Crypto-Ransomware: Your Crippling Information Technology Catastrophe
Ransomware has become an all-too-frequent cyberplague that poses an extinction-level threat to businesses unprepared for an assault. Iterations of ransomware such as the Reveton, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for many years and continue to inflict destruction. Newer strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, along with additional as-yet-unnamed malware, not only encrypt online data files but also infect all reachable system restore points and backups. Information synchronized to the cloud can also be encrypted. With a poorly designed data protection solution, this can render any restore operation hopeless and effectively sets the network back to zero.
Restoring programs and data after a ransomware event becomes a sprint against the clock as the targeted business tries to stop lateral movement, remove the crypto-ransomware, and resume mission-critical operations. Because ransomware needs time to spread, attacks are often sprung during nights and weekends, when a successful attack is likely to take longer to uncover. This multiplies the difficulty of promptly mobilizing and coordinating a capable response team.
Progent offers a variety of support services for securing Salt Lake City organizations against ransomware attacks. These include staff training to recognize and avoid phishing attempts, and ProSight Active Security Monitoring, an endpoint detection and response (EDR) service that uses SentinelOne's AI-based cyberthreat protection to identify and disable zero-day malware attacks. Progent also provides the services of expert crypto-ransomware recovery consultants with the skills and perseverance to restore a breached system as quickly as possible.
Progent's Ransomware Recovery Services
Following a ransomware attack, paying the ransom demand in cryptocurrency does not guarantee that the distant criminals will respond with the keys needed to decrypt any of your information. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their files after sending off the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is significantly above the usual ransomware demand, which ZDNET determined to be in the range of $13,000 for small organizations. The fallback is to piece the vital elements of your Information Technology environment back together. Without essential system backups available, this requires a broad complement of IT skills, top-notch team management, and the ability to work non-stop until the task is done.
For decades, Progent has provided professional IT services for companies throughout the U.S. and has achieved Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who hold advanced industry certifications in key technologies from Microsoft, Cisco, VMware, and the major distributions of Linux. Progent's security consultants have earned internationally recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise in financial management and ERP software solutions. This breadth of expertise gives Progent the ability to quickly understand critical systems, consolidate the surviving components of your network after a crypto-ransomware event, and assemble them into a functioning system.
Progent's recovery team uses powerful project management systems to coordinate the complex recovery process. Progent understands the urgency of acting quickly and in concert with a client's management and IT team members to prioritize tasks and to get the most important services back online as fast as possible.
Customer Story: A Successful Ransomware Attack Recovery
A customer hired Progent after their network was brought down by Ryuk ransomware. Ryuk is thought to have been created by North Korean state-sponsored criminal gangs, possibly adopting techniques leaked from America's National Security Agency. Ryuk targets specific companies with little or no ability to sustain operational disruption and is among the most lucrative instances of crypto-ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business in the Chicago metro area with about 500 employees. The Ryuk attack had brought down all company operations and manufacturing capabilities. Most of the client's data backups had been online at the start of the intrusion and were eventually encrypted. The client considered paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but in the end reached out to Progent.
"I can't speak enough in regards to the help Progent gave us throughout the most stressful period of (our) company's existence. We would have paid the hackers if not for the confidence the Progent experts afforded us. The fact that you could get our e-mail and important applications back in less than one week was beyond my wildest dreams. Every single staff member I interacted with or messaged at Progent was absolutely committed to getting us operational and was working day and night to bail us out."
Progent worked with the customer to quickly determine and prioritize the key services that needed to be recovered in order to continue departmental operations:
- Microsoft Active Directory
- Electronic Messaging
To begin, Progent followed ransomware incident mitigation industry best practices by stopping lateral movement and disinfecting systems. Progent then started recovering Microsoft Active Directory, the foundation of enterprise systems built on Microsoft Windows technology. Exchange messaging will not operate without Active Directory, and the client's financial and MRP software used SQL Server, which depends on Active Directory to authenticate users and authorize access to the data.
In less than 48 hours, Progent restored Active Directory services to their pre-attack state. Progent then reinstalled mission-critical systems and recovered their hard drives. All Exchange Server ties and configuration information were intact, which greatly helped the rebuild of Exchange. Progent located local OST files (Microsoft Outlook Offline Folder Files) on various workstations in order to recover email data. A relatively recent offline backup of the customer's accounting systems made it possible to bring these essential applications back online. Although significant work remained to recover fully from the Ryuk attack, critical services were returned to operation rapidly:
"For the most part, the production manufacturing operation was never shut down and we delivered all customer orders."
During the next month, important milestones in the restoration process were reached in tight collaboration between Progent consultants and the customer:
- In-house web sites were restored with no loss of information.
- The MailStore archive for Microsoft Exchange Server, with over 4 million archived emails, was brought online and made available to users.
- CRM/Orders/Invoicing/Accounts Payable/AR/Inventory functions were 100 percent functional.
- A new Palo Alto 850 security appliance was brought online.
- Most of the desktop computers were fully operational.
"A lot of what occurred in the early hours is nearly entirely a fog for me, but I will not soon forget the urgency each and every one of the team accomplished to give us our business back. I've entrusted Progent for the past 10 years, possibly more, and every time Progent has outperformed my expectations and delivered. This time was no exception but maybe more Herculean."
A potential business extinction disaster was averted through the efforts of top-tier professionals, a wide range of knowledge, and close collaboration. Although in retrospect the ransomware incident described here could have been identified and blocked with up-to-date cybersecurity systems and best practices, user and IT administrator training, and appropriate procedures for data protection, software patching, and incident response, the reality is that government-sponsored hackers from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a crypto-ransomware incident, remember that Progent's team of experts has substantial experience in crypto-ransomware blocking, remediation, and data disaster recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), I'm grateful for letting me get rested after we made it over the initial push. All of you did an amazing job, and if anyone is around the Chicago area, dinner is my treat!"
Download the Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Consulting in Salt Lake City
For ransomware recovery expertise in the Salt Lake City area, call Progent at 800-462-8800 or visit Contact Progent.