Ransomware: Your Crippling IT Catastrophe
Ransomware has become a modern cyberplague that poses an existential threat to businesses unprepared for an attack. Multiple generations of ransomware such as the Dharma, Fusob, Locky, NotPetya and MongoLock cryptoworms have been out in the wild for years and still inflict harm. Newer variants such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, plus daily unnamed viruses, not only encrypt on-line data but also infiltrate many configured system protection mechanisms. Information replicated to off-site disaster recovery sites can also be ransomed. In a poorly architected data protection solution, this can render automatic restore operations impossible and basically knocks the entire system back to zero.
Getting applications and information back following a ransomware outage becomes a sprint against the clock as the targeted organization struggles to stop the spread, remove the ransomware, and restore mission-critical operations. Because ransomware takes time to move laterally, assaults are frequently sprung during nights and weekends, when successful penetrations are likely to take longer to recognize. This compounds the difficulty of rapidly marshalling and orchestrating a capable mitigation team.
Progent has a range of solutions for securing Morgan Hill businesses from ransomware penetrations. Among these are staff training to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with deployment of next-generation security solutions with AI capabilities to quickly discover and quarantine new threats. Progent also can provide the assistance of seasoned crypto-ransomware recovery engineers with the skills and commitment to restore a breached environment as rapidly as possible.
Progent's Ransomware Restoration Help
Soon after a ransomware attack, paying the ransom in cryptocurrency does not guarantee that merciless criminals will provide the codes needed to decrypt any or all of your files. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their files after having paid the ransom, resulting in further losses. The risk is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the usual ransomware demands, which ZDNET determined to be in the range of $13,000 for smaller businesses. The alternative is to set up from scratch the vital components of your Information Technology environment. Without access to full system backups, this requires a wide complement of skills, professional team management, and the ability to work continuously until the job is completed.
For decades, Progent has provided expert Information Technology services for companies throughout the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have earned high-level certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have garnered internationally-renowned certifications including CISM, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent also has experience in financial management and ERP applications. This breadth of expertise gives Progent the capability to efficiently identify important systems, integrate the remaining parts of your IT system after a ransomware event, and configure them into an operational system.
Progent's recovery team deploys powerful project management tools to coordinate the complicated restoration process. Progent understands the importance of working rapidly and in unison with a client's management and Information Technology team members to assign priority to tasks and to put key services back online as soon as humanly possible.
Customer Story: A Successful Ransomware Incident Response
A customer hired Progent after their organization was crippled by the Ryuk crypto-ransomware. Ryuk is believed to have been developed by North Korean government-sponsored criminal gangs, suspected of adopting approaches exposed from the United States National Security Agency. Ryuk goes after specific organizations with little or no ability to sustain disruption and is one of the most lucrative iterations of ransomware malware. Major targets have included Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company based in the Chicago metro area with about 500 workers. The Ryuk event had disabled all business operations and manufacturing processes. Most of the client's information backups had been on-line at the time of the intrusion and were encrypted. The client considered paying the ransom (more than $200K) and praying for the best, but in the end brought in Progent.
"I cannot thank you enough for the expertise Progent gave us throughout the most stressful period of (our) company's existence. We would have paid the criminal gangs if not for the confidence the Progent experts afforded us. The fact that you could get our e-mail system and production applications back on-line quicker than one week was beyond my wildest dreams. Each consultant I spoke to or messaged at Progent was urgently focused on getting us restored and was working at breakneck pace on our behalf."
Progent worked hand in hand with the customer to quickly assess and assign priority to the critical applications that had to be addressed in order to restart company operations:
- Microsoft Active Directory
- Microsoft Exchange Server
To start, Progent followed ransomware incident response industry best practices by halting lateral movement and clearing infected systems. Progent then initiated the steps of bringing Active Directory back online, the core of enterprise environments built upon Microsoft Windows technology. Microsoft Exchange Server email will not function without Windows AD, and the customer's accounting and MRP applications leveraged SQL Server, which depends on Windows AD for authentication to the databases.
In less than 2 days, Progent was able to re-build Windows Active Directory to its pre-penetration state. Progent then performed reinstallations and hard drive recovery of essential systems. All Exchange data and attributes were usable, which greatly helped the restore of Exchange. Progent was also able to collect non-encrypted OST data files (Outlook Email Offline Data Files) on staff desktop computers and laptops in order to recover mail data. A recent off-line backup of the business's financials/MRP systems made it possible to recover these essential programs and return them to service for users. Although a lot of work remained to recover fully from the Ryuk virus, critical systems were recovered rapidly:
"For the most part, the production line operation ran fairly normal throughout and we delivered all customer sales."
Throughout the next couple of weeks, critical milestones in the recovery project were completed through tight cooperation between Progent engineers and the client:
- Self-hosted web sites were returned to operation with no loss of data.
- The MailStore Server containing more than 4 million archived messages was restored to operations and accessible to users.
- CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory Control capabilities were completely recovered.
- A new Palo Alto Networks 850 security appliance was brought on-line.
- Most of the user desktops and notebooks were back into operation.
"A huge amount of what was accomplished that first week is nearly entirely a haze for me, but my team will not soon forget the commitment all of you accomplished to help get our business back. I've trusted Progent for the past 10 years, possibly more, and each time Progent has impressed me and delivered. This event was a stunning achievement."
A likely company-ending disaster was avoided due to hard-working professionals, a wide spectrum of subject matter expertise, and tight teamwork. In hindsight, the crypto-ransomware incident detailed here should have been shut down by advanced security technology and best practices, team training, well designed incident response procedures for information protection, and keeping systems up to date with security patches. The reality, however, is that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware incident, remember that Progent's team of professionals has substantial experience in ransomware virus defense, removal, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were involved), thanks very much for making it so I could get rested after we made it over the most critical parts. Everyone did an amazing job, and if any of your guys is visiting the Chicago area, a great meal is my treat!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)