Ransomware: Your Feared Information Technology Nightmare
Ransomware has become a modern cyberplague that presents an enterprise-level danger for businesses vulnerable to an attack. Older versions of ransomware like the Reveton, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been out in the wild for a long time and still cause harm. More recent variants like Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nephilim, along with daily as yet unnamed malware, not only encrypt on-line data files but also infiltrate any accessible system backups. Files replicated to the cloud can also be rendered useless. In a poorly designed system, this can make automated restoration hopeless and effectively knock the datacenter back to zero.
Recovering applications and information following a ransomware intrusion becomes a race against time as the targeted business tries its best to contain the damage, clean up the ransomware, and resume enterprise-critical activity. Since crypto-ransomware needs time to replicate, attacks are often launched during nights and weekends, when a successful penetration typically takes longer to identify. This compounds the difficulty of quickly marshalling and organizing a knowledgeable response team.
Progent offers a variety of services for protecting Naples businesses from ransomware penetrations. These include user training to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and installation of the latest generation of security solutions with machine learning capabilities to quickly detect and extinguish new threats. Progent also provides the assistance of experienced crypto-ransomware recovery engineers with the track record and commitment to reconstruct a breached system as rapidly as possible.
Progent's Ransomware Recovery Help
After a ransomware event, even paying the ransom in Bitcoin cryptocurrency does not guarantee that merciless criminals will respond with the keys needed to decipher any of your files. Kaspersky Labs determined that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly above the usual crypto-ransomware demands, which ZDNET determined to be approximately $13,000 for smaller organizations. The other path is to re-install the mission-critical parts of your Information Technology environment. Absent the availability of full information backups, this requires a broad complement of skill sets, professional team management, and the ability to work 24x7 until the recovery project is over.
For two decades, Progent has offered professional IT services for businesses throughout the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have attained high-level certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have garnered internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has expertise in financial systems and ERP applications. This breadth of experience gives Progent the ability to efficiently identify the systems that are needed, salvage the remaining pieces of your network environment after a crypto-ransomware penetration, and assemble them into a functioning network.
Progent's recovery team deploys best-of-breed project management systems to coordinate the sophisticated restoration process. Progent knows the importance of acting quickly and working together with a client's management and Information Technology staff to prioritize tasks and to get key services back on-line as soon as possible.
Client Case Study: A Successful Crypto-Ransomware Intrusion Response
A customer contacted Progent after their company was crashed by the Ryuk ransomware virus. Ryuk is believed to have been created by North Korean government-sponsored hackers, suspected of adopting techniques leaked from the U.S. NSA. Ryuk targets specific companies with little room for disruption and is one of the most profitable instances of ransomware malware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business located in the Chicago metro area with about 500 employees. The Ryuk event had brought down all company operations and manufacturing capabilities. Most of the client's system backups had been directly accessible at the beginning of the intrusion and were eventually encrypted. The client was preparing to pay the ransom demand (in excess of $200K) and hope for the best, but in the end engaged Progent.
"I cannot say enough about the help Progent provided us throughout the most critical time of (our) company's life. We may have had to pay the hackers behind this attack if it wasn't for the confidence the Progent team gave us. The fact that you could get our e-mail system and key servers back on-line faster than a week was beyond my wildest dreams. Each expert I worked with or communicated with at Progent was hell bent on getting us working again and was working 24/7 to bail us out."
Progent worked together with the customer to quickly assess and prioritize the mission-critical applications that had to be recovered in order to resume business operations:
- Active Directory
- Accounting and Manufacturing Software
To begin, Progent followed industry best practices for AV/malware incident mitigation by halting the spread and clearing infected systems. Progent then started the steps of bringing Active Directory back online, the core of enterprise networks built upon Microsoft technology. Exchange email will not function without Active Directory, and the business's MRP software used Microsoft SQL, which requires Active Directory services for security authorization to the databases.
Within 48 hours, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then reinstalled key applications and recovered their data from hard drives. All Exchange data and attributes were intact, which greatly helped the rebuild of Exchange. Progent was able to locate local OST files (Outlook Email Off-Line Folder Files) on staff desktop computers to recover email messages. A recent off-line backup of the customer's accounting systems made it possible to restore these required programs to service for users. Although significant work remained to recover completely from the Ryuk event, critical services were recovered quickly:
"For the most part, the production manufacturing operation showed little impact and we delivered all customer orders."
Over the following month, critical milestones in the recovery process were achieved in close cooperation between Progent team members and the customer:
- Internal web sites were restored without losing any information.
- The MailStore Microsoft Exchange Server containing more than 4 million archived emails was brought online and made available to users.
- CRM/Product Ordering/Invoicing/AP/AR/Inventory Control modules were 100 percent recovered.
- A new Palo Alto 850 firewall was set up and programmed.
- 90% of the user desktops and notebooks were operational.
"A lot of what was accomplished that first week is nearly entirely a blur for me, but our team will not soon forget the countless hours each and every one of the team put in to help get our company back. I've utilized Progent for the past ten years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This situation was no exception but maybe more Herculean."
A potentially business-ending disaster was averted due to hard-working professionals, a broad array of IT skills, and tight collaboration. Although in post-mortem analysis the ransomware incident described here could have been stopped with modern cyber security systems and recognized best practices, staff education, and appropriate procedures for data protection, software patching and incident response, the fact remains that government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a crypto-ransomware virus, feel confident that Progent's team of professionals has a proven track record in crypto-ransomware blocking, cleanup, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were involved), thank you for letting me get some sleep after we made it through the first week. Everyone did an impressive job, and if any of your team is in the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Consulting in Naples
For ransomware system restoration consulting in the Naples metro area, phone Progent at 800-462-8800 or see Contact Progent.