Crypto-Ransomware : Your Crippling IT Nightmare
Ransomware has become an all-too-frequent cyberplague that poses an enterprise-level danger to organizations poorly prepared for an attack. Iterations of ransomware such as the Dharma, WannaCry, Locky, Syskey and MongoLock cryptoworms have been replicating for years and still wreak havoc. Modern strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, along with frequent unnamed variants, not only encrypt critical online data but also compromise whatever system protection they can reach. Files replicated to cloud environments can also be encrypted. In a poorly architected data protection solution, this can render automated restore operations hopeless and effectively knock the datacenter back to zero.
Recovering services and data after a crypto-ransomware intrusion becomes a race against time as the targeted business tries its best to contain and eradicate the crypto-ransomware and to restore mission-critical activity. Because crypto-ransomware needs time to spread, attacks are often sprung during nights and weekends, when successful penetrations tend to take longer to identify. This multiplies the difficulty of rapidly assembling and organizing a capable mitigation team.
Progent offers an assortment of solutions for securing Valencia organizations against ransomware events. These include training staff to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of the latest generation of security solutions with machine learning technology to quickly identify and disable zero-day threats. Progent can also provide the services of experienced crypto-ransomware recovery professionals with the track record and commitment to rebuild a compromised network as urgently as possible.
Progent's Ransomware Restoration Services
After a ransomware penetration, even paying the ransom demand in cryptocurrency does not ensure that the criminals will provide the keys to decrypt any or all of your information. Kaspersky Labs estimated that 17% of ransomware victims never restored their data after having paid the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than typical ransomware demands, which ZDNET estimated at approximately $13,000 for smaller organizations. The fallback is to piece back together the critical components of your Information Technology environment. Without access to full data backups, this calls for a wide range of IT skills, professional project management, and the ability to work continuously until the job is complete.
For decades, Progent has provided certified expert Information Technology services to businesses across the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who hold high-level industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers hold internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise in financial systems and ERP applications. This breadth of experience gives Progent the ability to quickly understand the systems involved, organize the surviving components of your IT environment after a ransomware penetration, and assemble them into an operational system.
Progent's recovery team deploys top-notch project management systems to coordinate the complex recovery process. Progent appreciates the urgency of working rapidly and together with a customer's management and Information Technology resources to prioritize tasks and to put key services back online as fast as possible.
Client Case Study: A Successful Ransomware Intrusion Restoration
A small business contacted Progent after their network was penetrated by Ryuk ransomware. Ryuk is believed to have been created by North Korean state-sponsored criminal gangs, possibly using techniques leaked from the U.S. NSA. Ryuk targets specific businesses with little tolerance for operational disruption and is among the most lucrative examples of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business located in the Chicago metro area with about 500 workers. The Ryuk penetration had frozen all company operations and manufacturing processes. Most of the client's system backups had been directly accessible at the beginning of the intrusion and were eventually encrypted. The client considered paying the ransom demand (more than $200K) and hoping for the best, but ultimately decided to engage Progent.
"I cannot thank you enough in regards to the care Progent provided us throughout the most fearful period of (our) business's life. We may have had to pay the Hackers except for the confidence the Progent group gave us. That you could get our e-mail system and key applications back on-line faster than a week was earth shattering. Each expert I spoke to or communicated with at Progent was totally committed to getting our system up and was working at all hours to bail us out."
Progent worked together with the client to quickly assess and prioritize the essential applications that needed to be restored in order to resume departmental functions:
- Microsoft Active Directory
- Microsoft Exchange Email
- Accounting and Manufacturing Software
To begin, Progent followed anti-virus incident response best practices by stopping the spread and cleaning up infected systems. Progent then started the task of recovering Windows Active Directory, the key technology of enterprise environments built on Microsoft Windows. Exchange messaging will not operate without Active Directory, and the business's financials and MRP system ran on SQL Server, which depends on Active Directory services for authentication to the databases.
In less than 48 hours, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then completed setup and hard drive recovery on the needed servers. All Exchange Server data and configuration information were usable, which facilitated the rebuild of Exchange. Progent was also able to collect unencrypted OST data files (Microsoft Outlook Offline Folder Files) from staff desktop computers and laptops to recover mail data. A reasonably recent offline backup of the customer's accounting/ERP systems made it possible to bring these required applications back online. Although a large amount of work still had to be done to recover completely from the Ryuk damage, essential systems were restored rapidly:
"For the most part, the production operation was never shut down and we did not miss any customer deliverables."
Over the next couple of weeks, critical milestones in the recovery process were achieved in close cooperation between Progent team members and the customer:
- Self-hosted web sites were returned to operation without losing any data.
- The MailStore archive server for Microsoft Exchange, holding more than four million historical emails, was brought online and made available to users.
- CRM/Customer Orders/Invoicing/AP/Accounts Receivable/Inventory capabilities were 100% functional.
- A new Palo Alto Networks 850 firewall was installed.
- Most of the user desktops and notebooks were back in use by staff.
"Much of what happened that first week is mostly a fog for me, but I will not soon forget the commitment each of you put in to help get our business back. I've trusted Progent for the past 10 years, possibly more, and each time Progent has shined and delivered. This situation was the most impressive ever."
A likely business catastrophe was averted thanks to results-oriented professionals, a broad array of IT skills, and tight collaboration. Although, in post-mortem, the ransomware attack described here should have been identified and stopped by modern security systems and best practices, staff training, appropriate incident response procedures for data protection, and proper patching controls, the fact is that state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to ransomware, be confident that Progent's team of experts has extensive experience in ransomware blocking, remediation, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thank you for making it so I could get some sleep after we made it over the first week. Everyone did an amazing job, and if anyone that helped is in the Chicago area, a great meal is the least I can do!"
Download the Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Expertise in Valencia
For ransomware cleanup expertise in the Valencia metro area, phone Progent at 800-462-8800 or go to Contact Progent.