Ransomware : Your Crippling Information Technology Nightmare
Crypto-ransomware has become a modern cyber pandemic that represents an extinction-level danger for businesses of all sizes vulnerable to an attack. Different iterations of ransomware like the CrySIS, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for a long time and continue to cause havoc. More recent strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, as well as additional unnamed newcomers, not only encrypt online files but also infect any accessible system restore points and backups. Files replicated to cloud environments can also be encrypted. In a poorly architected environment, this can render any recovery useless and effectively sets the network back to square one.
Getting applications and data back online following a ransomware event becomes a sprint against the clock as the victim tries its best to contain and eradicate the ransomware and to resume mission-critical operations. Since ransomware takes time to replicate, attacks are often sprung during weekends and nights, when successful penetrations may take more time to discover. This multiplies the difficulty of promptly mobilizing and coordinating an experienced response team.
Progent has a range of support services for securing Norfolk businesses from crypto-ransomware penetrations. These include team education to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of next-generation security gateways with AI technology to intelligently identify and suppress new cyber attacks. Progent in addition offers the assistance of expert ransomware recovery engineers with the talent and perseverance to rebuild a compromised network as rapidly as possible.
Progent's Ransomware Restoration Support Services
Soon after a crypto-ransomware attack, even paying the ransom demand in cryptocurrency does not provide any assurance that the cyber hackers will respond with the keys to decrypt any of your information. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their files even after having sent off the ransom, resulting in further losses. The gamble is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is greatly above the typical ransomware demand, which ZDNET determined to be approximately $13,000 for smaller businesses. The other path is to set up from scratch the essential elements of your IT environment. Absent access to complete system backups, this calls for a wide complement of skill sets, professional team management, and the willingness to work continuously until the task is done.
For decades, Progent has made available expert Information Technology services for businesses across the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have been awarded high-level certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have garnered internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications.) Progent also has expertise with financial systems and ERP applications. This breadth of experience affords Progent the capability to quickly ascertain which systems are necessary, integrate the surviving parts of your network after a ransomware attack, and configure them into an operational system.
Progent's ransomware group has state-of-the-art project management systems to orchestrate the sophisticated recovery process. Progent appreciates the importance of working swiftly and together with a client's management and IT staff to assign priority to tasks and to get key services back online as fast as humanly possible.
Customer Case Study: A Successful Ransomware Virus Recovery
A client engaged Progent after their network was attacked by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state hackers, possibly using techniques exposed from the U.S. NSA organization. Ryuk targets specific businesses with little ability to sustain operational disruption and is among the most profitable iterations of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturer located in Chicago with about 500 workers. The Ryuk attack had brought down all company operations and manufacturing processes. Most of the client's backups had been online at the start of the intrusion and were eventually encrypted. The client was taking steps to pay the ransom demand (exceeding two hundred thousand dollars) and hoping for the best, but in the end engaged Progent.
"I cannot thank you enough in regards to the help Progent provided us during the most fearful period of (our) business's survival. We would have had little choice but to pay the cyber criminals behind the attack if not for the confidence the Progent group gave us. The fact that you could get our messaging and important servers back in less than seven days was incredible. Every single expert I spoke to or communicated with at Progent was absolutely committed to getting my company operational and was working all day and night on our behalf."
Progent worked with the customer to rapidly assess and assign priority to the essential services that had to be restored to make it possible to restart company functions:
- Microsoft Active Directory
- Exchange Server
To start, Progent adhered to industry best practices for malware incident response by stopping the spread and performing malware removal steps. Progent then began the task of rebuilding Microsoft Active Directory, the heart of enterprise environments built upon Microsoft Windows Server technology. Microsoft Exchange Server email will not work without Active Directory, and the client's accounting and MRP applications used Microsoft SQL Server, which relies on Active Directory for authentication to the data.
In less than 2 days, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then performed reinstallations and storage recovery on mission-critical servers. All Microsoft Exchange Server data and configuration information were usable, which accelerated the restore of Exchange. Progent was also able to assemble non-encrypted OST data files (Microsoft Outlook Offline Folder Files) from staff PCs and laptops to recover mail messages. A recent offline backup of the business's manufacturing software made it possible to return these vital programs back online for users. Although a large amount of work needed to be completed to recover fully from the Ryuk damage, essential systems were returned to operation rapidly:
"For the most part, the production manufacturing operation showed little impact and we did not miss any customer shipments."
During the next couple of weeks, critical milestones in the recovery process were completed through tight cooperation between Progent consultants and the customer:
- Self-hosted web applications were returned to operation with no loss of data.
- The MailStore Exchange Server containing more than four million archived messages was restored to operations and accessible to users.
- CRM/Product Ordering/Invoices/AP/AR/Inventory modules were fully operational.
- A new Palo Alto 850 security appliance was set up.
- 90% of the user desktops were fully operational.
"So much of what transpired those first few days is mostly a blur for me, but my management will not soon forget the commitment all of you accomplished to help get our company back. I have entrusted Progent for the past 10 years, possibly more, and each time Progent has outperformed my expectations and delivered. This situation was a Herculean accomplishment."
A possible enterprise-killing disaster was averted through the efforts of top-tier professionals, a broad spectrum of technical expertise, and close collaboration. Although post-incident analysis showed that the ransomware penetration described here should have been stopped with current security technology and recognized best practices, staff training, and well thought out security procedures for data backup and applying software patches, the fact remains that government-sponsored cyber criminals from Russia, China and elsewhere are relentless and will continue. If you do get hit by a ransomware virus, remember that Progent's roster of professionals has extensive experience in crypto-ransomware defense, removal, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thanks very much for allowing me to get rested after we made it through the initial fire. All of you did a fabulous effort, and if anyone is around the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer story, click: Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Consulting Services in Norfolk
For ransomware cleanup expertise in the Norfolk area, call Progent at 800-462-8800 or visit Contact Progent.