Ransomware: Your Feared IT Catastrophe
Ransomware has become a too-frequent cyber pandemic that poses an existential danger for businesses of all sizes that are unprepared for an attack. Versions of crypto-ransomware such as the Reveton, WannaCry, Locky, SamSam and MongoLock cryptoworms have been running rampant for many years and continue to wreak havoc. More recent strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, plus a steady stream of as yet unnamed malware, not only encrypt online data but also compromise any accessible system protections, such as online backups. Files synchronized to cloud environments can also be ransomed. In a poorly architected data protection solution, this can render any restoration useless and effectively set the datacenter back to zero.
Getting services and data back online following a crypto-ransomware attack becomes a sprint against time as the targeted business fights to contain the damage, remove the ransomware, and restore mission-critical operations. Because ransomware needs time to move laterally, attacks are often sprung during nights and weekends, when they typically take longer to identify. This compounds the difficulty of quickly marshalling and coordinating a capable response team.
Progent provides an assortment of solutions for protecting Naples enterprises from crypto-ransomware attacks. Among these are user training to help staff recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of latest-generation security solutions with machine learning technology to intelligently detect and disable zero-day cyber attacks. Progent can also provide the services of veteran ransomware recovery professionals with the skills and commitment to restore a compromised environment as quickly as possible.
Progent's Ransomware Restoration Help
Following a crypto-ransomware attack, paying the ransom in cryptocurrency provides no assurance that merciless criminals will return the keys needed to decrypt any of your information. Kaspersky Labs ascertained that seventeen percent of ransomware victims never restored their information even after having paid the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is well above the usual crypto-ransomware demands, which ZDNET determined to be approximately $13,000 for smaller organizations. The fallback is to rebuild the critical parts of your Information Technology environment. Absent essential information backups, this calls for a wide complement of skill sets, well-coordinated project management, and the willingness to work non-stop until the recovery project is done.
For two decades, Progent has provided expert IT services for businesses throughout the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have earned top certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have garnered internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has experience in financial management and ERP application software. This breadth of expertise gives Progent the capability to knowledgeably identify the necessary systems, consolidate the remaining components of your computer network following a crypto-ransomware attack, and assemble them into an operational network.
Progent's ransomware group uses best-of-breed project management applications to orchestrate the sophisticated recovery process. Progent appreciates the urgency of working rapidly and together with a client's management and IT staff to prioritize tasks and to put key systems back online as fast as humanly possible.
Case Study: A Successful Ransomware Attack Restoration
A small business hired Progent after their organization was penetrated by Ryuk ransomware. Ryuk is thought to have been created by North Korean government-sponsored hackers, suspected of using technology leaked from the U.S. NSA. Ryuk targets specific companies that have little or no tolerance for disruption and is among the most lucrative examples of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in Chicago with about 500 staff members. The Ryuk intrusion had frozen all company operations and manufacturing capabilities. Most of the client's system backups had been online at the beginning of the intrusion and were eventually encrypted. The client was evaluating paying the ransom demand (more than $200K) and hoping for the best, but in the end reached out to Progent.
"I cannot tell you enough in regards to the care Progent gave us during the most fearful period of (our) business's survival. We had little choice but to pay the cyber criminals if not for the confidence the Progent group provided us. The fact that you could get our e-mail system and critical servers back in less than 1 week was amazing. Each expert I talked with or communicated with at Progent was absolutely committed to getting us back on-line and was working all day and night on our behalf."
Progent worked hand in hand with the client to quickly assess and prioritize the most important systems that had to be restored in order to resume departmental operations:
- Active Directory
- Accounting and Manufacturing Software
To get going, Progent followed industry best practices for anti-virus incident mitigation by stopping lateral movement and performing malware removal. Progent then started the process of restoring Active Directory, the foundation of enterprise environments built on Microsoft technology. Microsoft Exchange messaging will not operate without Active Directory, and the customer's MRP system used Microsoft SQL Server, which requires Active Directory services for access to the data.
Within 2 days, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then initiated reinstallations and storage recovery for the needed applications. All Microsoft Exchange Server schema and configuration information was usable, which facilitated the rebuild of Exchange. Progent was also able to find non-encrypted OST files (Microsoft Outlook Offline Data Files) on staff desktop computers and used them to recover mail data. A relatively recent offline backup of the client's accounting software allowed these vital programs to be brought back on-line. Although a large amount of work still had to be done to recover completely from the Ryuk event, core systems were recovered quickly:
"For the most part, the manufacturing operation showed little impact and we did not miss any customer shipments."
Throughout the following month, important milestones in the recovery process were achieved through close collaboration between Progent engineers and the client:
- In-house web sites were brought back up without losing any data.
- The MailStore Server with over four million historical emails was brought on-line and accessible to users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivables/Inventory Control modules were fully functional.
- A new Palo Alto Networks 850 security appliance was set up and programmed.
- Ninety percent of the user PCs were operational.
"Much of what was accomplished during the initial response is nearly entirely a haze for me, but we will not soon forget the care each of your team put in to help get our business back. I have entrusted Progent for the past ten years, possibly more, and every time I needed help Progent has shined and delivered. This event was no exception but maybe more Herculean."
A likely business-extinction disaster was dodged with hard-working professionals, a wide array of subject matter expertise, and tight collaboration. Although in post-mortem the ransomware attack described here could have been identified and blocked with up-to-date security technology solutions and recognized best practices, team training, and appropriate security procedures for backup and for applying software patches, the fact remains that state-sponsored cybercriminals from China, North Korea and elsewhere are tireless and are not going away. If you do get hit by ransomware, feel confident that Progent's roster of experts has extensive experience in ransomware defense, mitigation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), I'm grateful for making it so I could get some sleep after we made it past the most critical parts. Everyone did an incredible job, and if any of your guys is in the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)