Crypto-Ransomware: Your Worst Information Technology Nightmare
Ransomware has become an escalating cyberplague that presents an enterprise-level threat to businesses unprepared for an attack. Older ransomware families and cryptoworms such as Reveton, CryptoWall, Bad Rabbit, SamSam and MongoLock have been around for years and still cause damage. Newer strains like Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nefilim, along with as yet unnamed newcomers, not only encrypt online data but also go after any system protection mechanisms they can reach. Data synchronized to off-site disaster recovery sites can be rendered useless as well. In a poorly designed environment this can make any restore operation impossible and effectively sets the network back to zero.
Getting applications and information back after a ransomware attack becomes a race against the clock as the targeted organization struggles to contain and remove the ransomware and to resume business-critical activity. Because ransomware needs time to move laterally, the encryption phase is frequently launched at night, when a successful attack can take longer to discover. This compounds the difficulty of quickly mobilizing and coordinating an experienced response team.
Progent provides an assortment of services for protecting Austin businesses from ransomware attacks. These include user education to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and installation of the latest generation of security solutions using artificial intelligence technology to quickly identify and extinguish zero-day threats. Progent also offers the services of experienced crypto-ransomware recovery engineers with the talent and perseverance to rebuild a breached network as quickly as possible.
Progent's Crypto-Ransomware Recovery Help
After a crypto-ransomware attack, paying the ransom in Bitcoin does not guarantee that the criminal gang will respond with the keys to decrypt all your files. Kaspersky Labs found that 17% of ransomware victims never recovered their information after sending the ransom, compounding their losses. The gamble is also very expensive. Ryuk ransoms frequently range from 15 to 40 BTC ($120,000 to $400,000). This is far higher than typical ransomware demands, which ZDNet estimated at approximately $13,000 for smaller organizations. The fallback is to reinstall the key parts of your Information Technology environment. Without access to complete data backups, this calls for a broad range of IT skills, top-notch team management, and the capability to work around the clock until the job is done.
For decades, Progent has provided expert Information Technology services for businesses across the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have earned high-level certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise with accounting and ERP application software. This breadth of experience gives Progent the skills to quickly identify the critical systems, salvage the surviving pieces of your IT environment after a ransomware attack, and assemble them into a functioning network.
Progent's recovery team uses state-of-the-art project management applications to coordinate the complex recovery process. Progent understands the importance of working quickly and in concert with a client's management and IT staff to prioritize tasks and to get key systems back online as soon as humanly possible.
Client Case Study: A Successful Ransomware Intrusion Recovery
A small business escalated to Progent after their network was taken over by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state-sponsored hackers, suspected of using algorithms leaked from the United States National Security Agency. Ryuk targets specific companies that have little tolerance for operational disruption and is among the most profitable instances of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing company located in the Chicago metro area with about 500 employees. The Ryuk event had paralyzed all company operations and manufacturing capabilities. The majority of the client's backups had been online at the start of the attack and were damaged. The client was arranging financing to pay the ransom (exceeding $200K) and hoping for the best, but in the end reached out to Progent.
"I can't thank you enough in regards to the support Progent provided us during the most stressful period of (our) company's existence. We may have had to pay the criminal gangs except for the confidence the Progent group provided us. The fact that you could get our messaging and essential servers back into operation in less than five days was amazing. Each expert I talked with or texted at Progent was hell bent on getting us restored and was working day and night to bail us out."
Progent worked together with the client to quickly assess and prioritize the essential systems that had to be restored before business functions could resume:
- Active Directory
- Microsoft Exchange Server
- MRP System
To begin, Progent followed anti-virus/malware incident-mitigation best practices by halting lateral movement and cleaning up infected systems. Progent then started restoring Active Directory, the core technology of enterprise environments built on Microsoft Windows. Exchange messaging will not function without Active Directory, and the customer's financial and MRP software relied on Microsoft SQL Server, which depends on Windows AD for authentication and authorization to the data.
Within 48 hours, Progent was able to restore Active Directory to its pre-attack state. Progent then began rebuilding critical systems and recovering their storage. All Exchange schema extensions and attributes were intact, which simplified the Exchange restore. Progent was able to find intact OST files (Outlook Offline Folder Files) on staff workstations and laptops and used them to recover mail data. A fairly recent offline backup of the business's accounting/MRP software made it possible to bring these essential services back online. Although significant work still remained to recover fully from the Ryuk event, core services were restored rapidly:
"For the most part, the production line operation never missed a beat and we delivered all customer sales."
Over the following weeks, the major milestones of the restoration project were completed through close collaboration between Progent consultants and the customer:
- Self-hosted web sites were brought back up with no loss of information.
- The MailStore archive server for Exchange, containing more than four million archived emails, was brought online and made available to users.
- CRM, customer orders, invoicing, accounts payable (AP), accounts receivable (AR) and inventory functions were fully operational.
- A new Palo Alto Networks PA-850 security appliance was brought online.
- 90% of the desktops and laptops were back in use by staff.
"Much of what happened those first few days is nearly entirely a blur for me, but our team will not forget the countless hours each and every one of you put in to give us our business back. I've been working together with Progent for the past ten years, possibly more, and every time I needed help Progent has impressed me and delivered as promised. This time was a testament to your capabilities."
A potential business-ending disaster was avoided thanks to hard-working professionals, a wide range of IT skills, and tight collaboration. In hindsight, the ransomware attack described here could have been detected and blocked with up-to-date cybersecurity systems and ISO/IEC 27001 best practices, user and IT administrator education, and well-designed incident response procedures for data protection and software patching. The reality, however, is that government-sponsored hackers from Russia, North Korea and elsewhere are relentless and remain an ongoing threat. If you do fall victim to a ransomware incursion, you can be confident that Progent's roster of experts has proven experience in ransomware defense, remediation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thank you for letting me get some sleep after we got through the initial push. All of you did an incredible effort, and if anyone that helped is around the Chicago area, a great meal is the least I can do!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)