Ransomware: Your Feared IT Disaster
Crypto-ransomware has become an all-too-frequent cyberplague that represents an extinction-level danger for businesses of all sizes that are unprepared for an assault. Strains of crypto-ransomware such as CryptoLocker, WannaCry, Bad Rabbit, NotPetya and the MongoLock cryptoworm have been running rampant for a long time and continue to cause damage. More recent strains such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Nephilim, plus unnamed malware appearing daily, not only encrypt online critical data but also infiltrate every system protection they can reach. Data synced to the cloud can also be corrupted. In a poorly designed system, this can render automatic restore operations useless and effectively set the datacenter back to zero.
Getting applications and data back online following a crypto-ransomware attack becomes a race against the clock as the targeted organization struggles to contain and clean up the crypto-ransomware and to restore business-critical operations. Because crypto-ransomware needs time to move laterally, attacks are frequently launched on weekends and holidays, when successful attacks are likely to take more time to detect. This compounds the difficulty of promptly mobilizing and organizing an experienced mitigation team.
Progent makes available a variety of solutions for securing Naples enterprises from ransomware events. These include team member training to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus installation of next-generation security gateways with artificial intelligence capabilities to automatically detect and extinguish new threats. Progent in addition provides the services of experienced crypto-ransomware recovery consultants with the talent and commitment to rebuild a breached system as rapidly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware event, even paying the ransom in Bitcoin cryptocurrency does not ensure that the cyber hackers will provide the codes to decrypt any of your files. Kaspersky determined that seventeen percent of ransomware victims never restored their files even after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is well above the usual crypto-ransomware demands, which ZDNET estimated to be approximately $13,000 for small organizations. The alternative is to set up the essential components of your IT environment from scratch. Without complete data backups available, this calls for a wide range of skills, well-coordinated team management, and the capability to work non-stop until the recovery project is complete.
For two decades, Progent has provided certified expert IT services for businesses across the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have attained advanced industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has experience in financial management and ERP application software. This breadth of expertise gives Progent the skills to efficiently identify the systems that are needed, re-organize the remaining components of your IT system after a crypto-ransomware event, and configure them into a functioning system.
Progent's security team utilizes top-notch project management systems to orchestrate the complicated restoration process. Progent appreciates the importance of acting quickly and in concert with a client's management and IT resources to assign priority to tasks and to get the most important systems back online as soon as possible.
Client Story: A Successful Ransomware Virus Recovery
A customer contacted Progent after their network system was attacked by Ryuk ransomware. Ryuk is thought to have been launched by North Korean government-sponsored criminal gangs, possibly adopting techniques leaked from America's National Security Agency. Ryuk attacks specific businesses with little or no room for disruption and is one of the most lucrative examples of ransomware malware. Highly publicized targets include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company based in Chicago with around 500 employees. The Ryuk penetration had disabled all company operations and manufacturing processes. Most of the client's backups had been directly accessible at the beginning of the attack and were eventually encrypted. The client was actively seeking loans to pay the ransom demand (in excess of $200K) and hoping for good luck, but ultimately turned to Progent.
"I cannot say enough about the expertise Progent gave us throughout the most critical time of (our) business's survival. We most likely would have paid the hackers behind this attack except for the confidence the Progent team provided us. That you were able to get our messaging and key applications back on-line in less than five days was amazing. Each staff member I spoke to or texted at Progent was amazingly focused on getting our company operational and was working at all hours to bail us out."
Progent worked hand in hand with the client to quickly assess and prioritize the mission-critical elements that needed to be recovered to make it possible to continue company operations:
- Microsoft Active Directory
- Microsoft Exchange Email
To start, Progent adhered to industry best practices for malware incident response by halting the spread and removing active malware. Progent then initiated the process of bringing Windows Active Directory back online, the core of enterprise systems built upon Microsoft technology. Exchange email will not function without Active Directory, and the client's financials and MRP system ran on Microsoft SQL Server, which relies on Windows AD to authorize access to the data.
In less than 2 days, Progent was able to rebuild Active Directory services to its pre-attack state. Progent then assisted with reinstallations and hard drive recovery on key applications. All Microsoft Exchange Server ties and attributes were usable, which greatly helped the rebuild of Exchange. Progent was able to find local OST files (Outlook offline data files) on user workstations to recover email messages. A fairly recent offline backup of the customer's financials/MRP systems made it possible to bring these required services back to users. Although a large amount of work remained to recover completely from the Ryuk event, critical systems were recovered rapidly:
"For the most part, the assembly line operation showed little impact and we delivered all customer orders."
Throughout the following couple of weeks, key milestones in the recovery project were accomplished through close collaboration between Progent team members and the customer:
- In-house web sites were returned to operation with no loss of information.
- The MailStore Server with over four million historical messages was spun up and accessible to users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivables/Inventory capabilities were completely operational.
- A new Palo Alto 850 firewall was deployed.
- 90% of the user desktops were fully operational.
"So much of what was accomplished in the initial days is mostly a haze for me, but our team will not forget the care all of your team accomplished to help get our company back. I've trusted Progent for the past 10 years, maybe more, and each time Progent has come through and delivered. This event was a testament to your capabilities."
A potential company-ending disaster was averted through the efforts of top-tier experts, a broad spectrum of subject matter expertise, and tight collaboration. Although forensics later showed that the ransomware incident detailed here could have been stopped with up-to-date cybersecurity solutions and security best practices, staff training, and well-designed security procedures for data protection and proper patching controls, the fact is that state-sponsored cyber criminals from Russia, China and elsewhere are relentless and an ongoing threat. If you do get hit by ransomware, remember that Progent's roster of experts has a proven track record in ransomware blocking, cleanup, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were involved), thank you for making it so I could get rested after we got through the most critical parts. All of you did a fabulous effort, and if any of your team is in the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)