Ransomware: Your Worst IT Disaster
Crypto-ransomware has become an escalating cyber pandemic and an enterprise-level threat for any organization vulnerable to attack. Long-running ransomware families such as Dharma, CryptoWall, Locky, Syskey and MongoLock have been circulating for years and continue to inflict harm. Newer strains like Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, along with a steady stream of not-yet-named variants, not only encrypt on-line data files but also seek out and encrypt or delete any backups they can reach over the network. Files synced to cloud storage can be encrypted as well, since the sync client faithfully uploads the ciphertext. In a poorly designed data protection solution, this can render restore operations impossible and set the network back to square one.
Restoring services and data after a crypto-ransomware intrusion becomes a race against the clock as the targeted business tries to stop lateral movement, remove the malware and restore business-critical operations. Because ransomware operators need time to move laterally before detonating the encryptor, attacks are frequently launched on weekends and at night, when intrusions often take longer to notice. This compounds the difficulty of promptly mobilizing and organizing an experienced mitigation team.
Progent offers a variety of services for protecting Fort Lauderdale businesses from crypto-ransomware attacks. These include staff training to recognize and avoid phishing exploits, and ProSight Active Security Monitoring (ASM), an endpoint detection and response service built on SentinelOne's AI-based threat defense to identify and disable zero-day malware attacks. Progent can also provide experienced ransomware recovery professionals with the skills and commitment to rebuild a compromised network as urgently as possible.
Progent's Ransomware Restoration Help
After a ransomware intrusion, paying the ransom in cryptocurrency does not guarantee that the criminals will hand over working keys to decrypt any or all of your files. Kaspersky Labs found that 17% of ransomware victims never recovered their files even after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000), well above the average ransomware demand, which ZDNet put at around $13,000 for small organizations. The alternative is to piece the critical elements of your IT environment back together. Without access to complete backups, this requires a broad complement of skill sets, top-notch project management, and the willingness to work non-stop until the job is done.
For two decades, Progent has provided professional IT services to businesses across the United States and holds Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers with top industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity consultants hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with financial systems and ERP software. This breadth of experience allows Progent to rapidly understand the systems involved, salvage the surviving components of your network after a ransomware event, and rebuild them into a functioning whole.
Progent's recovery team uses project management tools to orchestrate the complex restoration process. Progent understands the urgency of acting quickly and in unison with the customer's management and IT staff to prioritize tasks and bring key applications back online as fast as possible.
Customer Case Study: A Successful Ransomware Penetration Recovery
A customer contacted Progent after their network had been taken over by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, though it is now generally attributed to a Russian-speaking criminal group; its operators have also been suspected of adopting techniques from leaked U.S. NSA tooling. Ryuk targets specific organizations with limited tolerance for operational disruption and is among the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing business in the Chicago metro area with about 500 employees. The Ryuk event had disabled all essential business and manufacturing operations. Most of the client's backups had been on-line when the attack began and were destroyed. The client was considering paying the ransom (in excess of $200K) and hoping for the best, but ultimately engaged Progent.
"I can't speak enough about the care Progent gave us throughout the most stressful time of (our) business's existence. We would have paid the Hackers if not for the confidence the Progent team afforded us. The fact that you could get our e-mail system and important applications back online sooner than 1 week was earth shattering. Each expert I interacted with or texted at Progent was amazingly focused on getting us back on-line and was working at a breakneck pace on our behalf."
Progent worked with the client to rapidly identify and prioritize the essential applications that had to be recovered before business operations could resume:
- Microsoft Active Directory
- Electronic mail
- MRP system
To begin, Progent followed incident response best practices by containing the spread and cleaning infected systems. Progent then set about restoring Microsoft Active Directory, the foundation of any network built on Windows Server. Microsoft Exchange Server will not function without Active Directory, and the business's financial and MRP applications ran on Microsoft SQL Server, which relied on Windows AD for authentication and authorization to the databases.
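The recovery order above is a dependency problem: nothing that authenticates against Active Directory can come back before AD itself, and the MRP and financial applications cannot come back before the SQL Server they run on. The following is an added example, not Progent's own tooling, that turns a declared dependency map into recovery "waves" and refuses to produce a plan if the map contains a cycle or an undeclared dependency. The service names and their dependencies are constructed to mirror the case study; the AD-integrated DNS entry is an assumption, not something the page states.

```python
"""Added example: compute a dependency-ordered recovery plan (Kahn's algorithm).

Illustrative code, not Progent's tooling. SERVICES is a constructed map of
service -> services that must be running first, modelled on the case study.
"""

# Constructed dependency map. "dns" depending on AD is an assumption
# (AD-integrated DNS); the rest follows the case study narrative.
SERVICES = {
    "active_directory": [],
    "dns": ["active_directory"],
    "exchange": ["active_directory", "dns"],
    "sql_server": ["active_directory"],
    "mrp": ["sql_server"],
    "financials": ["sql_server"],
    "web_apps": ["sql_server", "dns"],
    "mailstore": ["exchange"],
}


def recovery_waves(deps):
    """Return a list of waves (lists of service names).

    Every service in wave n depends only on services in earlier waves, so
    each wave can be restored in parallel once the previous wave is up.
    Raises ValueError for an unknown dependency or a dependency cycle:
    either means the runbook itself is wrong and must be fixed before any
    restore work starts.
    """
    for svc, needs in deps.items():
        for n in needs:
            if n not in deps:
                raise ValueError(f"{svc} depends on unknown service {n}")

    indegree = {s: len(needs) for s, needs in deps.items()}
    dependents = {s: [] for s in deps}
    for svc, needs in deps.items():
        for n in needs:
            dependents[n].append(svc)

    ready = sorted(s for s, d in indegree.items() if d == 0)
    waves = []
    placed = 0
    while ready:
        waves.append(ready)
        placed += len(ready)
        next_ready = []
        for s in ready:
            for d in dependents[s]:
                indegree[d] -= 1
                if indegree[d] == 0:
                    next_ready.append(d)
        ready = sorted(next_ready)

    if placed != len(deps):
        stuck = sorted(s for s, d in indegree.items() if d > 0)
        raise ValueError(f"dependency cycle among: {stuck}")
    return waves


if __name__ == "__main__":
    for i, wave in enumerate(recovery_waves(SERVICES), 1):
        print(f"wave {i}: {', '.join(wave)}")
```

Run stand-alone, the script prints Active Directory alone in the first wave, DNS and SQL Server in the second, Exchange and the SQL-backed applications in the third, and the MailStore archive last. Keeping the map in version control alongside the backup configuration gives the recovery team an order of operations they can check against reality before an incident rather than work out under pressure.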
In less than two days, Progent recovered Active Directory to its pre-intrusion state. Progent then assisted with reinstallations and disk recovery for essential applications. All Exchange data and attributes were intact, which simplified the Exchange restore. Progent was also able to collect unencrypted OST files (Microsoft Outlook Offline Folder Files) from user desktops and laptops to recover mailbox contents. A fairly recent offline backup of the customer's accounting systems made it possible to bring those services back online for users. Although a great deal of work remained to recover fully from the Ryuk attack, the most important systems were back in operation quickly:
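Salvaging OST files from workstations only helps if the files were not themselves encrypted, and ransomware encrypts in place, so a file that still has an .ost extension may be ciphertext. The following is an added example, not Progent's tooling, that triages a tree of collected Outlook data files before anyone attempts to import them. It relies on the documented PST/OST header from [MS-PST]: bytes 0-3 are the magic "!BDN" and bytes 8-9 are the client magic "SM"; a file without that header and with near-random content is flagged as encrypted. The sample files, the directory layout and the 7.5 bits/byte entropy threshold are all constructed for the example.

```python
"""Added example: triage collected Outlook data files (OST/PST) before import.

Illustrative code, not Progent's tooling. The header check follows the
[MS-PST] HEADER structure; the entropy threshold and sample files are
constructed for this example.
"""
import math
import os
import shutil
import tempfile
from collections import Counter

OST_MAGIC = b"!BDN"          # dwMagic, bytes 0-3 of every PST/OST file
OST_CLIENT_MAGIC = b"SM"     # wMagicClient, bytes 8-9
ENTROPY_CIPHERTEXT = 7.5     # bits/byte; assumption: above this, treat as encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; 8.0 means every byte value equally likely,
    which is what encrypted or compressed content looks like."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_outlook_file(path: str) -> dict:
    """Classify one file as 'intact', 'encrypted' or 'unknown' from its first 4 KiB."""
    with open(path, "rb") as f:
        head = f.read(4096)
    has_magic = head[:4] == OST_MAGIC and head[8:10] == OST_CLIENT_MAGIC
    entropy = shannon_entropy(head)
    if has_magic:
        verdict = "intact"        # header survived, worth attempting an import
    elif entropy > ENTROPY_CIPHERTEXT:
        verdict = "encrypted"     # no header and near-random content
    else:
        verdict = "unknown"       # truncated, or not an Outlook data file at all
    return {"path": path, "verdict": verdict, "entropy": round(entropy, 2)}


def triage_directory(root: str) -> dict:
    """Walk root and triage every .ost/.pst (case-insensitive); path -> verdict."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".ost", ".pst")):
                full = os.path.join(dirpath, name)
                results[full] = triage_outlook_file(full)["verdict"]
    return results


def build_sample_dir() -> str:
    """Constructed samples standing in for files collected from workstations."""
    root = tempfile.mkdtemp(prefix="ost_triage_")
    # Minimal valid header: magic, 4-byte CRC placeholder, client magic, padding.
    intact = OST_MAGIC + b"\x00\x00\x00\x00" + OST_CLIENT_MAGIC + b"\x00" * 4086
    # Deterministic maximum-entropy bytes standing in for ransomware output.
    ciphertext_stand_in = bytes(range(256)) * 16
    with open(os.path.join(root, "intact.ost"), "wb") as f:
        f.write(intact)
    with open(os.path.join(root, "encrypted.ost"), "wb") as f:
        f.write(ciphertext_stand_in)
    with open(os.path.join(root, "notes.pst"), "wb") as f:
        f.write(b"this is not an Outlook data file\n")
    return root


def triage_sample() -> dict:
    """Build the samples, triage them, clean up; returns basename -> verdict."""
    root = build_sample_dir()
    try:
        return {os.path.basename(p): v for p, v in triage_directory(root).items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, verdict in sorted(triage_sample().items()):
        print(f"{name}: {verdict}")
```

Point `triage_directory` at the folder where collected user profiles were copied and import only the files it reports as intact; the "unknown" bucket is worth a manual look, since a file with a damaged header may still be partially recoverable with Outlook's repair tools, while the "encrypted" bucket is not.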
"For the most part, the assembly line operation was never shut down and we made all customer orders."
Over the following couple of weeks, critical milestones in the recovery project were reached through close collaboration between Progent consultants and the client:
- In-house web applications were returned to operation with no loss of data.
- The MailStore Server archive, holding more than 4 million historical emails, was brought back online and made available to users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory Control modules were fully restored.
- A new Palo Alto Networks PA-850 firewall was deployed.
- 90% of user workstations were functioning as before the incident.
"A huge amount of what occurred that first week is mostly a blur for me, but I will not forget the commitment all of you put in to help get our company back. I have utilized Progent for at least 10 years, maybe more, and each time I needed help Progent has come through and delivered. This event was a Herculean accomplishment."
A potentially company-killing catastrophe was averted thanks to dedicated experts, a broad array of IT skills, and tight teamwork. Post-incident forensics showed that the intrusion described here would have been stopped by modern security tooling and best practices: staff training, well-designed data protection procedures (including backups kept offline or otherwise out of the attacker's reach), and keeping systems current with security patches. Even so, state-sponsored and criminal attackers from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware attack, rest assured that Progent's team has substantial experience in ransomware blocking, remediation, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), I'm grateful for making it so I could get rested after we got over the initial push. Everyone did a fabulous job, and if any of you guys are around the Chicago area, a great meal is on me!"
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Consulting in Fort Lauderdale
For ransomware recovery services in the Fort Lauderdale area, phone Progent at 800-462-8800 or go to Contact Progent.