Ransomware: Your Worst Information Technology Catastrophe
Crypto-ransomware has become an escalating cyberplague that poses an existential danger to organizations poorly prepared for an attack. Older families such as Dharma, CryptoWall, Bad Rabbit, SamSam and MongoLock have been in the wild for years and still cause havoc. Newer strains such as Ryuk, Maze, Sodinokibi, NetWalker, Conti and Nephilim, along with new and as yet unnamed variants appearing daily, not only encrypt production data but also encrypt any backups reachable from the compromised network. Files synced to off-site disaster recovery sites can be encrypted as well. When the backup design leaves copies reachable from production, this makes recovery from backup impossible and effectively knocks the entire environment back to square one.
Recovering applications and data after a ransomware attack becomes a sprint against time as the victim works to contain the spread, clean up the malware, and restore business-critical operations. Because the operators need time to move laterally and stage the encryption, the final payload is often detonated at night or on weekends, when the intrusion takes longer to notice. This multiplies the difficulty of quickly mobilizing and coordinating a capable response team.
Progent offers an assortment of support services for protecting Sandy Springs businesses from ransomware attacks. Among these are staff education to help recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security appliances with AI-based detection to rapidly identify and quarantine zero-day threats. Progent can also provide expert ransomware recovery professionals with the track record and commitment to rebuild a compromised environment as quickly as possible.
Progent's Crypto-Ransomware Recovery Services
After a ransomware attack, paying the ransom in Bitcoin does not guarantee that the criminal gang will hand over working keys to decrypt your data. Kaspersky found that seventeen percent of ransomware victims who paid never recovered their data, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time). This is far above the typical ransomware demand, which ZDNet reported to be approximately $13,000 for smaller organizations. The alternative is to rebuild the mission-critical elements of your IT environment. Without access to complete backups, this requires a broad range of skills, professional project management, and the willingness to work non-stop until the job is done.
For decades, Progent has provided professional IT services to companies throughout the US and holds Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have earned top industry certifications in key technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security engineers hold internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience with financial systems and ERP applications. This breadth of expertise gives Progent the skills to rapidly identify critical systems, gather the surviving pieces of your IT environment after a crypto-ransomware event, and rebuild them into a functioning network.
Progent's ransomware team uses best-of-breed project management tools to coordinate the complex restoration process. Progent understands the urgency of working quickly and together with a customer's management and IT staff to prioritize tasks and get key applications back online as soon as humanly possible.
Case Study: A Successful Ransomware Incident Recovery
A customer hired Progent after their organization was brought down by the Ryuk ransomware. Early reporting linked Ryuk to North Korea because of code it shares with the Hermes ransomware, but later analysis attributed its operation to a Russian-speaking criminal group. Ryuk targets organizations with little tolerance for downtime and is among the most profitable ransomware strains. Highly publicized victims include Data Resolution, a California-based data center and cloud hosting provider, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in Chicago with about 500 employees. The Ryuk attack had brought down all business operations and manufacturing processes. Most of the client's backups were online and reachable from the network at the time of the attack and were encrypted along with the production data. The client considered paying the ransom (more than $200K) and hoping for the best, but in the end brought in Progent.
"I can't thank you enough for the help Progent gave us throughout the most fearful period of (our) business's survival. We most likely would have paid the cyber criminals behind the attack except for the confidence the Progent group afforded us. The fact that you could get our e-mail and critical applications back sooner than seven days was amazing. Each consultant I talked with or messaged at Progent was hell-bent on getting us operational and was working non-stop on our behalf."
Progent worked hand in hand with the customer to rapidly identify and prioritize the essential applications that had to be brought back to allow business operations to continue:
- Active Directory (AD)
- Electronic Mail
- MRP System
To get going, Progent followed ransomware incident response best practices by containing lateral movement and cleaning infected systems. Progent then began recovering Microsoft Active Directory, the foundation of enterprise networks built on Windows Server. Microsoft Exchange Server will not operate without Active Directory, and the client's MRP system ran on SQL Server, which depended on Active Directory for authenticated access to its data.
Within 48 hours, Progent rebuilt Active Directory to its pre-intrusion state. Progent then completed reinstallation and storage recovery of the most important servers. Exchange's configuration and connections were intact, which accelerated the restoration of Exchange. Progent was also able to collect unencrypted OST files (Outlook offline data files) from staff workstations and laptops to recover mailbox contents. A recent offline backup of the business's manufacturing software made it possible to bring these essential applications back online. Although a large amount of work remained to recover fully from the Ryuk damage, the most important systems were restored quickly:
"For the most part, the production operation survived unscathed and we made all customer orders."
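Salvaging Outlook OST files from endpoints, as described above, only works for files the ransomware did not reach. The following triage script is an added example written for this page, not Progent's tooling: it walks a collection of workstation folders (or mounted images), picks out Outlook data files, and distinguishes intact copies from encrypted ones by checking the `!BDN` signature that every OST and PST file carries in its first four bytes (a file overwritten by ransomware no longer starts with it). Intact files are copied into a collection share with the source folder prefixed to avoid name collisions between users. The folder layout, the `.RYK` extension, and the file contents are all constructed sample data.

```python
"""Triage Outlook OST/PST files salvaged from workstations after a
ransomware event. Example code added to this page; not Progent's tooling."""
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Outlook data files (OST and PST, ANSI or Unicode format) begin with the four
# bytes "!BDN". A file whose contents were encrypted by ransomware no longer
# starts with this signature, so the header alone separates the two cases.
OUTLOOK_MAGIC = b"!BDN"
OUTLOOK_EXTS = {".ost", ".pst"}


def classify_outlook_file(path: Path) -> str:
    """Return 'intact', 'encrypted', or 'empty' for one candidate file."""
    with open(path, "rb") as f:
        head = f.read(len(OUTLOOK_MAGIC))
    if len(head) < len(OUTLOOK_MAGIC):
        return "empty"          # zero-length or truncated: nothing to salvage
    return "intact" if head == OUTLOOK_MAGIC else "encrypted"


def is_candidate(path: Path) -> bool:
    """Match .ost/.pst files, including ones the ransomware renamed by appending
    its own extension (e.g. outlook.ost.RYK); any suffix in the chain counts."""
    return any(s.lower() in OUTLOOK_EXTS for s in path.suffixes)


def triage(root: Path, dest: Optional[Path] = None) -> Dict[str, List[Path]]:
    """Walk root, classify every Outlook data file found, and copy the intact
    ones into dest (if given). Returns lists of paths keyed by classification."""
    results: Dict[str, List[Path]] = {"intact": [], "encrypted": [], "empty": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if not is_candidate(p):
                continue
            kind = classify_outlook_file(p)
            results[kind].append(p)
            if kind == "intact" and dest is not None:
                dest.mkdir(parents=True, exist_ok=True)
                # Prefix the source folder (e.g. the workstation name) so two
                # users' outlook.ost files do not overwrite each other.
                shutil.copy2(p, dest / f"{p.parent.name}__{p.name}")
    return results


def build_sample_tree(base: Path) -> Path:
    """Constructed sample data, not real victim files: two workstation folders."""
    ws = base / "workstations"
    (ws / "PC01").mkdir(parents=True)
    (ws / "PC02").mkdir(parents=True)
    # Intact OST: correct signature followed by filler bytes.
    (ws / "PC01" / "outlook.ost").write_bytes(OUTLOOK_MAGIC + b"\x00" * 1020)
    # OST encrypted and renamed by the ransomware: header overwritten.
    # (Deterministic stand-in for ciphertext; it does not start with "!BDN".)
    (ws / "PC02" / "outlook.ost.RYK").write_bytes(bytes(range(256)) * 4)
    # Zero-length file left behind: nothing to salvage.
    (ws / "PC02" / "archive.pst").write_bytes(b"")
    # Unrelated file that must be ignored.
    (ws / "PC01" / "notes.txt").write_bytes(b"not a mailbox")
    return ws


def demo() -> Dict[str, List[str]]:
    """Run the triage over the constructed tree; returns file names per class."""
    base = Path(tempfile.mkdtemp(prefix="ost-triage-"))
    ws = build_sample_tree(base)
    res = triage(ws, base / "collected")
    return {
        "intact": sorted(p.name for p in res["intact"]),
        "encrypted": sorted(p.name for p in res["encrypted"]),
        "empty": sorted(p.name for p in res["empty"]),
        "collected": sorted(p.name for p in (base / "collected").iterdir()),
    }


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Run it against a real collection by calling `triage(Path(r"\\recovery\workstations"), Path(r"\\recovery\collected"))` from an account that can read the endpoint images; the header check is cheap enough to run over thousands of files before any OST is opened in Outlook.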
Over the following few weeks, critical milestones in the recovery were reached in close cooperation between Progent's team and the client:
- Self-hosted web sites were returned to operation with no loss of data.
- The MailStore email archive, holding more than 4 million historical messages, was brought back up and made accessible to users.
- The CRM, Customer Orders, Invoices, Accounts Payable, Accounts Receivable and Inventory modules were fully restored.
- A new Palo Alto Networks PA-850 firewall was deployed.
- Nearly all desktops and laptops were back in use by staff.
"So much of what went on in the initial days is nearly entirely a fog for me, but our team will not forget the commitment all of the team put in to help get our business back. I have entrusted Progent for the past 10 years, possibly more, and each time I needed help Progent has shined and delivered as promised. This situation was the most impressive ever."
A potentially business-ending catastrophe was averted through top-tier professionals, a wide array of subject matter expertise, and tight collaboration. In hindsight, the crypto-ransomware attack described here should have been stopped by modern security controls and best practices, staff training, tested backup and incident response procedures, and keeping systems current with security patches. The reality remains that ransomware operators, whether state-sponsored groups from China, Russia, North Korea and elsewhere or criminal gangs, are relentless and will keep attacking. If you are hit by crypto-ransomware, Progent's team of experts has proven experience in ransomware containment, removal, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were helping), thank you for making it so I could get rested after we got through the most critical parts. All of you did a fabulous effort, and if anyone is visiting the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)