Ransomware: Your Feared Information Technology Catastrophe
Ransomware has become an escalating cyber pandemic that represents an existential danger for businesses unprepared for an attack. Earlier iterations of ransomware like the Reveton, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been around for a long time and still cause damage. Modern strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, along with additional as yet unnamed malware, not only encrypt critical online data but also infect any system backups they can reach. Information replicated to the cloud can also be encrypted. On a vulnerable network, this renders automatic recovery useless and effectively knocks the entire system back to zero.
Recovering programs and information after a ransomware attack becomes a race against the clock as the victim struggles to stop lateral movement, clean up the ransomware, and resume business-critical activity. Since crypto-ransomware requires time to move laterally, attacks are often sprung during weekends and nights, when a successful penetration may take longer to uncover. This multiplies the difficulty of quickly marshalling and coordinating a knowledgeable mitigation team.
Progent provides a variety of solutions for protecting Morgan Hill organizations from ransomware penetrations. Among these are staff training to recognize and avoid phishing attempts, and ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR), which utilizes SentinelOne's AI-based cyberthreat defense to discover and extinguish zero-day malware attacks. Progent can also provide the services of seasoned crypto-ransomware recovery consultants with the track record and commitment to re-deploy a breached network as urgently as possible.
Progent's Crypto-Ransomware Restoration Services
Soon after a ransomware penetration, paying the ransom demand in cryptocurrency does not ensure that the distant criminals will return the keys needed to decrypt any or all of your files. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their data even after having paid the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC (about $120,000 to $400,000). This is significantly above the usual ransomware demand, which ZDNET determined to be approximately $13,000 for smaller businesses. The fallback is to set up the essential parts of your Information Technology environment from scratch. Without complete data backups, this requires a wide complement of skill sets, professional team management, and the capability to work non-stop until the job is finished.
For twenty years, Progent has provided certified expert Information Technology services for companies throughout the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have been awarded high-level industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have earned internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience in financial systems and ERP software solutions. This breadth of expertise gives Progent the skills to quickly understand the necessary systems, organize the surviving pieces of your IT environment following a crypto-ransomware event, and rebuild them into a functioning system.
Progent's recovery team utilizes top-notch project management tools to orchestrate the sophisticated recovery process. Progent understands the importance of working quickly and together with a customer's management and Information Technology staff to prioritize tasks and to put essential systems back online as soon as possible.
Client Story: A Successful Ransomware Attack Recovery
A small business sought out Progent after their company was attacked by Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state hackers, possibly adopting techniques leaked from America's National Security Agency. Ryuk goes after specific businesses with little ability to sustain disruption and is one of the most profitable examples of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing business based in the Chicago metro area with about 500 workers. The Ryuk event had brought down all business operations and manufacturing capabilities. The majority of the client's backups had been directly accessible from the network at the beginning of the intrusion and were destroyed. The client was pursuing financing to pay the ransom demand (exceeding $200,000) and hoping for good luck, but in the end made the decision to use Progent.
"I can't speak enough in regards to the care Progent gave us during the most stressful period of (our) business's existence. We most likely would have paid the hackers behind this attack if it wasn't for the confidence the Progent team afforded us. That you were able to get our messaging and production servers back into operation in less than 1 week was something I thought impossible. Each consultant I spoke to or messaged at Progent was absolutely committed to getting my company operational and was working 24 by 7 to bail us out."
Progent worked with the client to rapidly determine and prioritize the mission-critical applications that had to be recovered to make it possible to restart company functions:
- Active Directory (AD)
- Accounting and Manufacturing Software
To begin, Progent followed antivirus/malware incident response best practices by halting lateral movement and removing active malware. Progent then started the work of rebuilding Windows Active Directory, the core technology of enterprise networks built on Microsoft products. Exchange messaging will not function without Windows AD, and the business's financials and MRP software used Microsoft SQL Server, which relied on Active Directory for authentication and authorization to the database.
Within 48 hours, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then helped rebuild the needed servers and recover their hard drives. All Microsoft Exchange Server links and attributes in Active Directory were intact, which accelerated the rebuild of Exchange. Progent was able to gather unencrypted OST files (Outlook Offline Folder Files) from user desktop computers and laptops to recover mail data. A recent offline backup of the customer's financials/MRP software made it possible to bring these vital applications back to users. Although a large amount of work remained to recover completely from the Ryuk event, the most important systems were recovered rapidly:
"For the most part, the production operation survived unscathed and we made all customer shipments."
During the next couple of weeks, important milestones in the recovery process were completed in tight cooperation between Progent consultants and the client:
- Self-hosted web sites were brought back up with no loss of information.
- The MailStore Server containing more than four million archived emails was spun up and available for users.
- CRM/Orders/Invoices/Accounts Payable (AP)/AR/Inventory Control capabilities were completely functional.
- A new Palo Alto Networks 850 firewall was installed and configured.
- Ninety percent of the user desktops and notebooks were back in use by staff.
"Much of what was accomplished during the initial response is mostly a fog for me, but I will not soon forget the dedication all of the team accomplished to give us our business back. I've entrusted Progent for the past 10 years, maybe more, and every time Progent has impressed me and delivered. This event was a testament to your capabilities."
A probable enterprise-killing catastrophe was dodged with top-tier experts, a broad range of IT skills, and close teamwork. Although in retrospect the crypto-ransomware incident described here could have been detected and stopped with current cyber security solutions and security best practices, staff education, and well thought out procedures for data protection and keeping systems up to date with security patches, the fact is that government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to ransomware, remember that Progent's roster of professionals has proven experience in ransomware blocking, mitigation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were involved), thank you for letting me get some sleep after we made it past the initial fire. All of you made an amazing effort, and if any of your team is around the Chicago area, a great meal is my treat!"
Download the Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this customer story, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Services in Morgan Hill
For ransomware cleanup expertise in the Morgan Hill area, call Progent at 800-462-8800 or see Contact Progent.