Ransomware: Your Feared Information Technology Nightmare
Crypto-ransomware has become an escalating cyber pandemic that presents an enterprise-level threat to any business vulnerable to attack. Versions of crypto-ransomware such as the CryptoLocker, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been around for many years and continue to wreak havoc. Newer strains such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, plus many unnamed variants, not only encrypt online data but also encrypt any system backups they can reach. Data synched to cloud environments can also be ransomed. Where the data protection solution is vulnerable, this can make restoration impossible and effectively set the network back to zero.
Bringing services and data back online after a ransomware intrusion becomes a race against time as the targeted business tries to stop lateral movement, remove the ransomware, and restore business-critical activity. Because crypto-ransomware takes time to spread, attacks are usually launched on weekends, when a successful penetration is likely to take longer to discover. This multiplies the difficulty of quickly assembling and coordinating a qualified mitigation team.
Progent offers a variety of services for protecting Augusta-Richmond County enterprises from crypto-ransomware attacks. These include user education to help staff recognize and avoid phishing attempts, and ProSight Active Security Monitoring, an endpoint detection and response service that uses SentinelOne's behavior-based threat defense to detect and disable zero-day malware attacks. Progent also provides seasoned ransomware recovery consultants with the skill and perseverance to restore a compromised network as quickly as possible.
Progent's Ransomware Recovery Support Services
Paying the ransom demand in cryptocurrency after a crypto-ransomware event provides no assurance that the criminals will supply the keys needed to decrypt any or all of your data. Kaspersky determined that seventeen percent of ransomware victims never recovered their files even after paying the ransom, compounding their losses. The cost is also high. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical crypto-ransomware demand, which ZDNET determined to be in the range of $13,000 for smaller organizations. The alternative is to piece the vital elements of your IT environment back together. Without access to complete data backups, this requires a broad range of skill sets, well-coordinated project management, and the willingness to work around the clock until the recovery is complete.
For twenty years, Progent has offered professional IT services to businesses throughout the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who hold high-level certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists hold internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of expertise lets Progent quickly understand the systems involved, gather the surviving components of your network after a crypto-ransomware attack, and assemble them into a functioning system.
Progent's recovery team uses powerful project management tools to orchestrate the complex restoration process. Progent understands the importance of acting rapidly and in concert with a customer's management and IT staff to prioritize tasks and bring the most important systems back online as fast as possible.
Case Study: A Successful Crypto-Ransomware Virus Recovery
A customer engaged Progent after their network was taken over by Ryuk ransomware. Ryuk is believed to have been developed by North Korean state-sponsored criminal gangs, suspected of adopting techniques leaked from the United States NSA. Ryuk targets specific organizations with little or no tolerance for operational disruption and is one of the most lucrative incarnations of ransomware. High-profile victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturer based in the Chicago metro area with around 500 staff members. The Ryuk attack had frozen all essential operations and manufacturing capabilities. Most of the client's data backups had been online at the time of the attack and were eventually encrypted. The client was arranging financing to pay the ransom (in excess of $200,000) and hoping for the best, but ultimately engaged Progent instead.
"I cannot thank you enough in regards to the care Progent gave us during the most stressful time of (our) company's survival. We had little choice but to pay the cyber criminals behind the attack if not for the confidence the Progent experts provided us. That you were able to get our messaging and production applications back quicker than 1 week was something I thought impossible. Each expert I interacted with or e-mailed at Progent was hell bent on getting our system up and was working non-stop on our behalf."
Progent worked hand in hand with the customer to quickly assess and prioritize the most important services that needed to be restored in order to restart business functions:
- Active Directory (AD)
- MRP System
To begin, Progent followed industry best practices for malware incident response by isolating and cleaning infected systems. Progent then started the work of rebuilding Windows Active Directory, the foundation of enterprise networks built on Microsoft technology. Microsoft Exchange email will not function without Active Directory, and the customer's financial and MRP software ran on Microsoft SQL Server, which relies on Active Directory for authentication and authorization to the data.
Within two days, Progent had rebuilt Active Directory services to their pre-intrusion state. Progent then assisted with rebuilding critical applications and recovering their storage. All Exchange schema extensions and attributes were intact, which greatly simplified the Exchange rebuild. Progent was able to locate intact OST files (Microsoft Outlook Offline Data Files) on staff PCs to recover mail messages. A recent offline backup of the client's manufacturing software made it possible to bring these essential services back online. Although major work remained to recover fully from the Ryuk attack, core systems were restored rapidly:
"For the most part, the assembly line operation did not miss a beat and we made all customer orders."
Over the following couple of weeks, key milestones in the recovery were reached through close collaboration between Progent consultants and the customer:
- Self-hosted web sites were brought back up with no loss of data.
- The MailStore archive server for Exchange, holding more than 4 million archived emails, was brought back up and made accessible to users.
- CRM, product ordering, invoicing, accounts payable, accounts receivable (AR), and inventory control capabilities were 100% recovered.
- A new Palo Alto 850 firewall was deployed.
- Nearly all user desktops and notebooks were functioning as they had before the incident.
"So much of what went on that first week is mostly a blur for me, but my team will not soon forget the urgency each of the team accomplished to help get our business back. I've trusted Progent for at least 10 years, possibly more, and each time Progent has impressed me and delivered. This event was the most impressive ever."
A likely enterprise-killing catastrophe was averted thanks to hard-working professionals, a broad array of IT skills, and close teamwork. Forensic analysis showed that the crypto-ransomware incident described here could have been detected and prevented with up-to-date cybersecurity systems and recognized best practices, staff training, and well-planned incident response procedures for data backup and timely security patching; nevertheless, state-sponsored cybercriminals from China, North Korea and elsewhere are relentless and remain an ongoing threat. If you are hit by a crypto-ransomware incursion, you can be confident that Progent's team has substantial experience in ransomware blocking, mitigation, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were involved), thanks very much for allowing me to get rested after we got past the initial fire. All of you did an amazing job, and if anyone that helped is visiting the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To review or download a PDF version of this customer case study, see Progent's Ryuk Incident Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware Recovery Services in Augusta-Richmond County
For ransomware system recovery services in the Augusta-Richmond County area, call Progent at 800-462-8800 or go to Contact Progent.