Ransomware: Your Worst IT Catastrophe
Crypto-ransomware has become an all too frequent cyber pandemic that poses an enterprise-level threat to organizations unprepared for an attack. Crypto-ransomware families such as Dharma, Fusob, Locky, Syskey and MongoLock have been in the wild for years and continue to inflict harm. Newer strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Egregor, along with as yet unnamed newcomers, not only encrypt online files but also attack most configured system protection mechanisms, including any backups reachable from the compromised network. Data replicated to the cloud can also be rendered useless. In a poorly designed environment this can make automated restore operations impossible and effectively knocks the network back to zero.
Recovering programs and data after a crypto-ransomware attack becomes a race against the clock as the targeted organization tries to stop lateral movement, eradicate the ransomware and resume business-critical activity. Because ransomware needs time to spread, attacks are often launched on weekends and holidays, when intrusions take longer to discover. This compounds the difficulty of promptly assembling and coordinating an experienced response team.
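The behaviour described above (mass encryption of online files, destruction of reachable backups, and timing for weekends and off-hours) is exactly what a detection rule should key on. The following is an added example, not code from Progent or from this page: a Python heuristic run over a constructed set of file-activity events. The event format (`timestamp|host|action|path|newpath`), the business hours, the rename threshold, the five-minute window and the backup-path markers are all assumptions chosen for illustration.

```python
"""Off-hours mass-encryption heuristic over constructed file-activity events.

Added example; the log format, thresholds and markers below are assumptions.
"""
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = range(7, 19)   # assumption: 07:00-18:59 local time is staffed
RENAME_THRESHOLD = 25           # assumption: extension changes per host per window
WINDOW_SECONDS = 300            # assumption: five-minute sliding window
BACKUP_MARKERS = ("\\backup", "/backup", ".bak", ".vbk")  # assumption: backup paths/files


def parse_event(line):
    """Parse one 'ts|host|action|path|newpath' record (newpath empty unless RENAME)."""
    ts, host, action, path, newpath = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "action": action, "path": path, "newpath": newpath}


def extension(path):
    """Lower-cased extension of the last path component, or '' if none."""
    name = path.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_off_hours(ts):
    """Weekend, or outside the assumed business hours."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def is_backup_target(path):
    return any(marker in path.lower() for marker in BACKUP_MARKERS)


def max_in_window(times):
    """Largest number of sorted timestamps that fall inside WINDOW_SECONDS."""
    best, j = 0, 0
    for i, t in enumerate(times):
        while (t - times[j]).total_seconds() > WINDOW_SECONDS:
            j += 1
        best = max(best, i - j + 1)
    return best


def analyze(lines):
    """Return per-host counters and flags: mass-extension-change, backup-deletion, off-hours."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    per_host = defaultdict(lambda: {"ext_changes": [], "backup_deletes": 0,
                                    "off_hours": 0, "new_exts": set()})
    for e in events:
        h = per_host[e["host"]]
        # A rename that changes the extension is the classic encrypt-and-rename pattern.
        if e["action"] == "RENAME" and extension(e["path"]) != extension(e["newpath"]):
            h["ext_changes"].append(e["ts"])
            h["new_exts"].add(extension(e["newpath"]))
        # Deleting backup files from a workstation is rarely legitimate.
        if e["action"] == "DELETE" and is_backup_target(e["path"]):
            h["backup_deletes"] += 1
        if is_off_hours(e["ts"]):
            h["off_hours"] += 1

    findings = {}
    for host, h in per_host.items():
        peak = max_in_window(h["ext_changes"])
        flags = []
        if peak >= RENAME_THRESHOLD:
            flags.append("mass-extension-change")
        if h["backup_deletes"]:
            flags.append("backup-deletion")
        if flags and h["off_hours"]:
            flags.append("off-hours")   # raises priority, never a finding on its own
        findings[host] = {"peak_renames": peak, "backup_deletes": h["backup_deletes"],
                          "new_exts": sorted(h["new_exts"]), "flags": flags}
    return findings


def constructed_events():
    """Constructed sample input, not real logs: one noisy host early on a Saturday, one normal host."""
    lines = [f"2021-03-06T02:10:{i:02d}|ws-17|RENAME|\\\\fs1\\finance\\doc{i}.xlsx|\\\\fs1\\finance\\doc{i}.xlsx.ryk"
             for i in range(30)]
    lines.append("2021-03-06T02:11:05|ws-17|DELETE|\\\\fs1\\backup\\daily.vbk|")
    lines.append("2021-03-04T10:15:00|ws-02|RENAME|\\\\fs1\\sales\\draft.docx|\\\\fs1\\sales\\final.docx")
    lines.append("2021-03-04T10:16:00|ws-02|RENAME|\\\\fs1\\sales\\report.doc|\\\\fs1\\sales\\report.docx")
    return lines


if __name__ == "__main__":
    for host, result in analyze(constructed_events()).items():
        print(host, result)
```

In practice the input would come from file-server audit logs or EDR file telemetry rather than a constructed list, and the threshold should be tuned against a baseline of normal rename volume so that a legitimate bulk conversion job does not page the on-call engineer. The "off-hours" flag deliberately only raises priority on hosts that already tripped another rule; off-hours activity alone is not evidence of anything.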
Progent offers an assortment of services for protecting Valencia enterprises from crypto-ransomware attacks. These include user education to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment and configuration of next-generation security appliances with machine learning capabilities to detect and quarantine new threats quickly. Progent also provides expert crypto-ransomware recovery engineers with the skill and perseverance to rebuild a breached network as urgently as possible.
Progent's Ransomware Restoration Support Services
After a ransomware event, paying the ransom demand in Bitcoin does not guarantee that the remote criminals will respond with the decryption keys needed to recover any or all of your files. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their data even after paying the ransom, compounding their losses. The risk is also very costly. Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000). This is far higher than the average ransomware demand, which ZDNet determined to be approximately $13,000 for smaller businesses. The alternative is to rebuild the key parts of your IT environment from scratch. Without access to complete backups, this calls for a broad complement of skills, professional team management, and the ability to work 24x7 until the job is done.
For twenty years, Progent has provided expert IT services to companies across the U.S. and has earned Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who hold high-level certifications in foundation technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cybersecurity engineers hold internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications). Progent also has expertise in accounting and ERP software. This breadth of expertise gives Progent the capability to knowledgeably identify critical systems, reorganize the surviving components of your IT environment after a ransomware attack, and configure them into a working network.
Progent's security team uses best-of-breed project management tools to orchestrate the complex restoration process. Progent understands the urgency of working rapidly and in unison with a customer's management and IT staff to prioritize tasks and bring critical applications back online as soon as possible.
Customer Case Study: A Successful Ransomware Intrusion Restoration
A small business hired Progent after its network was brought down by Ryuk crypto-ransomware. Ryuk is thought to have been deployed by North Korean state-sponsored criminal gangs and is suspected of incorporating exploit code leaked from America's National Security Agency. Ryuk targets specific businesses that have little tolerance for operational disruption and is one of the most lucrative strains of ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company in the Chicago metro area with around 500 employees. The Ryuk intrusion had shut down all business operations and manufacturing processes. Most of the client's system backups had been directly accessible from the network when the intrusion began and were destroyed. The client considered paying the ransom (in excess of two hundred thousand dollars) and hoping for good luck, but ultimately engaged Progent.
"I can't speak enough in regards to the expertise Progent gave us throughout the most stressful time of (our) business's survival. We had little choice but to pay the cyber criminals behind the attack if not for the confidence the Progent experts afforded us. That you were able to get our e-mail system and production servers back into operation in less than one week was something I thought impossible. Each consultant I talked with or messaged at Progent was laser focused on getting us back online and was working 24 by 7 on our behalf."
Progent worked with the client to rapidly assess and prioritize the key areas that had to be addressed in order to resume business operations:
- Active Directory
- Exchange Server
First, Progent followed ransomware incident response best practices by halting the spread and cleaning up compromised systems. Progent then began restoring Microsoft Active Directory, the foundation of any enterprise network built on Microsoft technology. Exchange email will not function without AD, and the customer's financial and MRP systems ran on SQL Server, which used Windows AD to authenticate access to the data.
Within two days, Progent was able to recover Active Directory to its pre-attack state. Progent then began rebuilding and recovering the hard drives of essential systems. All Exchange Server links and configuration information were intact, which greatly simplified the rebuild of Exchange. Progent was also able to collect intact OST files (Outlook Offline Folder files) from various PCs in order to recover email data. A fairly recent offline backup of the business's manufacturing systems made it possible to bring these required applications back online. Although major work remained to recover fully from the Ryuk damage, the most important systems were restored quickly:
"For the most part, the assembly line operation survived unscathed and we delivered all customer deliverables."
Over the next few weeks, critical milestones in the restoration project were achieved in close cooperation between Progent engineers and the client:
- In-house web applications were brought back up with no loss of data.
- The MailStore Server containing more than 4 million archived emails was brought online and accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable/AR/Inventory Control capabilities were 100% operational.
- A new Palo Alto Networks 850 firewall was installed.
- Most of the user desktops and notebooks were functioning as before the incident.
"So much of what happened that first week is nearly entirely a blur for me, but we will not soon forget the countless hours all of your team put in to help get our business back. I've trusted Progent for at least 10 years, maybe more, and every time Progent has come through and delivered. This event was a life saver."
A potential business-ending catastrophe was averted by top-tier experts, a wide spectrum of technical expertise, and close collaboration. In analyzing the event afterwards, the incident described here should have been stopped by modern security controls, security best practices, staff training, appropriate procedures for protecting data, and proper patch management; the fact remains, though, that state-sponsored cyber criminals from Russia, China and elsewhere are tireless and will keep attacking. If you do fall victim to a crypto-ransomware attack, remember that Progent's team of experts has extensive experience in crypto-ransomware defense, mitigation, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were helping), thank you for letting me get some sleep after we got past the most critical parts. All of you made an amazing effort, and if anyone is around the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this customer story, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet (PDF, 282 KB)