Crypto-Ransomware: Your Crippling Information Technology Nightmare
Ransomware has become an all-too-frequent cyber pandemic that presents an existential danger for organizations unprepared for an attack. Earlier ransomware families such as Reveton, Fusob, Locky, SamSam and the MongoLock cryptoworm have been running rampant for many years and continue to cause destruction. More recent variants such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit and Egregor, plus daily unnamed variants, not only encrypt online files but also encrypt any system backups they can reach. Data synchronized to cloud environments can be encrypted as well. In a poorly architected system this can make automatic restoration impossible and effectively set the network back to zero.
Getting online services and data back following a crypto-ransomware intrusion becomes a race against time as the targeted business tries to contain and clear the virus and resume business-critical activity. Because ransomware needs time to move laterally, attacks are often launched on weekends and at night, when a successful attack typically takes longer to notice. This compounds the difficulty of rapidly assembling and organizing a capable mitigation team.
Progent offers a variety of services for protecting Manaus enterprises from ransomware events. These include user education on recognizing and avoiding phishing attacks, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security solutions that use machine learning to rapidly identify and disable new threats. Progent also offers the services of veteran ransomware recovery professionals with the track record and perseverance to restore a compromised system as quickly as possible.
Progent's Ransomware Restoration Help
Following a crypto-ransomware penetration, paying the ransom in cryptocurrency does not guarantee that the criminal gang will return the keys to decrypt any or all of your data. Kaspersky estimated that 17% of ransomware victims never restored their information after paying the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the average ransomware demand, which ZDNET estimated to be around $13,000 for smaller businesses. The fallback is to set up the essential components of your IT environment from scratch. Without access to full data backups, this calls for a broad range of IT skills, well-coordinated project management, and the ability to work non-stop until the recovery project is done.
For two decades, Progent has offered certified expert Information Technology services for companies across the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have attained top certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications.) Progent also has experience with accounting and ERP software solutions. This breadth of experience allows Progent to quickly determine which systems are necessary, re-organize the surviving components of your network following a crypto-ransomware attack, and configure them into a functioning network.
Progent's recovery team uses top-notch project management tools to coordinate the complex restoration process. Progent knows the importance of working swiftly and together with a client's management and IT team members to prioritize tasks and get key applications back online as soon as humanly possible.
Client Story: A Successful Crypto-Ransomware Intrusion Recovery
A small business engaged Progent after their company was brought down by the Ryuk crypto-ransomware. Ryuk is generally considered to have been deployed by North Korean state-sponsored cybercriminals, suspected of using techniques leaked from America's National Security Agency. Ryuk targets specific companies with limited tolerance for disruption and is among the most profitable iterations of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer located in Chicago with about 500 employees. The Ryuk attack had disabled all company operations and manufacturing processes. The majority of the client's data backups had been directly accessible at the start of the intrusion and were eventually encrypted. The client was considering paying the ransom (in excess of $200K) and hoping for the best, but ultimately decided to engage Progent.
"I can't thank you enough for the support Progent provided us during the most critical time of (our) business's life. We may have had to pay the criminal gangs if it wasn't for the confidence the Progent experts afforded us. That you were able to get our e-mail and important applications back into operation in less than seven days was earth shattering. Each expert I spoke to or texted at Progent was amazingly focused on getting us back online and was working non-stop to bail us out."
Progent worked together with the client to rapidly identify and prioritize the critical systems that needed to be restored to make it possible to continue company operations:
- Active Directory
- Accounting and Manufacturing Software
To begin, Progent followed ransomware incident mitigation best practices by stopping the spread and clearing infected systems. Progent then started the process of bringing Microsoft Active Directory (AD), the heart of enterprise systems built on Microsoft technology, back online. Microsoft Exchange email will not work without AD, and the customer's MRP applications used SQL Server, which depends on Active Directory for authentication to the database.
In less than two days, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then completed the rebuild and hard drive recovery of key systems. All Exchange ties and attributes were usable, which facilitated the restore of Exchange. Progent was also able to collect intact OST data files (Microsoft Outlook Offline Folder Files) from various desktop computers to recover mail data. A recent off-line backup of the business's accounting/MRP software made it possible to make these essential services available to users again. Although a lot of work remained to recover fully from the Ryuk damage, critical services were restored quickly:
"For the most part, the manufacturing operation survived unscathed and we delivered all customer sales."
During the next month, key milestones in the restoration process were accomplished in tight collaboration between Progent consultants and the client:
- Internal web applications were restored with no loss of information.
- The MailStore Exchange Server, holding more than four million historical emails, was spun up and available to users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivable (AR)/Inventory capabilities were 100 percent recovered.
- A new Palo Alto 850 firewall was deployed.
- 90% of the user desktops and notebooks were back in use by staff.
"Much of what was accomplished that first week is nearly entirely a fog for me, but my management will not soon forget the commitment each and every one of the team put in to give us our business back. I've been working together with Progent for at least 10 years, possibly more, and every time I needed help Progent has impressed me and delivered. This event was no exception but maybe more Herculean."
A likely business disaster was avoided thanks to results-oriented professionals, a wide range of subject matter expertise, and tight teamwork. In hindsight, the ransomware attack described here could have been blocked with up-to-date cyber security systems and security best practices, staff training, and properly executed procedures for data backup and software patching. The reality, however, is that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware incursion, be confident that Progent's team of professionals has extensive experience in ransomware blocking, mitigation, and data restoration.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for making it so I could get rested after we got past the initial push. All of you did an incredible job, and if anyone that helped is in the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)