Ransomware: Your Worst Information Technology Nightmare
Ransomware has become a modern cyber plague that poses an enterprise-level danger to any organization unprepared for an attack. Older families such as Reveton, CryptoWall, Locky and MongoLock circulated for years and caused extensive damage. Modern ransomware such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Egregor, along with a steady stream of as yet unnamed variants, not only encrypts online data files but also destroys whatever recovery mechanisms it can reach: volume shadow copies, backup catalogs, and any backup repository accessible from the compromised network. Data replicated to off-site disaster recovery sites can be ransomed as well. In a vulnerable environment this renders automated restoration useless and effectively sets the network back to zero.
Recovering applications and data after a ransomware event is a race against time as the targeted organization works to stop lateral movement, remove the ransomware, and resume mission-critical activity. Because encrypting an entire environment takes time, attackers frequently detonate the payload at night or over a weekend, when the intrusion is less likely to be noticed quickly. This compounds the difficulty of rapidly assembling and organizing an experienced response team.
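The backup destruction described above is observable in process-creation telemetry before encryption finishes, which is why it is worth alerting on. As an added example (not code from Progent or from the original page), the following Python detector scans constructed process-creation log lines in a hypothetical key=value format for the commands Ryuk and similar families run to destroy local recovery points, such as vssadmin Delete Shadows /All /Quiet, wbadmin delete catalog and bcdedit /set {default} recoveryenabled No. The log format, host names and user names are made up for the example; the command patterns are the real ones.

```python
import re
from dataclasses import dataclass

# Commands ransomware uses to destroy local recovery points before encrypting.
# Each regex is matched case-insensitively against the full process command line.
BACKUP_TAMPER_PATTERNS = {
    "vss_delete": r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b",
    "vss_resize": r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b",
    "wmic_shadow_delete": r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b",
    "wbadmin_catalog": r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)\b",
    "bcdedit_recovery": r"\bbcdedit(?:\.exe)?\s+.*?(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
    "ps_shadowcopy": r"win32_shadowcopy\b.*?\bdelete\b",
}


@dataclass
class Alert:
    host: str
    user: str
    rule: str
    command_line: str


# Hypothetical log format (constructed for this example):
#   host=WS042 user=CORP\jdoe pid=4120 cmd="vssadmin.exe Delete Shadows /All /Quiet"
LINE_RE = re.compile(r'host=(\S+)\s+user=(\S+)\s+pid=(\d+)\s+cmd="(.*)"$')


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"host": m.group(1), "user": m.group(2),
            "pid": int(m.group(3)), "cmd": m.group(4)}


def detect(lines):
    """Return one Alert per (event, rule) match across the supplied log lines."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for rule, pattern in BACKUP_TAMPER_PATTERNS.items():
            if re.search(pattern, ev["cmd"], re.IGNORECASE):
                alerts.append(Alert(ev["host"], ev["user"], rule, ev["cmd"]))
    return alerts


def hosts_with_multiple_rules(alerts, threshold=2):
    """Hosts on which at least `threshold` distinct tamper rules fired.

    A lone 'vssadmin resize shadowstorage' is something an administrator might
    run; several different tamper commands on one host is the ransomware pattern.
    """
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= threshold)


# Constructed sample log: one workstation running the typical Ryuk pre-encryption
# sequence, one file server shrinking shadow storage, and benign activity.
SAMPLE_LOG = [
    r'host=WS042 user=CORP\jdoe pid=4120 cmd="C:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"',
    r'host=WS042 user=CORP\jdoe pid=4133 cmd="bcdedit /set {default} recoveryenabled No"',
    r'host=WS042 user=CORP\jdoe pid=4140 cmd="wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"',
    r'host=SRV-FS01 user=CORP\svc-backup pid=2210 cmd="vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=401MB"',
    r'host=WS017 user=CORP\asmith pid=980 cmd="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"',
    r'host=SRV-FS01 user=CORP\svc-backup pid=2215 cmd="vssadmin list shadows"',
    r'host=WS042 user=CORP\jdoe pid=4151 cmd="powershell.exe -nop -w hidden -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.host:10} {a.user:18} {a.rule:20} {a.command_line}")
    print("hosts showing the multi-command tamper pattern:", hosts_with_multiple_rules(found))
```

In practice the same patterns apply to Windows Security event 4688 (with command-line auditing enabled) or Sysmon event 1; the correlation step matters because the shadow-storage resize also appears in legitimate administration, whereas a host that deletes shadow copies, disables Windows recovery and wipes the backup catalog within minutes is almost certainly about to be encrypted.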
Progent offers a range of services for protecting Portland enterprises from ransomware attacks. These include staff training to recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of current-generation endpoint security solutions with machine-learning capabilities to detect and contain new attacks automatically. Progent also offers the services of expert ransomware recovery engineers with the skill and commitment to rebuild a breached network as quickly as possible.
Progent's Ransomware Recovery Services
After a ransomware event, even paying the ransom in Bitcoin does not guarantee that the criminals will hand over the keys needed to decrypt all of your data. Kaspersky Lab found that seventeen percent of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the average ransomware demand, which ZDNet estimated at around $13,000 for small organizations. The alternative is to rebuild the mission-critical components of your IT environment from scratch. Without usable backups, this requires a wide range of IT skills, first-rate project management, and the willingness to work around the clock until the job is done.
For twenty years, Progent has offered certified expert IT services to companies throughout the US and holds Microsoft Partner status with the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals with advanced certifications in key technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security specialists hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC (visit Progent's certifications). Progent also has expertise with accounting and ERP applications. This breadth of expertise allows Progent to quickly identify critical systems, salvage what remains of your IT environment after a ransomware attack, and rebuild it into an operational network.
Progent's ransomware team uses proven project management tools to coordinate the complex recovery process. Progent understands the urgency of acting swiftly and in unison with a customer's management and IT staff to prioritize tasks and bring the most important systems back online as fast as humanly possible.
Customer Case Study: A Successful Ransomware Response
A customer engaged Progent after their network was taken over by Ryuk ransomware. Early analysis linked Ryuk to the Hermes ransomware associated with North Korea's Lazarus Group, but subsequent research attributes Ryuk operations to Russian-speaking criminal groups. Ryuk targets specific companies with little or no tolerance for disruption and is one of the most profitable ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business in the Chicago metro area with about 500 employees. The Ryuk intrusion had frozen all business and manufacturing operations. Most of the client's backups had been online at the time of the attack and were encrypted along with the production data. The client was actively seeking loans to pay the ransom demand (more than $200,000) and hoping for the best, but in the end reached out to Progent.
"I cannot say enough about the help Progent provided us throughout the most fearful period of (our) company's life. We would have paid the cyber criminals except for the confidence the Progent group gave us. That you were able to get our e-mail system and essential applications back into operation quicker than a week was beyond my wildest dreams. Each consultant I talked with or e-mailed at Progent was absolutely committed to getting us back on-line and was working all day and night to bail us out."
Progent worked with the customer to rapidly identify and prioritize the systems that had to be recovered first in order to resume business functions:
- Windows Active Directory
- MRP System
First, Progent followed incident response best practices by containing the spread of the malware and disinfecting the affected systems. Progent then began restoring Active Directory, the foundation of enterprise networks built on Microsoft technology. Microsoft Exchange will not function without Active Directory, and the business's accounting and MRP applications ran on Microsoft SQL Server, which relies on Active Directory for authentication and authorization to the data.
In less than 48 hours, Progent rebuilt Active Directory to its pre-intrusion state. Progent then completed reinstallations and disk recovery on the required servers. The Exchange-related objects and attributes in Active Directory were intact, which greatly simplified the rebuild of Exchange. Progent located local OST files (Microsoft Outlook Offline Data Files) on staff desktops and used them to recover mail messages. A reasonably recent offline backup of the customer's accounting/MRP systems allowed these essential applications to be brought back online for users. Although significant work remained to recover completely from the Ryuk attack, critical services were restored quickly:
"For the most part, the manufacturing operation did not miss a beat and we did not miss any customer sales."
Over the following couple of weeks, the remaining milestones in the restoration process were completed in close cooperation between Progent engineers and the customer:
- Self-hosted web sites were returned to operation with no loss of data.
- The MailStore email archive, holding more than four million archived Exchange messages, was restored to operation and made accessible to users.
- CRM/Orders/Invoicing/Accounts Payable/AR/Inventory modules were 100% restored.
- A new Palo Alto Networks PA-850 firewall was installed.
- Nearly all user desktops and notebooks were fully operational.
"A huge amount of what occurred in the initial days is nearly entirely a haze for me, but my management will not forget the care all of your team accomplished to help get our business back. I've trusted Progent for the past 10 years, maybe more, and every time Progent has come through and delivered as promised. This situation was a testament to your capabilities."
A potential business-ending disaster was averted thanks to hard-working professionals, a broad range of IT skills, and close collaboration. In hindsight, the incident described here could have been detected and contained with modern security tooling, ISO/IEC 27001 best practices, user education, and properly executed procedures for data backup and software patching; but the fact remains that state-sponsored and criminal attackers from Russia, North Korea and elsewhere are relentless and will continue. If you are hit by a ransomware incident, you can be confident that Progent's team has extensive experience in ransomware prevention, cleanup, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for letting me get rested after we made it through the initial push. Everyone made an impressive effort, and if anyone that helped is visiting the Chicago area, dinner is the least I can do!"
Download the Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB)