Ransomware: Your Feared IT Nightmare
Ransomware has become an all-too-frequent cyber pandemic that presents an enterprise-level danger to businesses of every size. Earlier ransomware families such as Reveton, Fusob, Locky, SamSam and MongoLock have been in the wild for years and continue to inflict harm. Newer crypto-ransomware such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Snatch and Nefilim, plus new and as yet unnamed variants appearing daily, not only encrypt online data files but also encrypt or delete any backups, snapshots and system restore points they can reach. Data synchronized to the cloud can be ransomed as well, because the encrypted files are replicated to cloud storage just like any other change. In a poorly designed environment this can make restoration hopeless and effectively knocks the entire system back to zero.
Getting applications and data back after a crypto-ransomware event becomes a race against the clock as the victim struggles to stop the spread, remove the ransomware and restore mission-critical operations. Because the attackers need time to move laterally and stage the encryption, the payload is often detonated at night, when detection and response take longer. This multiplies the difficulty of promptly mobilizing and organizing an experienced response team.
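The backup destruction described above is usually visible in process-creation logs before the ransom notes appear: Ryuk and many other families invoke built-in Windows tools to delete Volume Shadow Copies, purge backup catalogs and disable Windows recovery. The following Python detector is an added example for this page, not Progent's code or anything from the original article. It runs the standard rules for those commands over constructed event lines in a flattened Sysmon Event ID 1 / Security 4688 style; the hostnames, user names and the key="value" format are assumptions for illustration, and no line comes from a real incident.

```python
"""Detect backup-destruction commands in Windows process-creation events.

Added example, not Progent's code: before encrypting, Ryuk and many other
families run built-in Windows tools to delete Volume Shadow Copies, purge
backup catalogs and disable Windows recovery, so a detection on these command
lines can fire before the ransom notes appear.  The hostnames, user names and
the flattened key="value" event format below are assumptions for illustration;
the log lines are constructed and come from no real incident.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Each rule is (name, pattern) applied to the lower-cased command line.
# The patterns tolerate the .exe suffix, extra spaces and flag reordering.
RULES = [
    ("shadow_copy_delete",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("shadow_storage_resize",  # shrinking shadow storage forces old copies out
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b.*\bmaxsize=")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("backup_catalog_delete",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b")),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*(\brecoveryenabled\b.*\bno\b|\bbootstatuspolicy\b.*\bignoreallfailures\b)")),
]


@dataclass
class Alert:
    host: str
    user: str
    rule: str
    command_line: str


def parse_event(line: str) -> Optional[dict]:
    """Parse key="value" pairs from one flattened event line.

    Returns None when the line carries no CommandLine field, so malformed or
    unrelated lines are skipped rather than crashing the detector.
    """
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return fields if "CommandLine" in fields else None


def detect(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per event whose command line matches a rule."""
    alerts: List[Alert] = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        cmd = event["CommandLine"].lower()
        for name, pattern in RULES:
            if pattern.search(cmd):
                alerts.append(Alert(event.get("Computer", "?"),
                                    event.get("User", "?"),
                                    name, event["CommandLine"]))
                break  # one alert per event is enough for triage
    return alerts


def affected_hosts(alerts: Iterable[Alert]) -> List[str]:
    """Hosts that need immediate isolation, sorted for stable reporting."""
    return sorted({a.host for a in alerts})


# Constructed sample events in Sysmon Event ID 1 / Security 4688 style; only
# the benign "list shadows" and Outlook launches should pass without alerts.
SAMPLE_LOG = [
    'EventID="1" Computer="FILESRV01" User="CORP\\svc_backup" CommandLine="vssadmin  list shadows"',
    'EventID="1" Computer="FILESRV01" User="CORP\\jdoe" CommandLine="cmd.exe /c vssadmin.exe Delete Shadows /all /quiet"',
    'EventID="1" Computer="FILESRV01" User="CORP\\jdoe" CommandLine="wmic.exe shadowcopy delete"',
    'EventID="1" Computer="DC01" User="CORP\\jdoe" CommandLine="bcdedit /set {default} recoveryenabled No"',
    'EventID="1" Computer="DC01" User="CORP\\jdoe" CommandLine="wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"',
    'EventID="1" Computer="WS042" User="CORP\\asmith" CommandLine="OUTLOOK.EXE"',
    'truncated line with no parsable fields',
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.host:<10} {a.user:<16} {a.rule:<24} {a.command_line}")
    print("isolate:", ", ".join(affected_hosts(found)))
```

Two triage points matter when such a rule fires. First, the user and host tell you how far the intrusion has gone: a domain controller running `bcdedit` under an ordinary user account is a very different situation from a backup service account resizing shadow storage during its scheduled window, which is the main false-positive source. Second, the list of affected hosts is the starting point for containment, since the same credentials that deleted shadow copies are typically the ones about to launch the encryptor.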
Progent offers a range of solutions for protecting Valencia organizations from ransomware attacks. These include user training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security gateways with AI-based threat detection to identify and block new threats quickly. Progent can also provide experienced crypto-ransomware recovery consultants with the track record and perseverance to rebuild a breached environment as quickly as possible.
Progent's Crypto-Ransomware Recovery Support Services
After a crypto-ransomware event, paying the ransom demand in Bitcoin does not guarantee that the attackers will supply the keys to decrypt any of your files. Kaspersky found that seventeen percent of crypto-ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at about $13,000 for smaller businesses. The alternative is to rebuild the critical elements of your IT environment. Without access to intact backups, this calls for a wide range of IT skills, well-coordinated project management and the willingness to work around the clock until the job is done.
For twenty years, Progent has provided professional IT services to businesses across the United States and holds Microsoft Partner status with the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals with high-level certifications in key technologies including Microsoft, Cisco, VMware and the major Linux distributions. Progent's cybersecurity experts hold internationally recognized certifications including CISA, CISSP, ISACA CRISC and GIAC (see Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of expertise enables Progent to understand important systems rapidly, gather the surviving pieces of your IT environment after a crypto-ransomware intrusion and rebuild them into a functioning whole.
Progent's ransomware team uses professional project management tools to orchestrate the complex restoration process. Progent understands the urgency of acting rapidly and in concert with the client's management and IT staff to prioritize tasks and bring the most important services back online as soon as humanly possible.
Customer Case Study: A Successful Ransomware Recovery
A client engaged Progent after their company was hit by the Ryuk crypto-ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, but later analysis attributed it to a Russian-speaking criminal group (tracked by CrowdStrike as Wizard Spider) that deploys it by hand inside networks it has already compromised. Ryuk targets organizations with little or no tolerance for disruption and is one of the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturer based in Chicago with around 500 employees. The Ryuk attack had halted all business operations and manufacturing. Most of the client's backups were online at the time of the intrusion and were encrypted along with the production data. The client was preparing to pay the ransom (in excess of $200,000) and hoping for the best, but ultimately brought in Progent.
"I cannot speak enough in regards to the care Progent gave us during the most stressful time of (our) company's survival. We most likely would have paid the hackers behind this attack if it wasn't for the confidence the Progent team gave us. That you were able to get our e-mail and production applications back into operation in less than a week was earth shattering. Every single person I talked with or texted at Progent was absolutely committed to getting us operational and was working at all hours on our behalf."
Progent worked with the customer to rapidly identify and prioritize the essential components that had to be recovered before company operations could restart:
- Active Directory
- Microsoft Exchange
To begin, Progent followed standard malware incident-response practice: isolate affected systems to contain the spread, then eradicate the ransomware. Progent then started recovering Windows Active Directory, the core of any Microsoft Windows-based enterprise environment. Exchange cannot operate without Active Directory, and the business's MRP applications ran on SQL Server, to which they authenticated with Active Directory (Windows) accounts.
Within two days, Progent had restored Active Directory to its pre-attack state. Progent then pressed ahead with rebuilding mission-critical servers and recovering their storage. The Exchange Server configuration and attributes held in Active Directory were intact, which simplified rebuilding Exchange; mailbox content was recovered from the unencrypted OST files (Outlook offline folder files) cached on users' workstations. A recent offline backup of the accounting/MRP system allowed those essential services to be brought back online. Although a great deal of work remained to recover fully from Ryuk, essential services were restored quickly:
"For the most part, the assembly line operation survived unscathed and we produced all customer deliverables."
Over the next few weeks, key milestones in the restoration were reached in close collaboration between Progent consultants and the customer:
- In-house web applications were returned to operation with no loss of data.
- The MailStore archive of Exchange mail, containing more than 4 million historical messages, was restored and made accessible to users.
- The CRM, orders, invoicing, accounts payable, accounts receivable and inventory control modules were fully operational.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- Nearly all user desktops and notebooks were fully operational.
"So much of what happened those first few days is mostly a fog for me, but I will not forget the countless hours each and every one of you put in to give us our company back. I have entrusted Progent for the past 10 years, possibly more, and every time Progent has shined and delivered as promised. This situation was no exception but maybe more Herculean."
A potential business disaster was averted by results-oriented experts, a broad array of technical expertise and tight teamwork. In hindsight, the crypto-ransomware attack described here would likely have been blocked or contained by current security tooling combined with NIST Cybersecurity Framework or ISO/IEC 27001 practices, staff training, offline or otherwise isolated backups, and disciplined patch management; nevertheless, criminal and state-sponsored groups in Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you are hit by crypto-ransomware, Progent's roster of experts has a proven track record in ransomware defense, cleanup and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), I'm grateful for letting me get some sleep after we got through the most critical parts. All of you put in an amazing effort, and if anyone that helped is in the Chicago area, a great meal is the least I can do!"
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)