Ransomware : Your Crippling Information Technology Catastrophe
Ransomware has become an escalating cyber pandemic that poses an existential danger for businesses poorly prepared for an attack. Older versions of ransomware such as the Dharma, Fusob, Locky, SamSam and MongoLock cryptoworms have been circulating for years and still inflict harm. Newer strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Nephilim, as well as other as yet unnamed variants, not only encrypt online data but also compromise many configured system protection mechanisms. Data synced to off-site disaster recovery sites can also be corrupted. In a poorly architected data protection solution, this can make automatic recovery hopeless and effectively knocks the entire system back to zero.
Retrieving programs and information after a crypto-ransomware outage becomes a sprint against time as the targeted organization tries its best to contain the damage, clean up the ransomware, and resume enterprise-critical activity. Because crypto-ransomware takes time to replicate, attacks are frequently sprung during weekends and nights, when successful penetrations typically take longer to notice. This compounds the difficulty of quickly mobilizing and organizing a qualified response team.
Progent makes available a variety of solutions for securing Birmingham enterprises from ransomware penetrations. These include user training to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of modern security gateways with artificial intelligence capabilities to quickly discover and suppress zero-day cyber attacks. Progent in addition offers the services of experienced crypto-ransomware recovery professionals with the skills and commitment to restore a compromised system as soon as possible.
Progent's Crypto-Ransomware Recovery Help
After a ransomware event, even paying the ransom in Bitcoin cryptocurrency does not ensure that the cyber criminals will respond with the codes to decipher any or all of your files. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their files after having sent off the ransom, resulting in increased losses. The ransom itself is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly above the average crypto-ransomware demand, which ZDNET determined to be in the range of $13,000 for small businesses. The alternative is to set up the critical parts of your Information Technology environment from scratch. Without access to complete information backups, this requires a wide complement of skills, professional project management, and the ability to work continuously until the job is complete.
For two decades, Progent has made available professional IT services for businesses throughout the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have been awarded high-level industry certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have garnered internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience with accounting and ERP software solutions. This breadth of experience provides Progent the capability to rapidly identify important systems and consolidate the remaining pieces of your network environment following a crypto-ransomware attack and assemble them into an operational system.
Progent's ransomware team of experts deploys best-of-breed project management applications to orchestrate the complex recovery process. Progent understands the urgency of working quickly and together with a client's management and Information Technology staff to prioritize tasks and to get essential applications back online as soon as humanly possible.
Customer Case Study: A Successful Crypto-Ransomware Intrusion Response
A customer engaged Progent after their organization was brought down by the Ryuk crypto-ransomware. Ryuk is thought to have been deployed by North Korean state criminal gangs, suspected of adopting approaches exposed from America's NSA organization. Ryuk goes after specific companies with little ability to sustain disruption and is among the most lucrative instances of ransomware malware. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company based in the Chicago metro area with about 500 employees. The Ryuk attack had disabled all company operations and manufacturing processes. Most of the client's backups had been online at the beginning of the attack and were eventually encrypted. The client was pursuing financing to pay the ransom (exceeding two hundred thousand dollars) and praying for good luck, but in the end engaged Progent.
"I can't tell you enough in regards to the expertise Progent provided us during the most stressful time of (our) business's survival. We would have paid the hackers behind this attack if not for the confidence the Progent experts gave us. That you could get our messaging and essential servers back in less than one week was earth shattering. Every single expert I talked with or e-mailed at Progent was amazingly focused on getting my company operational and was working day and night to bail us out."
Progent worked with the customer to quickly understand and assign priority to the critical applications that needed to be addressed to make it possible to resume company operations:
- Windows Active Directory
- Microsoft Exchange Server
- Accounting and Manufacturing Software
To get going, Progent adhered to industry best practices for anti-virus/malware incident response by stopping the spread and cleaning systems of viruses. Progent then began the task of restoring Windows Active Directory, the core of enterprise environments built upon Microsoft technology. Microsoft Exchange email will not work without Active Directory, and the business's MRP software utilized SQL Server, which depends on Active Directory services for access to the databases.
Within 48 hours, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then charged ahead with rebuilding critical servers and recovering their hard drives. All Exchange ties and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was also able to assemble local OST files (Outlook Off-Line Data Files) from team desktop computers to recover email messages. A recent offline backup of the customer's financials/ERP systems made it possible to bring these essential applications back online for users. Although a large amount of work remained to recover fully from the Ryuk damage, the most important systems were returned to operation rapidly:
"For the most part, the production manufacturing operation never missed a beat and we did not miss any customer shipments."
Over the next few weeks key milestones in the restoration project were made in close cooperation between Progent engineers and the customer:
- In-house web sites were restored without losing any data.
- The MailStore Microsoft Exchange Server with over four million archived messages was restored to operations and available for users.
- CRM/Orders/Invoices/AP/Accounts Receivables (AR)/Inventory modules were completely operational.
- A new Palo Alto 850 security appliance was installed and configured.
- Nearly all of the user PCs were back into operation.
"So much of what occurred in the early hours is nearly entirely a blur for me, but our team will not forget the commitment all of you put in to help get our business back. I have trusted Progent for at least 10 years, possibly more, and every time Progent has come through and delivered as promised. This situation was a life saver."
A likely business-ending catastrophe was evaded with dedicated experts, a broad array of IT skills, and close collaboration. Analysis after the event showed that the ransomware incident detailed here would have been identified and stopped with up-to-date cyber security technology and recognized best practices, team training, and well designed security procedures for information backup and applying software patches. Even so, the fact is that government-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware virus, remember that Progent's team of experts has a proven track record in ransomware virus blocking, mitigation, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were helping), I'm grateful for letting me get some sleep after we got over the initial fire. All of you did an amazing job, and if any of your team is visiting the Chicago area, dinner is on me!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Expertise in Birmingham
For ransomware recovery consulting in the Birmingham metro area, call Progent at 800-462-8800 or see Contact Progent.