Ransomware: Your Crippling Information Technology Catastrophe
Ransomware has become a modern cyber plague that poses an existential threat to businesses of all sizes that are unprepared for an attack. Variants of crypto-ransomware such as the CryptoLocker, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been in the wild for years and still cause damage. Newer strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, along with unnamed malware, not only encrypt on-line data but also defeat many of the system protection mechanisms that have been configured. Data synchronized to off-site disaster recovery sites can also be corrupted. In a poorly architected data protection solution, this can make automated recovery hopeless and effectively set the network back to square one.
Recovering services and data after a crypto-ransomware intrusion becomes a race against the clock as the targeted business fights to stop lateral movement, clear the malware, and restore enterprise-critical operations. Because crypto-ransomware needs time to spread, attacks are often launched during nights and weekends, when a successful intrusion typically takes longer to identify. This makes it harder to promptly assemble and organize an experienced response team.
Progent has an assortment of services for securing Fresno organizations from crypto-ransomware events. Among these are team member training to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of modern security gateways with machine learning technology to rapidly discover and disable zero-day cyber threats. Progent also provides the services of experienced crypto-ransomware recovery engineers with the skills and commitment to rebuild a breached environment as rapidly as possible.
Progent's Ransomware Recovery Services
Paying the ransom in Bitcoin soon after a ransomware event does not guarantee that the attackers will return the keys needed to decrypt any of your data. Kaspersky estimated that 17% of ransomware victims never recovered their files even after paying the ransom, compounding their losses. Paying is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000), well above typical crypto-ransomware demands, which ZDNET determined to be around $13,000 for small organizations. The alternative is to rebuild the essential parts of your IT environment. Without complete system backups, this calls for a broad complement of skills, top-notch team management, and the willingness to work continuously until the recovery is complete.
For two decades, Progent has offered professional IT services for businesses across the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have earned top certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts hold internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise in accounting and ERP software solutions. This breadth of expertise gives Progent the skills to quickly understand the necessary systems, re-organize the surviving components of your network following a crypto-ransomware penetration, and configure them into a functioning system.
Progent's ransomware group utilizes best of breed project management applications to coordinate the sophisticated restoration process. Progent knows the urgency of acting swiftly and together with a client's management and Information Technology staff to assign priority to tasks and to put the most important services back on line as fast as humanly possible.
Client Story: A Successful Ransomware Intrusion Restoration
A customer hired Progent after their organization was crippled by Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state-sponsored hackers, who are suspected of adopting techniques leaked from America's National Security Agency. Ryuk targets specific organizations that have little or no room for operational disruption and is one of the most lucrative incarnations of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company in Chicago with around 500 employees. The Ryuk intrusion had shut down all company operations and manufacturing processes. Most of the client's backups had been on-line at the start of the intrusion and were destroyed. The client considered paying the ransom demand (exceeding $200,000) and hoping for the best, but in the end called Progent.
"I cannot thank you enough in regards to the care Progent gave us during the most critical period of (our) company's survival. We may have had to pay the cybercriminals if not for the confidence the Progent experts gave us. The fact that you were able to get our messaging and critical applications back in less than five days was beyond my wildest dreams. Each consultant I talked with or messaged at Progent was laser focused on getting us back on-line and was working 24/7 on our behalf."
Progent worked with the customer to quickly identify and prioritize the critical areas that had to be addressed in order to resume departmental operations:
- Microsoft Active Directory
- Electronic Messaging
- Accounting and Manufacturing Software
To start, Progent followed ransomware incident mitigation best practices by halting the spread and cleaning up compromised systems. Progent then began the task of restoring Microsoft Active Directory, the core of enterprise systems built on Microsoft technology. Exchange messaging will not function without Windows AD, and the business's MRP applications used SQL Server, which depends on Active Directory to authenticate access to the data.
In less than 48 hours, Progent restored Active Directory services to their pre-attack state. Progent then carried out setup and storage recovery on mission-critical systems. All Microsoft Exchange Server data and configuration information were intact, which accelerated the restoration of Exchange. Progent collected local OST files (Outlook Off-Line Folder Files) from staff PCs to recover mail messages. A recent off-line backup of the client's financials/ERP systems made it possible to bring these essential applications back into service. Although a great deal of work remained to recover fully from the Ryuk event, critical services were restored rapidly:
"For the most part, the manufacturing operation never missed a beat and we made all customer orders."
During the next few weeks critical milestones in the recovery project were achieved through close collaboration between Progent engineers and the customer:
- In-house web sites were brought back up without losing any data.
- The MailStore Exchange Server containing more than 4 million archived messages was brought online and available for users.
- CRM/Orders/Invoicing/AP/Accounts Receivables/Inventory capabilities were 100 percent functional.
- A new Palo Alto Networks 850 security appliance was set up.
- Nearly all of the desktops and laptops were being used by staff.
"A lot of what was accomplished during the initial response is nearly entirely a fog for me, but I will not soon forget the commitment each and every one of your team accomplished to give us our company back. I have utilized Progent for the past ten years, maybe more, and every time I needed help Progent has shined and delivered as promised. This time was a life saver."
A potentially company-ending catastrophe was averted through the efforts of dedicated professionals, a wide array of IT skills, and close teamwork. Forensics later showed that the ransomware attack described here could have been identified and stopped with up-to-date cyber security technology and ISO/IEC 27001 best practices, staff education, and appropriate procedures for data backup and patch management; the reality remains, however, that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by ransomware, remember that Progent's team of experts has proven experience in ransomware blocking, mitigation, and information systems disaster recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for allowing me to get some sleep after we got over the initial push. Everyone did an incredible job, and if any of your guys is in the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)