Crypto-Ransomware: Your Crippling IT Nightmare
Ransomware has become an all-too-frequent cyber pandemic that poses an enterprise-level threat to businesses of all sizes. Multiple generations of crypto-ransomware such as Reveton, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for many years and continue to inflict damage. Newer strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, along with many unnamed variants, not only encrypt online files but also defeat most configured system protection mechanisms. Data synchronized to the cloud can be rendered useless as well. In a poorly architected environment, an attack can make restoration hopeless and effectively knock the network back to zero.
Restoring programs and data after a ransomware attack becomes a race against time as the victim fights to stop the spread, remove the ransomware, and resume business-critical activity. Because ransomware needs time to spread, attacks are frequently launched at night and on weekends, when they may take longer to detect. This compounds the difficulty of promptly mobilizing and organizing a qualified response team.
Progent provides a range of solutions for protecting Madison businesses from ransomware events. These include user education to recognize and avoid phishing scams, and ProSight Active Security Monitoring, an endpoint detection and response service that utilizes SentinelOne's behavior-based threat protection to detect and suppress zero-day malware attacks. Progent also offers the assistance of veteran ransomware recovery consultants with the skill and commitment to restore a compromised system as quickly as possible.
Progent's Ransomware Recovery Services
Following a crypto-ransomware attack, paying the ransom in cryptocurrency provides no assurance that the criminals will return the keys needed to decrypt any or all of your information. Kaspersky Labs estimated that 17% of ransomware victims never recovered their information even after paying the ransom, compounding their losses. The gamble is also expensive: Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000), far above the typical ransomware demand, which ZDNET estimated at approximately $13,000 for smaller businesses. The other path is to rebuild the mission-critical parts of your IT environment. Without full data backups, this requires a broad range of skills, well-coordinated project management, and the ability to work non-stop until the job is complete.
For two decades, Progent has offered certified expert IT services to businesses throughout the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold top industry certifications in leading technologies such as Microsoft, Cisco, VMware, and major Linux distributions. Progent's cyber security specialists hold internationally recognized certifications including CISA, CISSP, CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience with financial systems and ERP software. This breadth of expertise gives Progent the skills to quickly identify important systems, organize the remaining parts of your IT environment following a ransomware event, and rebuild them into an operational network.
Progent's recovery team has powerful project management systems to coordinate the sophisticated recovery process. Progent appreciates the urgency of working swiftly and in unison with a client's management and IT team members to prioritize tasks and to get key services back on-line as soon as possible.
Customer Case Study: A Successful Ransomware Penetration Restoration
A business hired Progent after it was brought down by the Ryuk ransomware. Ryuk is believed to have been created by North Korean state-sponsored cybercriminals, possibly using algorithms leaked from the U.S. National Security Agency (NSA). Ryuk targets specific companies with limited tolerance for disruption and is among the most lucrative ransomware families. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer located in Chicago with about 500 workers. The Ryuk intrusion had disabled all essential business operations and manufacturing capabilities. The majority of the client's data backups had been online at the time of the intrusion and were damaged. The client was preparing to pay the ransom (in excess of $200,000) and hoping for the best, but in the end turned to Progent.
"I cannot tell you enough about the help Progent gave us throughout the most stressful time of (our) business's life. We had little choice but to pay the cybercriminals if not for the confidence the Progent team provided us. That you were able to get our messaging and key servers back in less than five days was beyond my wildest dreams. Every single consultant I worked with or messaged at Progent was absolutely committed to getting our system up and was working non-stop to bail us out."
Progent worked with the client to rapidly assess and prioritize the mission-critical services that had to be recovered in order to resume business functions:
- Active Directory
- Accounting and Manufacturing Software
To begin, Progent followed industry best practices for malware incident response by halting the spread and cleaning up compromised systems. Progent then began restoring Active Directory (AD), the core technology of enterprise networks built on Microsoft Windows Server. Microsoft Exchange messaging will not work without AD, and the company's MRP system ran on Microsoft SQL Server, which depended on Windows AD to authenticate access to the data.
In less than 48 hours, Progent restored Active Directory services to their pre-attack state. Progent then rebuilt critical servers and recovered their storage. All Microsoft Exchange Server relationships and configuration information were intact, which greatly simplified the restoration of Exchange. Progent was able to locate intact OST files (Outlook Offline Folder Files) on staff workstations and laptops and used them to recover email messages. A recent offline backup of the customer's accounting systems allowed these vital applications to be brought back online for users. Although major work remained to recover fully from the Ryuk event, critical systems were restored quickly:
"For the most part, the production operation did not miss a beat and we delivered all customer orders."
Over the following month, critical milestones in the recovery project were completed in close cooperation between Progent engineers and the customer:
- Internal web applications were restored without losing any information.
- The MailStore Exchange Server with over 4 million historical messages was brought online and accessible to users.
- CRM/Product Ordering/Invoices/AP/AR/Inventory capabilities were completely restored.
- A new Palo Alto 850 security appliance was set up.
- 90% of user workstations were back in use by staff.
"So much of what occurred those first few days is nearly entirely a haze for me, but our team will not soon forget the countless hours each and every one of the team put in to help get our company back. I've been working with Progent for at least 10 years, possibly more, and every time Progent has shined and delivered. This situation was the most impressive ever."
A potentially business-killing disaster was averted through the efforts of results-oriented experts, a broad spectrum of technical expertise, and close teamwork. In retrospect, the ransomware attack described here could have been prevented with modern cyber security technology, NIST Cybersecurity Framework best practices, user training, and well-thought-out incident response procedures for data backup and patching controls. Nonetheless, state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you are hit by a ransomware incident, you can be confident that Progent's roster of professionals has a proven track record in ransomware defense, cleanup, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thank you for letting me get rested after we got through the most critical parts. Everyone made an impressive effort, and if anyone that helped is around the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer story, please click: Progent's Ryuk Virus Recovery Case Study Datasheet (PDF - 282 KB).
Contact Progent for Ransomware System Recovery Services in Madison
For ransomware system recovery services in the Madison metro area, call Progent at 800-462-8800 or visit Contact Progent.