Ransomware: Your Feared Information Technology Catastrophe
Crypto-ransomware has become a modern cyber pandemic and represents an existential danger for businesses of any size that are exposed to an attack. Multiple generations of crypto-ransomware, including the Dharma, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms, have been spreading for years and continue to cause destruction. Newer families such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Egregor, along with other unnamed malware, not only encrypt online data but also go after every configured system-protection mechanism they can reach. Files synchronized to off-site disaster recovery sites can be encrypted as well. In a poorly architected environment this renders automated restoration useless and effectively knocks the network back to square one.
Restoring services and data after a ransomware event becomes a race against the clock as the targeted business tries to halt lateral movement, remove the ransomware, and bring business-critical activity back. Because ransomware needs time to move laterally, intrusions are often launched on weekends and holidays, when they typically take longer to detect. This multiplies the difficulty of rapidly assembling and coordinating a knowledgeable mitigation team.
Progent offers a range of services for protecting Valencia enterprises from ransomware attacks. These include staff education on recognizing and avoiding phishing exploits, and ProSight Active Security Monitoring, an endpoint detection and response service that uses SentinelOne's behavior-based cyberthreat defense to identify and quarantine zero-day malware attacks. Progent also provides the assistance of veteran ransomware recovery engineers with the skills and commitment to rebuild a compromised environment as quickly as possible.
Progent's Crypto-Ransomware Restoration Help
After a ransomware attack, even paying the ransom demand in Bitcoin does not guarantee that remote criminals will provide the keys to decrypt any of your data. Kaspersky found that 17% of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The exposure is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the typical crypto-ransomware demand, which ZDNET put at around $13,000 for smaller organizations. The fallback is to rebuild the mission-critical parts of your Information Technology environment. Without complete data backups, this requires a broad complement of IT skills, professional team management, and the ability to work non-stop until the job is done.
For two decades, Progent has provided professional Information Technology services to businesses across the U.S. and has earned Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold advanced certifications in foundation technologies from Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists hold internationally recognized certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications.) Progent also has expertise in financial management and ERP applications. This breadth of experience lets Progent rapidly identify the essential systems, salvage the remaining components of your Information Technology environment after a ransomware event, and rebuild them into a functioning whole.
Progent's ransomware team uses best-of-breed project management systems to coordinate the complex recovery process. Progent understands the urgency of acting swiftly and in concert with a customer's management and IT staff to prioritize tasks and bring critical applications back online as fast as humanly possible.
Client Story: A Successful Crypto-Ransomware Attack Response
A small business engaged Progent after its organization was attacked by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state criminal gangs, possibly using techniques leaked from America's NSA. Ryuk targets specific organizations with little tolerance for disruption and is one of the most profitable ransomware families. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing company located in Chicago with around 500 workers. The Ryuk attack had shut down all essential operations and manufacturing processes. Most of the client's backups were online at the time of the attack and were damaged. The client considered paying the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but in the end decided to engage Progent.
"I cannot say enough in regards to the expertise Progent gave us throughout the most stressful time of (our) company's survival. We most likely would have paid the hackers behind this attack if it wasn't for the confidence the Progent experts gave us. The fact that you could get our messaging and key servers back on-line sooner than a week was earth shattering. Every single staff member I worked with or communicated with at Progent was hell bent on getting us operational and was working at breakneck pace to bail us out."
Progent worked hand in hand with the customer to quickly identify and prioritize the most important areas that had to be addressed so that company functions could continue:
- Active Directory (AD)
- Microsoft Exchange Email
- MRP System
To start, Progent followed industry best practices for malware incident response by isolating affected systems and performing malware removal. Progent then began restoring Active Directory, the foundation of enterprise systems built on Microsoft technology. Microsoft Exchange Server email will not function without Active Directory, and the client's accounting and MRP system ran on SQL Server, which relies on Active Directory to authenticate access to the data.
In less than two days, Progent restored Active Directory to its pre-infection state. Progent then completed setup and disk recovery for the required applications. All Exchange Server data and attributes were intact, which greatly simplified the rebuild of Exchange. Progent was also able to locate local OST files (Outlook Offline Folder Files) on staff desktop computers to recover mail messages. A relatively recent offline backup of the customer's accounting/ERP systems made it possible to return these vital applications to service. Although major work remained to recover fully from the Ryuk attack, essential systems were restored rapidly:
"For the most part, the manufacturing operation ran fairly normally throughout and we did not miss any customer deliverables."
Over the next few weeks, critical milestones in the restoration process were reached through close collaboration between Progent consultants and the customer:
- In-house web applications were returned to operation without losing any data.
- The MailStore email archive for Microsoft Exchange Server, containing more than four million archived emails, was brought back online and made available to users.
- CRM/Orders/Invoicing/Accounts Payable/Accounts Receivable/Inventory Control functions were fully operational.
- A new Palo Alto Networks 850 security appliance was brought online.
- Nearly all of the user workstations were operational.
"A huge amount of what transpired that first week is mostly a fog for me, but I will not forget the countless hours all of your team put in to give us our business back. I've been working together with Progent for at least 10 years, maybe more, and every time I needed help Progent has come through and delivered as promised. This time was a testament to your capabilities."
A likely business-extinction disaster was averted through the efforts of top-tier professionals, a wide array of subject matter expertise, and close collaboration. In hindsight, the ransomware incident described here should have been prevented by advanced security systems and recognized best practices, user and IT administrator training, well-designed data protection procedures, and prompt application of security patches. The fact remains, however, that state-sponsored hackers from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do fall victim to crypto-ransomware, you can be confident that Progent's team of experts has proven experience in ransomware defense, mitigation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for making it so I could get rested after we got over the most critical parts. Everyone made an impressive effort, and if any of your team is in the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this customer story, please click: Progent's Ryuk Recovery Case Study Datasheet (PDF - 282 KB).
Contact Progent for Ransomware System Restoration Consulting in Valencia
For ransomware system recovery consulting services in the Valencia area, call Progent at 800-462-8800 or go to Contact Progent.