Crypto-Ransomware: Your Crippling Information Technology Nightmare
Ransomware has become an all-too-frequent cyber pandemic that poses an extinction-level danger for businesses unprepared for an attack. Older ransomware and locker families such as Reveton, Fusob, Bad Rabbit, Syskey and MongoLock have been circulating for years and still inflict harm. Modern strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Conti and Egregor, along with a steady stream of as yet unnamed variants, not only encrypt online files but also attack every backup and protection mechanism they can reach, such as Volume Shadow Copies and attached backup targets. Files synchronized to cloud storage can be corrupted as well. In a vulnerable network this can make automatic restoration hopeless and effectively knocks the organization back to square one.
Restoring online services and data after a crypto-ransomware outage becomes a race against time as the victim fights to stop lateral movement, clean up the ransomware and restore mission-critical operations. Because the intrusion and lateral movement take time, attackers frequently trigger the encryption on weekends and holidays, when detection and response are slower. This multiplies the difficulty of quickly assembling and coordinating a knowledgeable response team.
Progent offers a variety of services for protecting Birmingham organizations from ransomware events. Among these are team education to help staff recognize and avoid phishing attacks, ProSight Active Security Monitoring for remote monitoring and management, and deployment of current-generation security gateways that use AI to automatically identify and block new threats. Progent can also provide expert ransomware recovery engineers with the skill and perseverance to rebuild a compromised network as quickly as possible.
Progent's Ransomware Recovery Help
After a crypto-ransomware attack, paying the ransom in cryptocurrency gives no assurance that the criminals will respond with working keys to decrypt your data. Kaspersky found that seventeen percent of crypto-ransomware victims never recovered their files even after paying the ransom, resulting in further losses. The attack is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000), far above the typical ransomware demand, which ZDNet put at around $13,000 for smaller businesses. The alternative is to rebuild the key elements of your IT environment from scratch. Without access to essential data backups, this requires a broad complement of IT skills, first-rate project management, and the willingness to work around the clock until the recovery is complete.
For two decades, Progent has provided professional IT services to companies throughout the US and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who hold high-level certifications in foundation technologies from Microsoft, Cisco, VMware, and popular Linux distributions. Progent's security consultants have earned internationally recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise with financial systems and ERP application software. This breadth of expertise gives Progent the skills to quickly understand critical systems after a crypto-ransomware intrusion, salvage the surviving parts of your network, and reassemble them into an operational whole.
Progent's security team uses best-of-breed project management systems to coordinate the complicated recovery process. Progent understands the importance of working quickly and in unison with a customer's management and IT staff to prioritize tasks and get the most important services back online as soon as humanly possible.
Customer Story: A Successful Crypto-Ransomware Attack Restoration
A small business escalated to Progent after being brought down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored hackers because of code it shares with the Hermes ransomware, though later analysis tied it to Russian-speaking criminal groups. Ryuk targets specific organizations with little tolerance for downtime and is one of the most profitable ransomware operations. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturer based in Chicago with around 500 employees. The Ryuk event had paralyzed all company operations and manufacturing. Most of the client's backups had been online at the time of the attack and were damaged. The client was considering paying the ransom (more than $200K) and hoping for the best, but ultimately called Progent.
"I cannot speak enough about the help Progent provided us during the most fearful period of (our) business's survival. We would have paid the cybercriminals if it wasn't for the confidence the Progent experts provided us. That you could get our messaging and production applications back on-line quicker than five days was beyond my wildest dreams. Each person I talked with or texted at Progent was hell bent on getting us restored and was working all day and night to bail us out."
Progent worked with the customer to quickly assess and assign priority to the most important areas that needed to be recovered in order to restart company operations:
- Windows Active Directory
To start, Progent followed ransomware incident response best practice by stopping lateral movement and removing the active malware. Progent then began restoring Microsoft Active Directory, the heart of any network built on Microsoft technology: Exchange messaging will not work without Active Directory, and the business's accounting and MRP software ran on Microsoft SQL Server, which relied on Active Directory for authentication and authorization to the data.
In less than 48 hours, Progent recovered Active Directory to its pre-intrusion state, then carried out reinstallations and disk recovery of key systems. All Exchange Server schema extensions and attributes were intact in Active Directory, which greatly helped the Exchange rebuild. Progent also located intact OST files (Outlook offline folder files) on various PCs and used them to recover mailbox data. A recent offline backup of the customer's manufacturing systems made it possible to bring those vital services back online for users. Although significant work remained to recover fully from the Ryuk event, essential services were restored quickly:
"For the most part, the production operation showed little impact and we delivered all customer deliverables."
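The OST salvage step above is the kind of triage a responder has to repeat across many PCs. As an added example that is not part of Progent's case study or tooling, the PowerShell script below inventories OST files on a list of workstations, flags which ones still begin with the OST/PST header magic "!BDN" (0x21 0x42 0x44 0x4E), and pulls the intact ones to a staging share. The computer names and the share path are placeholders, and it assumes PowerShell Remoting is enabled and the account used is a local administrator on the targets.

```powershell
# Added example; not Progent's tooling. Inventories Outlook OST files on a
# set of workstations and flags which still carry the valid OST/PST header,
# so intact copies can be pulled to an isolated staging share before rebuild.
# An intact OST/PST starts with the 4-byte magic "!BDN" (0x21 0x42 0x44 0x4E);
# a file that was encrypted in place from offset 0 will not.
# Assumptions (placeholders): PowerShell Remoting is enabled on the PCs, the
# account used is a local admin on them, and \\RECOVERY-01\ost-staging is a
# clean share that is not reachable from the compromised segment.

$computers = @('PC-ENG-01', 'PC-ENG-02', 'PC-ACCT-01')

$scan = {
    $pattern = 'C:\Users\*\AppData\Local\Microsoft\Outlook'
    Get-ChildItem -Path $pattern -Filter '*.ost' -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        # FileShare.ReadWrite so a still-running Outlook does not block the read.
        $fs = New-Object System.IO.FileStream($_.FullName, 'Open', 'Read', 'ReadWrite')
        try {
            $head = New-Object byte[] 4
            $read = $fs.Read($head, 0, 4)
        } finally {
            $fs.Dispose()
        }
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Path      = $_.FullName
            SizeMB    = [math]::Round($_.Length / 1MB, 1)
            LastWrite = $_.LastWriteTime
            Intact    = ($read -eq 4) -and ([BitConverter]::ToString($head) -eq '21-42-44-4E')
        }
    }
}

$results = Invoke-Command -ComputerName $computers -ScriptBlock $scan -ErrorAction Continue
$results | Sort-Object Intact, Computer |
    Format-Table Computer, Intact, SizeMB, LastWrite, Path -AutoSize

# Pull the intact files over the admin share (C:\... becomes \\PC\C$\...).
foreach ($r in ($results | Where-Object { $_.Intact })) {
    $dest = "\\RECOVERY-01\ost-staging\$($r.Computer)"
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    $src = "\\$($r.Computer)\$($r.Path -replace '^([A-Za-z]):', '$1$$')"
    Copy-Item -Path $src -Destination $dest
}
```

Two caveats for anyone using this pattern. The header check is fast triage, not proof: some strains encrypt only parts of large files, so open a sample in Outlook or a PST viewer before relying on it. Conversely, strains that rename what they encrypt (Ryuk appends .RYK) make encrypted OSTs vanish from the *.ost filter, so a PC that reports no files is itself a finding. Finally, an OST is bound to the Outlook profile that created it; getting mail out of an orphaned copy usually means exporting to PST from the original profile where it still exists, or running the file through a converter tool.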
Over the next couple of weeks critical milestones in the restoration project were completed in tight collaboration between Progent engineers and the customer:
- In-house web applications were brought back up without losing any information.
- The MailStore Server with over four million historical messages was spun up and accessible to users.
- CRM, product ordering, invoicing, accounts payable, accounts receivable and inventory control modules were fully functional.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- Most user PCs were back in operation.
"Much of what happened those first few days is nearly entirely a blur for me, but my team will not soon forget the urgency all of you put in to give us our business back. I've been working with Progent for the past 10 years, maybe more, and every time Progent has outperformed my expectations and delivered as promised. This event was a life saver."
A potential company-ending disaster was averted by top-tier professionals, a wide spectrum of IT skills, and tight collaboration. In retrospect, the intrusion described here should have been detected and contained with modern security technology, ISO/IEC 27001 best practices, user and IT administrator training, and sound incident response and patch management procedures. The reality, however, is that state-backed and criminal cyber gangs from Russia, North Korea and elsewhere are relentless and will keep coming. If you do fall victim to a ransomware incident, remember that Progent's team has a proven track record in crypto-ransomware blocking, cleanup, and file restoration.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), I'm grateful for making it so I could get rested after we made it past the initial push. Everyone did an impressive effort, and if anyone is around the Chicago area, dinner is my treat!"
Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)