Ransomware : Your Crippling Information Technology Nightmare
Crypto-ransomware has become a modern cyberplague that poses an enterprise-level danger to businesses of every size. Ransomware families such as CryptoLocker, Fusob, Bad Rabbit, Syskey and MongoLock have been around for years and continue to inflict havoc. Newer variants such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, along with still-unnamed newcomers, not only encrypt online data files but also attack any configured recovery mechanisms they can reach (for example Windows shadow copies and backup catalogs), so that automatic recovery becomes useless. Data synchronized to the cloud can be ransomed as well, because the encrypted files simply replace the good copies. On a vulnerable network the result is that the entire environment is knocked back to square one.
Getting applications and data back online after a ransomware outage is a race against time as the targeted organization struggles to contain and remove the ransomware and resume business-critical activity. Because crypto-ransomware needs time to spread, intrusions are often launched on weekends, when a successful attack typically takes longer to notice. This multiplies the difficulty of rapidly mobilizing and coordinating a knowledgeable response team.
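As an added example (this is not code from the original page or from Progent), the following Python detector scans constructed Windows process-creation log lines for the commands ransomware such as Ryuk runs to destroy local recovery points (shadow-copy deletion, backup-catalog deletion, disabling Windows recovery) and notes whether each hit fell on a weekend or outside business hours, the timing the passage above describes. The log line format, hostnames, user names and timestamps are assumptions made up for the example.

```python
import re
from datetime import datetime

# Constructed sample process-creation events (not real logs, not from the page).
# 2021-03-13 is a Saturday; 2021-03-15 is a Monday.
SAMPLE_EVENTS = [
    "2021-03-13T02:14:07 host=FS01 user=CORP\\svc_backup cmd=vssadmin.exe delete shadows /all /quiet",
    "2021-03-13T02:14:09 host=FS01 user=CORP\\svc_backup cmd=wbadmin.exe delete catalog -quiet",
    "2021-03-13T02:14:11 host=FS01 user=CORP\\svc_backup cmd=bcdedit.exe /set {default} recoveryenabled no",
    "2021-03-15T09:30:00 host=WS22 user=CORP\\alice cmd=vssadmin.exe list shadows",
    "2021-03-15T09:31:00 host=WS22 user=CORP\\alice cmd=notepad.exe C:\\notes.txt",
]

# Command patterns that remove or disable local recovery points. Listing or
# querying shadow copies is benign and deliberately not matched.
DESTRUCTIVE_PATTERNS = [
    (re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I), "shadow copies deleted"),
    (re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I), "shadow copies deleted"),
    (re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I), "backup catalog deleted"),
    (re.compile(r"\bbcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I), "Windows recovery disabled"),
]

# Assumed log line layout: "<ISO timestamp> host=<name> user=<name> cmd=<command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.+)$")


def parse_event(line):
    """Parse one log line into a dict, or return None if it does not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def is_off_hours(ts):
    """True on Saturday/Sunday or outside an assumed 07:00-19:00 working day."""
    return ts.weekday() >= 5 or not (7 <= ts.hour < 19)


def detect_recovery_tampering(lines):
    """Return one alert per event whose command line destroys local recovery points."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # unparseable line; a real pipeline would count these
        for pattern, reason in DESTRUCTIVE_PATTERNS:
            if pattern.search(ev["cmd"]):
                alerts.append({
                    "host": ev["host"],
                    "user": ev["user"],
                    "reason": reason,
                    "off_hours": is_off_hours(ev["ts"]),
                    "cmd": ev["cmd"],
                })
                break  # one alert per event is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_recovery_tampering(SAMPLE_EVENTS):
        flag = "OFF-HOURS" if alert["off_hours"] else "business hours"
        print(f"{alert['host']} {alert['user']} [{flag}] {alert['reason']}: {alert['cmd']}")
```

In practice these commands are rare on servers outside scheduled maintenance, so a single hit on a file server at 02:00 on a Saturday deserves immediate isolation of the host rather than a ticket for Monday morning. Backups that the malware cannot reach (offline or immutable copies) remain the only reliable defense against the case where detection fails.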
Progent offers a range of services for protecting Colorado Springs businesses from ransomware attacks. These include staff education to help employees recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and the setup and configuration of next-generation security products that use behavioral and AI-based analysis to identify and quarantine previously unseen threats. Progent can also provide veteran crypto-ransomware recovery engineers with the track record and perseverance to restore a compromised environment as rapidly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware attack, paying the ransom in cryptocurrency does not ensure that the remote criminals will hand over the keys needed to decrypt all your files. Kaspersky Lab found that seventeen percent of ransomware victims never recovered their data after paying, compounding their losses. The ransom itself is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time), well above the average crypto-ransomware demand, which ZDNet put at approximately $13,000 for small organizations. The alternative is to rebuild the essential parts of your IT environment. Without usable backups of critical data, this requires a broad complement of skills, well-coordinated team management, and the willingness to work around the clock until the recovery is complete.
For twenty years, Progent has provided certified expert IT services to companies across the United States and holds Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers holding advanced certifications in key technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's security specialists hold internationally recognized certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent also has expertise with accounting and ERP applications. This breadth of expertise gives Progent the skills to quickly identify the critical systems, salvage what remains of your network after a ransomware intrusion, and reassemble the pieces into a working environment.
Progent's recovery team uses up-to-date project management tools to orchestrate the complex restoration process. Progent understands the urgency of acting quickly and works together with the client's management and IT staff to prioritize tasks and get critical applications back online as soon as humanly possible.
Client Case Study: A Successful Ransomware Penetration Restoration
A client engaged Progent after their network was crippled by Ryuk ransomware. Early reporting linked Ryuk to North Korea because it shares code with the earlier Hermes ransomware, but it is now generally attributed to a Russian-speaking criminal group. Ryuk goes after specific businesses with little tolerance for operational disruption and is one of the most profitable strains of crypto-ransomware. Widely publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a manufacturer in the Chicago area with around 500 employees. The Ryuk attack had frozen all essential business and manufacturing operations. Most of the client's backups were online and reachable from the network when the intrusion began, and they were destroyed along with the production data. The client was arranging financing to pay the ransom (in excess of two hundred thousand dollars) and hoping for the best, but in the end decided to engage Progent.
"I cannot tell you enough in regards to the expertise Progent gave us during the most critical time of (our) company's existence. We may have had to pay the cyber criminals behind the attack if it wasn't for the confidence the Progent experts gave us. The fact that you could get our e-mail system and production servers back sooner than one week was amazing. Each person I interacted with or communicated with at Progent was totally committed to getting our system up and was working non-stop to bail us out."
Progent worked hand in hand with the customer to rapidly identify and prioritize the most important systems that had to be restored in order for departmental operations to continue:
- Windows Active Directory
- Microsoft Exchange Email
- MRP System
To begin, Progent followed standard incident-response practice by isolating affected systems to halt the spread and then cleaning up infected hosts. Progent next turned to recovering Active Directory, the heart of any network built on Microsoft Windows Server. Microsoft Exchange Server will not operate without Active Directory, and the client's financials and MRP system ran on Microsoft SQL Server, which used Active Directory (Windows authentication) to control access to the databases.
Within two days, Progent was able to recover Active Directory to its pre-intrusion state. Progent then pressed ahead with reinstallations and disk recovery on the essential servers. All Exchange data and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to collect local OST files (Outlook offline data files, the locally cached copy of each user's mailbox) from various desktops and laptops to recover email. A reasonably recent offline backup of the financials/MRP system allowed those required applications to be restored to service. Although major work remained to recover completely from the Ryuk damage, the most important services were returned to operation quickly:
"For the most part, the assembly line operation never missed a beat and we produced all customer shipments."
Over the following few weeks, the remaining milestones in the recovery were completed through close cooperation between Progent engineers and the client:
- Self-hosted web applications were returned to operation without any loss of data.
- The MailStore email archive server holding more than 4 million archived messages was brought online and made accessible to users.
- CRM, orders, invoicing, accounts payable, accounts receivable and inventory functions were fully restored.
- A new Palo Alto Networks PA-850 firewall was brought online.
- Nearly all user workstations were fully operational.
"So much of what happened those first few days is mostly a fog for me, but our team will not forget the urgency all of the team accomplished to give us our company back. I've been working together with Progent for the past 10 years, maybe more, and every time I needed help Progent has shined and delivered. This event was no exception but maybe more Herculean."
A potential business-ending catastrophe was averted through hard-working experts, a broad range of subject matter expertise, and close teamwork. In hindsight, the attack described here would likely have been detected and stopped by current security tooling and best practices, staff training, offline backups with tested restore procedures, and timely security patching. The reality, however, is that state-sponsored and criminal groups operating from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware attack, you can be confident that Progent's roster of professionals has substantial experience in ransomware defense, cleanup, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thanks very much for allowing me to get rested after we made it through the initial fire. All of you did a fabulous effort, and if anyone that helped is around the Chicago area, dinner is the least I can do!"
Download the Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)