Ransomware: Your Crippling IT Catastrophe
Crypto-ransomware has become an escalating cyber plague that presents an enterprise-level danger to businesses of every size that are unprepared for an assault. Versions of ransomware such as CryptoLocker, WannaCry, Locky, SamSam and MongoLock cryptoworms have been around for years and still cause havoc. More recent variants such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, as well as frequent as-yet-unnamed malware, not only encrypt online data files but also infect most configured system restore points and backups. Files replicated to the cloud can also be rendered useless. In a poorly designed system, this makes automatic restore operations useless and essentially knocks the datacenter back to square one.
Recovering programs and information following a ransomware event becomes a race against the clock as the victim fights to contain and clear the malware and to restore mission-critical operations. Because ransomware takes time to spread, attacks are often launched during nights and weekends, when successful intrusions typically take longer to notice. This compounds the difficulty of promptly mobilizing and coordinating an experienced mitigation team.
Progent offers an assortment of support services for protecting Miami Beach organizations from ransomware attacks. These include user training to help staff recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of the latest generation of AI-based security solutions that rapidly discover and suppress new cyber attacks. Progent can also provide the services of veteran crypto-ransomware recovery engineers with the skills and perseverance to rebuild a breached environment as urgently as possible.
Progent's Crypto-Ransomware Recovery Services
After a crypto-ransomware event, even paying the ransom demand in Bitcoin does not guarantee that the remote criminals will respond with the keys to decrypt any of your files. Kaspersky determined that 17% of ransomware victims never recovered their data after sending off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly above the average ransomware demand, which ZDNET estimated to be in the range of $13,000 for small businesses. The other path is to piece the key components of your IT environment back together. Without access to essential data backups, this calls for a broad range of skill sets, professional team management, and the willingness to work non-stop until the recovery project is complete.
For twenty years, Progent has provided expert IT services to companies across the U.S. and has achieved Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who hold high-level industry certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience with financial systems and ERP software solutions. This breadth of expertise gives Progent the ability to quickly understand critical systems, integrate the surviving parts of your IT environment following a ransomware intrusion, and configure them into a functioning network.
Progent's security team has powerful project management tools to coordinate the complex recovery process. Progent appreciates the importance of acting quickly and working together with a client's management and IT staff to prioritize tasks and to get key services back online as soon as possible.
Customer Case Study: A Successful Ransomware Intrusion Restoration
A business escalated to Progent after its operations were crippled by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state-sponsored cybercriminals, suspected of using techniques leaked from the United States National Security Agency. Ryuk targets specific organizations with little tolerance for operational disruption and is among the most lucrative incarnations of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturer headquartered in the Chicago metro area with about 500 employees. The Ryuk attack had brought down all essential business operations and manufacturing processes. Most of the client's system backups had been online at the start of the intrusion and were destroyed. The client was pursuing financing to pay the ransom demand (more than two hundred thousand dollars) and hoping for good luck, but in the end turned to Progent.
"I can't say enough about the expertise Progent provided us during the most fearful time of (our) business's existence. We had little choice but to pay the cyber criminals behind the attack except for the confidence the Progent team afforded us. That you could get our messaging and critical servers back in less than 1 week was something I thought impossible. Every single expert I got help from or texted at Progent was absolutely committed to getting our system up and was working 24/7 to bail us out."
Progent worked together with the customer to quickly identify and prioritize the key applications that had to be addressed to make it possible to restart company operations:
- Windows Active Directory
- Electronic Messaging
To begin, Progent followed antivirus/malware incident mitigation best practices by halting the spread of the malware and cleaning infected systems. Progent then began the work of recovering Microsoft Active Directory (AD), the core of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange email will not work without AD, and the client's financial and MRP applications ran on Microsoft SQL Server, which depends on Active Directory to authenticate access to the data.
Within 2 days, Progent was able to restore Active Directory to its pre-intrusion state. Progent then carried out reinstallations and storage recovery of mission-critical applications. All Exchange data and configuration information were usable, which accelerated the restoration of Exchange. Progent was able to collect non-encrypted OST files (Outlook Offline Folder Files) from staff desktop computers in order to recover email data. A recent offline backup of the client's manufacturing systems made it possible to bring these essential applications back to users. Although a large amount of work remained to recover completely from the Ryuk attack, core systems were recovered rapidly:
"For the most part, the manufacturing operation showed little impact and we made all customer orders."
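The OST collection step mentioned above (harvesting unencrypted Outlook offline files from workstations to rebuild mailbox data) is the kind of task a recovery team scripts rather than performs by hand. The following PowerShell is an added example written for this page, not Progent's own tooling or anything taken from the engagement; the recovery share name, the profile root and the manifest layout are assumptions. It inventories OST files under user profiles, checks each file's leading bytes for the "!BDN" signature that intact PST/OST files carry (a file encrypted in place by ransomware will not have it), copies only intact files to a per-workstation folder on the recovery share, and records a SHA-256 manifest so the collected evidence can be verified later.

```powershell
# Added example: collect intact Outlook OST files from a workstation for mail recovery.
# $Destination and $ProfileRoot are assumed values; adjust for the environment.
param(
    [string]$Destination = '\\RECOVERY-SRV\ost-collect',   # assumed recovery share
    [string]$ProfileRoot = 'C:\Users'                       # assumed profile root
)

$computer = $env:COMPUTERNAME
$target   = Join-Path $Destination $computer
New-Item -ItemType Directory -Path $target -Force | Out-Null
$manifest = Join-Path $target 'manifest.csv'

# PST/OST files begin with the 4-byte ASCII signature "!BDN". A file whose contents
# were overwritten by ransomware will fail this check even if it kept its .ost name.
function Test-OstSignature {
    param([string]$Path)
    $bytes = New-Object byte[] 4
    # Open with FileShare ReadWrite so the header can be read even if Outlook holds the file.
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try { $n = $fs.Read($bytes, 0, 4) } finally { $fs.Close() }
    return ($n -eq 4 -and [System.Text.Encoding]::ASCII.GetString($bytes) -eq '!BDN')
}

$rows = foreach ($f in Get-ChildItem -Path $ProfileRoot -Recurse -Filter '*.ost' -File -Force -ErrorAction SilentlyContinue) {
    $intact = $false
    try { $intact = Test-OstSignature -Path $f.FullName } catch { $intact = $false }
    $status = 'skipped-bad-signature'
    $hash   = ''
    if ($intact) {
        # Flatten the source directory into the file name so profiles do not collide.
        $flatDir = ($f.Directory.FullName -replace '[:\\]', '_')
        $dest    = Join-Path $target ("{0}_{1}" -f $flatDir, $f.Name)
        try {
            Copy-Item -Path $f.FullName -Destination $dest -Force -ErrorAction Stop
            $hash   = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
            $status = 'copied'
        } catch {
            $status = "copy-failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        Computer  = $computer
        Source    = $f.FullName
        SizeBytes = $f.Length
        LastWrite = $f.LastWriteTimeUtc.ToString('o')
        SHA256    = $hash
        Status    = $status
    }
}

$rows | Export-Csv -Path $manifest -NoTypeInformation -Append
$rows | Format-Table -AutoSize
```

Run it on each workstation with Outlook closed so the copy is not blocked by a file lock; the header check still works on a locked file, but Copy-Item may not. The manifest's LastWrite column is worth reviewing: an OST last written after the intrusion began may contain less data than one whose cached mailbox predates the encryption event, and the hash lets the team prove the collected file was not altered afterward.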
Over the next couple of weeks, important milestones in the recovery process were reached through tight cooperation between Progent team members and the client:
- Internal web sites were brought back up with no loss of information.
- The MailStore Exchange Server archive containing more than four million messages was spun up and made available to users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/AR/Inventory functions were 100% recovered.
- A new Palo Alto 850 firewall was installed and configured.
- Nearly all of the desktops and laptops were operational.
"So much of what occurred in the early hours is mostly a haze for me, but we will not forget the care each and every one of you accomplished to give us our business back. I have entrusted Progent for the past ten years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered. This situation was a Herculean accomplishment."
A potential business catastrophe was averted through the efforts of top-tier experts, a wide range of IT skills, and tight collaboration. In hindsight, the crypto-ransomware attack described here could have been detected and blocked with current security technology and NIST Cybersecurity Framework best practices, user and IT administrator training, and properly executed procedures for backups and patching. Nonetheless, state-sponsored hackers from Russia, North Korea and elsewhere are tireless and remain an ongoing threat. If you do fall victim to a crypto-ransomware incident, you can be confident that Progent's team of experts has a proven track record in ransomware defense, cleanup, and file restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), I'm grateful for making it so I could get some sleep after we got over the initial push. Everyone did an impressive job, and if any of your team is around the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this case study, see Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Restoration Consulting Services in Miami Beach
For ransomware system restoration consulting services in the Miami Beach area, call Progent at 800-462-8800 or visit Contact Progent.