Oaks metro area, phone Progent at 800-462-8800 or go to Contact Progent.