Ransomware : Your Crippling IT Catastrophe
Ransomware has become an escalating cyber pandemic that poses an enterprise-level threat to any organization vulnerable to an attack. Multiple generations of ransomware such as the Reveton, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been around for many years and still inflict destruction. More recent variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nephilim, as well as many unnamed strains, not only encrypt on-line data files but also compromise most accessible system protection mechanisms. Data synchronized to off-site disaster recovery sites can also be corrupted. With a vulnerable data protection solution, this can render any restore operation hopeless and effectively knocks the datacenter back to zero.
Getting programs and data back online after a ransomware intrusion becomes a race against time as the targeted business fights to stop the spread, clean up the virus, and restore mission-critical operations. Because ransomware takes time to replicate, attacks are frequently launched on weekends and at night, when intrusions tend to take longer to uncover. This multiplies the difficulty of promptly mobilizing and coordinating an experienced mitigation team.
Progent provides a range of support services for protecting Portland organizations from ransomware events. Among these are team member training to recognize and avoid phishing scams, and ProSight Active Security Monitoring for endpoint detection and response, which uses SentinelOne's AI-based cyberthreat protection to detect and quarantine zero-day malware attacks. Progent can also provide veteran ransomware recovery consultants with the skills and commitment to reconstruct a compromised system as urgently as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware event, paying the ransom demand in Bitcoin cryptocurrency does not guarantee that the remote criminals will return the keys needed to decrypt any or all of your information. Kaspersky Labs found that 17% of ransomware victims never recovered their data after having paid the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the usual ransomware demand, which ZDNET determined to be approximately $13,000 for smaller businesses. The alternative is to piece back together the critical elements of your IT environment. Without access to full data backups, this calls for a wide complement of skills, well-coordinated project management, and the willingness to work non-stop until the job is complete.
For two decades, Progent has provided professional Information Technology services for companies throughout the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold top certifications in foundation technologies such as Microsoft, Cisco, VMware, and the major distributions of Linux. Progent's cybersecurity consultants have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial management and ERP application software. This breadth of experience gives Progent the ability to quickly identify the systems that are needed, re-organize the surviving parts of your Information Technology environment following a crypto-ransomware penetration, and configure them into an operational system.
Progent's ransomware team uses powerful project management systems to coordinate the complex restoration process. Progent understands the importance of acting rapidly and in unison with a customer's management and Information Technology resources to prioritize tasks and to get critical applications back on line as fast as possible.
Client Story: A Successful Crypto-Ransomware Intrusion Restoration
A client contacted Progent after their network was taken over by the Ryuk ransomware virus. Ryuk is generally considered to have been deployed by North Korean state-sponsored criminal gangs, suspected of adopting techniques leaked from the U.S. National Security Agency. Ryuk targets specific companies with little or no tolerance for operational disruption and is one of the most lucrative iterations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in Chicago with about 500 employees. The Ryuk attack had paralyzed all essential business operations and manufacturing processes. The majority of the client's data backups had been directly accessible on the network at the time of the attack and were corrupted. The client was pursuing financing to pay the ransom (in excess of $200K) and hoping for the best, but ultimately brought in Progent.
"I cannot speak enough about the care Progent gave us throughout the most stressful period of (our) business's life. We most likely would have paid the cyber criminals if it wasn't for the confidence the Progent group gave us. That you could get our messaging and production applications back quicker than a week was beyond my wildest dreams. Every single consultant I got help from or messaged at Progent was hell bent on getting our system up and was working 24/7 to bail us out."
Progent worked with the customer to quickly identify and prioritize the essential systems that had to be addressed in order to keep departmental operations running:
- Active Directory
- Accounting and Manufacturing Software
To get going, Progent followed industry best practices for malware incident mitigation by isolating and disinfecting systems. Progent then started the task of restoring Windows Active Directory, the key technology of enterprise environments built on Microsoft Windows. Exchange email will not work without AD, and the customer's accounting and MRP software relied on Microsoft SQL Server, which used Active Directory to authenticate access to the data.
Within 2 days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then pressed ahead with the configuration and storage recovery of mission-critical systems. All Exchange Server data and attributes were usable, which accelerated the restore of Exchange. Progent was able to locate unencrypted OST files (Outlook Off-Line Data Files) on various desktop computers and laptops and used them to recover mail messages. A fairly recent off-line backup of the business's accounting software made it possible to bring these vital programs back on-line. Although a lot of work remained to recover fully from the Ryuk damage, core services were returned to operation rapidly:
"For the most part, the production manufacturing operation was never shut down and we did not miss any customer orders."
Over the next few weeks, important milestones in the restoration project were reached through tight cooperation between Progent engineers and the client:
- In-house web applications were returned to operation without losing any data.
- The MailStore email archive for Microsoft Exchange Server, holding more than 4 million archived messages, was restored to operation and made accessible to users.
- CRM/Customer Orders/Invoices/AP/AR/Inventory functions were completely operational.
- A new Palo Alto 850 security appliance was deployed.
- Most of the user workstations were functioning as before the incident.
"So much of what happened in the early hours is nearly entirely a blur for me, but my management will not forget the countless hours all of you accomplished to help get our company back. I have trusted Progent for the past ten years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This event was a Herculean accomplishment."
A likely business-ending disaster was averted by hard-working experts, a wide array of knowledge, and tight teamwork. Although in retrospect the ransomware penetration described here could have been stopped with current cyber security solutions and best practices, team training, and appropriate security procedures for data backup and software patching, the fact remains that state-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware virus, remember that Progent's team of professionals has proven experience in crypto-ransomware virus blocking, removal, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), I'm grateful for allowing me to get some sleep after we made it past the most critical parts. Everyone did an impressive job, and if anyone is in the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Consulting Services in Portland
For ransomware system recovery expertise in the Portland area, call Progent at 800-462-8800 or visit Contact Progent.