Ransomware : Your Crippling Information Technology Catastrophe
Crypto-ransomware has become a modern cyberplague that poses an existential danger to businesses vulnerable to an assault. Different iterations of crypto-ransomware such as the CrySIS, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for many years and still cause destruction. Newer strains of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Egregor, as well as frequent unnamed newcomers, not only encrypt online data but also infiltrate any accessible system backup. Data synchronized to the cloud can also be encrypted. With a vulnerable data protection solution, this can render automatic restore operations useless and effectively knock the datacenter back to zero.
Recovering applications and information following a ransomware outage becomes a sprint against time as the targeted business tries its best to stop lateral movement, remove the ransomware, and resume mission-critical operations. Since ransomware requires time to spread, assaults are usually launched at night, when penetrations tend to take longer to detect. This compounds the difficulty of promptly marshalling and coordinating a capable response team.
Progent makes available a range of services for protecting Southfield businesses from crypto-ransomware attacks. These include user education to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and installation of the latest generation of security appliances with artificial intelligence technology to rapidly detect and extinguish zero-day cyber attacks. Progent can also provide the services of expert ransomware recovery professionals with the track record and perseverance to reconstruct a breached environment as rapidly as possible.
Progent's Crypto-Ransomware Restoration Support Services
Subsequent to a ransomware attack, paying the ransom in cryptocurrency does not ensure that cyber criminals will respond with the keys needed to decrypt any of your data. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their information even after having sent off the ransom, resulting in further losses. Paying is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the usual ransomware demands, which ZDNET determined to be in the range of $13,000 for small businesses. The alternative is to re-install the mission-critical components of your IT environment. Without access to complete system backups, this requires a wide complement of skill sets, well-coordinated project management, and the willingness to work 24x7 until the recovery project is done.
For two decades, Progent has made available certified expert Information Technology services for businesses throughout the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have been awarded high-level certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have garnered internationally-renowned industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications). Progent in addition has expertise with financial systems and ERP software solutions. This breadth of experience affords Progent the skills to rapidly understand critical systems and consolidate the remaining parts of your network environment after a crypto-ransomware penetration and assemble them into a functioning system.
Progent's ransomware team utilizes powerful project management tools to orchestrate the sophisticated recovery process. Progent knows the urgency of working quickly and in unison with a customer's management and IT team members to prioritize tasks and to get critical systems back on line as fast as possible.
Case Study: A Successful Ransomware Attack Restoration
A small business hired Progent after their organization was brought down by the Ryuk ransomware virus. Ryuk is generally considered to have been launched by North Korean state-sponsored criminal gangs, possibly adopting approaches leaked from America's NSA. Ryuk goes after specific companies with limited ability to sustain disruption and is among the most lucrative versions of ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in Chicago with around 500 workers. The Ryuk intrusion had brought down all essential operations and manufacturing capabilities. Most of the client's information backups had been online at the start of the intrusion and were encrypted. The client considered paying the ransom demand (more than two hundred thousand dollars) and praying for the best, but in the end reached out to Progent.
"I cannot say enough in regards to the support Progent provided us throughout the most fearful time of (our) business's survival. We had little choice but to pay the criminal gangs except for the confidence the Progent experts provided us. The fact that you could get our e-mail system and essential applications back online in less than a week was earth shattering. Every single person I interacted with or texted at Progent was hell-bent on getting us restored and was working 24 by 7 to bail us out."
Progent worked with the client to rapidly determine and prioritize the mission-critical services that had to be recovered in order to restart departmental operations:
- Microsoft Active Directory
- Microsoft Exchange
To get going, Progent followed antivirus incident-mitigation industry best practices by stopping the spread and removing active viruses. Progent then started the process of recovering Windows Active Directory, the core of enterprise systems built upon Microsoft technology. Microsoft Exchange email will not work without AD, and the business's MRP software relied on Microsoft SQL Server, which needs Windows AD to authenticate access to the data.
Within two days, Progent was able to restore Active Directory services to their pre-virus state. Progent then assisted with setup and storage recovery for critical applications. All Microsoft Exchange Server schema and attributes were usable, which greatly helped the restore of Exchange. Progent was able to find local OST data files (Outlook Off-Line Folder Files) on user desktop computers and laptops to recover mail data. A reasonably recent off-line backup of the client's manufacturing systems made it possible to bring these required programs back on-line. Although significant work remained to recover totally from the Ryuk event, core systems were returned to operation quickly:
"For the most part, the manufacturing operation did not miss a beat and we made all customer orders."
Throughout the next couple of weeks critical milestones in the recovery process were completed in close cooperation between Progent consultants and the customer:
- In-house web sites were returned to operation without losing any information.
- The MailStore Exchange Server, holding more than 4 million historical emails, was spun up and made available to users.
- CRM/Product Ordering/Invoices/Accounts Payable/AR/Inventory functions were 100 percent functional.
- A new Palo Alto 850 firewall was deployed.
- Ninety percent of the user desktops and notebooks were back into operation.
"A lot of what was accomplished those first few days is mostly a fog for me, but I will not soon forget the urgency each and every one of you put in to give us our company back. I've utilized Progent for at least 10 years, maybe more, and every time I needed help Progent has shined and delivered. This event was a stunning achievement."
A probable business-ending catastrophe was averted by top-tier experts, a wide range of technical expertise, and tight collaboration. Post-incident analysis showed that the crypto-ransomware penetration detailed here should have been identified and blocked with current cyber security systems, ISO/IEC 27001 best practices, team education, and well-thought-out security procedures for data protection and software patching. Nevertheless, the fact remains that government-sponsored hackers from Russia, North Korea and elsewhere are tireless and will continue. If you do fall victim to a ransomware incident, feel confident that Progent's team of experts has extensive experience in crypto-ransomware defense, remediation, and information systems recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for making it so I could get some sleep after we got past the most critical parts. All of you did an amazing effort, and if anyone that helped is around the Chicago area, a great meal is the least I can do!"
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Services in Southfield
For ransomware system restoration consulting services in the Southfield metro area, phone Progent at 800-462-8800 or see Contact Progent.