Ransomware: Your Worst Information Technology Disaster
Crypto-ransomware has become a modern cyberplague that represents an existential threat for organizations poorly prepared for an attack. Versions of crypto-ransomware such as CrySIS, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been out in the wild for many years and still cause damage. Newer variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, as well as additional as yet unnamed newcomers, not only encrypt online data but also infiltrate all configured system backups. Data replicated to the cloud can also be ransomed. In a vulnerable system, this can render automated recovery impossible and effectively sets the network back to square one.
Recovering applications and information following a crypto-ransomware outage becomes a race against the clock as the targeted business struggles to contain and remove the crypto-ransomware and to restore mission-critical operations. Because crypto-ransomware requires time to move laterally, penetrations are usually launched on weekends and holidays, when they are likely to take longer to uncover. This multiplies the difficulty of promptly marshalling and coordinating a knowledgeable response team.
Progent provides a range of support services for protecting Miami Beach enterprises from ransomware events. These include team training to help staff recognize and avoid phishing attempts, and ProSight Active Security Monitoring for endpoint detection and response, which uses SentinelOne's AI-based cyberthreat defense to identify and suppress zero-day modern malware assaults. Progent in addition provides the assistance of experienced ransomware recovery professionals with the track record and commitment to reconstruct a breached system as urgently as possible.
Progent's Crypto-Ransomware Recovery Support Services
After a ransomware penetration, even paying the ransom demanded in Bitcoin cryptocurrency does not ensure that the criminal gangs will respond with the codes to decipher any of your files. Kaspersky determined that 17% of ransomware victims never recovered their information after having paid the ransom, resulting in increased losses. Paying is also costly in itself. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the average ransomware demand, which ZDNET determined to be around $13,000 for smaller organizations. The alternative is to re-install the mission-critical elements of your Information Technology environment. Without access to full system backups, this requires a broad complement of skills, top-notch project management, and the capability to work continuously until the task is completed.
For twenty years, Progent has provided expert IT services for businesses across the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have earned advanced industry certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience with financial management and ERP software solutions. This breadth of expertise gives Progent the ability to quickly identify the necessary systems, re-organize the remaining components of your network after a ransomware event, and configure them into a functioning system.
Progent's security group utilizes state-of-the-art project management systems to orchestrate the complex recovery process. Progent knows the importance of acting swiftly and in concert with a client's management and IT staff to prioritize tasks and to put critical applications back on-line as fast as possible.
Client Case Study: A Successful Ransomware Intrusion Restoration
A customer escalated to Progent after their network was brought down by Ryuk ransomware. Ryuk is believed to have been developed by North Korean state cybercriminals, possibly using technology leaked from the United States National Security Agency. Ryuk seeks out specific businesses with little or no tolerance for disruption and is one of the most profitable iterations of ransomware viruses. Headline targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company located in Chicago with around 500 staff members. The Ryuk event had frozen all essential operations and manufacturing capabilities. Most of the client's backups had been directly accessible online at the beginning of the intrusion and were destroyed. The client was pursuing financing to pay the ransom (exceeding $200,000) and hoping for the best, but in the end made the decision to use Progent.
"I cannot thank you enough for the support Progent gave us throughout the most critical time of (our) company's life. We would have paid the cyber criminals if it wasn't for the confidence the Progent group provided us. That you could get our messaging and key applications back sooner than five days was beyond my wildest dreams. Every single expert I interacted with or e-mailed at Progent was urgently focused on getting my company operational and was working all day and night to bail us out."
Progent worked together with the client to quickly assess and prioritize the critical services that had to be addressed to make it possible to continue business functions:
- Microsoft Active Directory
- Exchange Server
To begin, Progent followed ransomware incident mitigation industry best practices by halting the spread and cleaning systems of malware. Progent then initiated the work of rebuilding Microsoft Active Directory, the core of enterprise networks built upon Microsoft Windows technology. Microsoft Exchange Server email will not function without Windows AD, and the client's MRP software used SQL Server, which relied on Active Directory to authenticate access to its data.
Within 48 hours, Progent was able to recover Active Directory services to their pre-attack state. Progent then initiated reinstallations and storage recovery on the needed systems. All Microsoft Exchange Server data and attributes were intact, which greatly helped the rebuild of Exchange. Progent was able to collect local OST files (Outlook Off-Line Folder Files) from staff workstations and laptops in order to recover email messages. A reasonably recent offline backup of the customer's accounting systems made it possible to bring these required programs back to users. Although a large amount of work remained to recover fully from the Ryuk event, essential services were restored rapidly:
"For the most part, the assembly line operation did not miss a beat and we produced all customer sales."
Throughout the next month critical milestones in the recovery project were achieved through tight collaboration between Progent team members and the customer:
- In-house web applications were restored without losing any data.
- The MailStore Exchange Server archive with over four million historical messages was restored to operation and made available to users.
- CRM, product ordering, invoicing, AP/AR and inventory functions were 100 percent operational.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- 90% of user desktops were back in use by staff.
"So much of what occurred in the initial days is nearly entirely a blur for me, but I will not soon forget the countless hours all of the team put in to help get our business back. I've utilized Progent for the past ten years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This event was a stunning achievement."
A probable business-ending disaster was averted through the efforts of hard-working professionals, a wide spectrum of knowledge, and close collaboration. In hindsight, the ransomware penetration described here should have been identified and disabled by modern cyber security technology and security best practices: user and IT administrator education, properly executed incident response procedures, protected information backups, and proper patching controls. The fact remains, however, that government-sponsored hackers from China, North Korea and elsewhere are tireless and are an ongoing threat. If you do fall victim to a crypto-ransomware penetration, be assured that Progent's team of professionals has extensive experience in crypto-ransomware blocking, mitigation, and file recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), I'm grateful for allowing me to get rested after we made it past the first week. All of you did an amazing job, and if anyone is around the Chicago area, a great meal is the least I can do!"
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this customer story, please click: Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware Recovery Services in Miami Beach
For ransomware system restoration consulting services in the Miami Beach area, phone Progent at 800-462-8800 or go to Contact Progent.