Ransomware: Your Feared IT Catastrophe
Crypto-ransomware has become a modern cyber pandemic that presents an existential danger for organizations unprepared for an attack. Established families of crypto-ransomware such as CrySIS, Fusob, Locky, SamSam and the MongoLock cryptoworm have been spreading for years and still cause havoc. More recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, plus a steady stream of as yet unnamed newcomers, not only encrypt on-line data files but also seek out and encrypt every system backup they can reach. Data replicated to cloud environments can be encrypted as well. With a poorly architected data protection solution, this can make any recovery hopeless and effectively sets the entire system back to square one.
Recovering services and data after a crypto-ransomware intrusion becomes a race against time as the targeted business struggles to contain and clean up the ransomware and to restore business-critical operations. Because ransomware takes time to spread, intrusions are often launched at night or over weekends, when they are likely to go undetected for longer. This makes it much harder to mobilize and organize a capable response team promptly.
Progent offers a variety of services for protecting Fresno organizations from crypto-ransomware attacks. These include user training to recognize and avoid phishing exploits, and ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR), which uses SentinelOne's AI-based threat protection to identify and quarantine zero-day malware attacks. Progent also offers the services of veteran ransomware recovery professionals with the track record and commitment to restore a compromised environment as quickly as possible.
Progent's Crypto-Ransomware Recovery Help
After a ransomware intrusion, even paying the ransom demand in cryptocurrency provides no assurance that the criminal gang will respond with the keys needed to decrypt all your data. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their files even after paying the ransom, compounding their losses. The gamble is also very expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the usual crypto-ransomware demand, which ZDNET determined to be approximately $13,000 for small organizations. The alternative is to rebuild the mission-critical parts of your IT environment. Without complete data backups, this requires a broad complement of skills, top-notch project management, and the willingness to work around the clock until the job is done.
For two decades, Progent has offered expert IT services to companies throughout the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who hold high-level certifications in key technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security consultants hold internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise in accounting and ERP software solutions. This breadth of expertise gives Progent the skills to rapidly identify the systems that must be recovered, gather the remaining pieces of your IT environment after a ransomware intrusion, and rebuild them into a functioning system.
Progent's recovery team uses powerful project management applications to coordinate the complicated recovery process. Progent understands the urgency of working quickly and in concert with a client's management and IT staff to prioritize tasks and get key services back on-line as soon as possible.
Business Case Study: A Successful Crypto-Ransomware Incident Restoration
A small business contacted Progent after its network was brought down by the Ryuk ransomware. Ryuk is thought to have been created by North Korean state-sponsored criminal gangs, suspected of adopting technology leaked from America's National Security Agency. Ryuk targets specific businesses with little or no ability to sustain disruption and is among the most profitable ransomware variants. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturer based in Chicago with about 500 workers. The Ryuk intrusion had paralyzed all essential operations and manufacturing processes. The majority of the client's data backups were on-line and directly accessible when the attack began, and were encrypted. The client was considering paying the ransom demand (exceeding $200,000) and hoping for the best, but ultimately brought in Progent.
"I cannot speak enough about the expertise Progent provided us throughout the most fearful period of (our) company's survival. We may have had to pay the cyber criminals if it wasn't for the confidence the Progent team provided us. The fact that you were able to get our e-mail system and essential servers back online in under five days was something I thought impossible. Each expert I spoke to or communicated with at Progent was urgently focused on getting us back on-line and was working at all hours on our behalf."
Progent worked with the client to quickly identify and prioritize the key areas that had to be addressed in order to keep the business running:
- Active Directory
- Microsoft Exchange Server
First, Progent followed ransomware incident mitigation best practices by halting lateral movement and performing malware removal. Progent then began recovering Microsoft Active Directory, the core of enterprise networks built on Microsoft Windows Server. Exchange messaging will not work without Active Directory, and the customer's accounting and MRP software ran on Microsoft SQL Server, which relied on Windows AD for access to the database.
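The recovery order above follows service dependencies: nothing that authenticates against Active Directory can come back before AD does, and the accounting/MRP system cannot come back before SQL Server. The following Python planner, added here as an illustration and not part of Progent's case study or tooling, generalizes that reasoning to any service inventory. It groups services into recovery waves with Kahn's topological sort, flags a cyclic dependency map as unrecoverable as written, and reports which services are transitively blocked by a given outage, which is what makes AD the obvious first target. The service names and dependency edges below are constructed from the case study and are assumptions, not the client's actual inventory.

```python
# Constructed dependency map loosely modelled on the case study (assumption:
# the real application inventory is not on the page; names are illustrative).
# Key: a service; value: the services it needs running before it can return.
CASE_STUDY_DEPENDENCIES = {
    "Active Directory": set(),
    "Microsoft Exchange Server": {"Active Directory"},
    "Microsoft SQL Server": {"Active Directory"},
    "Accounting/MRP": {"Microsoft SQL Server"},
    "Internal web applications": {"Active Directory", "Microsoft SQL Server"},
    "MailStore archive": {"Active Directory"},
    "Desktops": {"Active Directory", "Microsoft Exchange Server"},
}


def recovery_waves(dependencies):
    """Group services into waves so each wave depends only on earlier waves.

    Kahn's algorithm: wave 0 is every service with no unmet dependency,
    wave 1 is everything unblocked once wave 0 is back, and so on.  Within a
    wave, services are sorted by name so the plan is deterministic.  Raises
    ValueError if the graph is cyclic, which means the map itself is wrong
    and must be fixed before a plan can exist.
    """
    # Copy the map and make sure every referenced dependency exists as a node.
    remaining = {s: set(d) for s, d in dependencies.items()}
    for deps in list(remaining.values()):
        for d in deps:
            remaining.setdefault(d, set())

    waves = []
    while remaining:
        ready = sorted(s for s, deps in remaining.items() if not deps)
        if not ready:
            raise ValueError(
                "cyclic dependencies among: " + ", ".join(sorted(remaining)))
        waves.append(ready)
        for s in ready:
            del remaining[s]
        for deps in remaining.values():
            deps.difference_update(ready)
    return waves


def blocked_by(dependencies, service):
    """Return the set of services that cannot be recovered while `service`
    is down, following dependency edges transitively in reverse."""
    dependents = {}
    for s, deps in dependencies.items():
        for d in deps:
            dependents.setdefault(d, set()).add(s)

    blocked, stack = set(), [service]
    while stack:
        current = stack.pop()
        for s in dependents.get(current, ()):
            if s not in blocked:
                blocked.add(s)
                stack.append(s)
    return blocked


if __name__ == "__main__":
    for i, wave in enumerate(recovery_waves(CASE_STUDY_DEPENDENCIES)):
        print(f"wave {i}: {', '.join(wave)}")
    for svc in ("Active Directory", "Microsoft SQL Server"):
        print(f"{svc} down blocks: {sorted(blocked_by(CASE_STUDY_DEPENDENCIES, svc))}")
```

Run as a script it prints three waves: Active Directory alone, then Exchange, SQL Server and the MailStore archive, then everything that sits on top of those. The `blocked_by` report is the quantitative version of the paragraph's argument: with AD down every other service in the map is unrecoverable, so AD is wave 0 regardless of how business-critical the applications above it are.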
In less than 2 days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then performed reinstallations and storage recovery on critical applications. All Microsoft Exchange Server data and configuration information were intact, which greatly simplified the Exchange restore. Progent was able to locate intact OST files (Outlook offline folder files) on staff desktop computers and used them to recover email data. A recent offline backup of the client's accounting/MRP systems made it possible to bring these required services back online. Although a large amount of work remained before the client had fully recovered from the Ryuk event, core services were returned to operation quickly:
"For the most part, the production line operation never missed a beat and we did not miss any customer deliverables."
Over the following couple of weeks, critical milestones in the recovery project were reached through close collaboration between Progent team members and the client:
- Internal web applications were brought back up without losing any data.
- The MailStore server, holding more than 4 million historical emails, was restored to operation and made available to users.
- CRM, customer orders, invoicing, accounts payable (AP), accounts receivable (AR), and inventory control functions were fully operational.
- A new Palo Alto 850 security appliance was brought online.
- 90% of the desktop computers were fully operational.
"A lot of what went on that first week is nearly entirely a blur for me, but we will not forget the countless hours each and every one of you accomplished to help get our company back. I've been working together with Progent for the past 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This event was the most impressive ever."
A potential enterprise-killing disaster was averted through the efforts of top-tier experts, a wide range of knowledge, and close teamwork. Post-incident forensics showed that the crypto-ransomware intrusion described here would have been blocked by current cyber security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user education, and properly executed procedures for data protection and patching. Even so, state-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and represent an ongoing threat. If you are hit by a ransomware incursion, you can be confident that Progent's roster of professionals has a proven track record in ransomware blocking, cleanup, and data restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thanks very much for making it so I could get rested after we made it past the first week. All of you did an amazing effort, and if anyone is visiting the Chicago area, dinner is on me!"
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Expertise in Fresno
For ransomware system recovery consulting services in the Fresno area, call Progent at 800-462-8800 or visit Contact Progent.