Ransomware: Your Crippling Information Technology Nightmare
Crypto-ransomware has become an all-too-frequent cyberplague and an enterprise-level threat for organizations poorly prepared for an attack. Families such as Reveton, WannaCry, Bad Rabbit, SamSam and MongoLock have been around for years and continue to cause havoc (only WannaCry and Bad Rabbit are true self-propagating cryptoworms; the others arrive through phishing, exploit kits, exposed services and hands-on intrusion). Newer strains such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Egregor, plus frequent unnamed newcomers, not only encrypt on-line data but also seek out and destroy any recovery mechanism they can reach, including Volume Shadow Copies and network-attached backup repositories. Files synced to cloud storage can be encrypted as well, because the sync client faithfully replicates the encrypted versions. In a poorly designed environment this can make restore operations hopeless and effectively sets the datacenter back to zero.
Recovering programs and data after a crypto-ransomware attack is a race against time as the targeted organization fights to contain the damage, eradicate the ransomware and resume business-critical operations. Because human-operated ransomware needs time to move laterally and stage its payload, encryption is frequently triggered on weekends and at night, when successful attacks typically take longer to detect. This multiplies the difficulty of quickly assembling and organizing a qualified response team.
Progent provides a variety of services for protecting Manaus organizations against crypto-ransomware. These include user education to help staff recognize and avoid phishing attempts, and ProSight Active Security Monitoring, an endpoint detection and response (EDR) service built on SentinelOne's AI-based threat defense, to identify and contain zero-day and other modern malware attacks. Progent also offers the services of experienced ransomware recovery consultants with the skills and commitment to restore a breached network as quickly as possible.
Progent's Crypto-Ransomware Restoration Help
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the attackers will hand over working keys to decrypt all your data. Kaspersky Labs estimated that 17% of ransomware victims who paid never recovered their data, compounding their losses. Paying is also very expensive: Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), well above the typical crypto-ransomware demand, which ZDNet estimated at approximately $13,000 for small organizations. The other path is to piece back together the key components of your IT environment. Without access to intact backups, this requires a broad complement of IT skills, top-notch project management, and the ability to work continuously until the job is done.
For decades, Progent has provided certified expert IT services to companies throughout the US and holds Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have earned advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts hold internationally recognized certifications including CISA, CISSP, CRISC, and GIAC (see Progent's certifications). Progent also has expertise with accounting and ERP software solutions. This breadth of expertise allows Progent to rapidly understand important systems after a ransomware attack, consolidate the surviving parts of your IT environment, and configure them into a functioning network.
Progent's ransomware team uses proven project management tools to coordinate the complex recovery process. Progent understands the importance of acting quickly and in unison with a client's management and IT staff to prioritize tasks and bring key services back on-line as fast as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Incident Recovery
A client escalated to Progent after their network was attacked by the Ryuk ransomware. Early reports attributed Ryuk to North Korean state-sponsored actors because it shares code with the older Hermes ransomware, but later analysis attributes it to a Russian-speaking criminal group (tracked as Grim Spider, a subgroup of Wizard Spider) that typically gains initial access through Emotet or TrickBot infections. Ryuk targets specific organizations with little tolerance for operational disruption and is among the most profitable ransomware families. High-profile victims include Data Resolution, a California-based data warehousing and cloud hosting company, and the Chicago Tribune. Progent's client is a single-site manufacturing company in the Chicago metro area with around 500 employees. The Ryuk attack had shut down all company operations and manufacturing processes. Most of the client's backups had been on-line, and therefore reachable from the compromised network, when the intrusion began, and were destroyed. The client was preparing to pay the ransom demand (in excess of $200,000) and hoping for the best, but ultimately brought in Progent.
"I cannot say enough in regards to the care Progent gave us during the most fearful time of (our) business's survival. We would have paid the hackers behind this attack if it wasn't for the confidence the Progent group gave us. That you could get our e-mail system and production applications back on-line in less than one week was beyond my wildest dreams. Every single expert I talked with or texted at Progent was hell-bent on getting us back on-line and was working 24/7 on our behalf."
Progent worked with the client to quickly identify and prioritize the mission-critical elements that had to be addressed before business operations could resume:
First, Progent followed standard malware incident response practice: isolating affected hosts to stop further lateral movement and cleaning up infected systems. Progent then began restoring Microsoft Active Directory (AD), the core of enterprise networks built on Microsoft technology. Exchange email will not function without AD, and the client's financial and MRP systems ran on Microsoft SQL Server, which relied on AD for authentication and authorization to the data.
- Active Directory
In less than two days, Progent rebuilt Active Directory to its pre-intrusion state. Progent then helped set up and recover the disks of the other required servers. All Exchange schema and configuration information in AD was intact, which greatly simplified the Exchange restore. Progent was able to gather the local OST files (Outlook offline data files, which hold a cached copy of each user's mailbox) from staff PCs to recover email contents. A recent off-line backup of the company's manufacturing software made it possible to bring those vital services back to users. Although much work remained to recover fully from Ryuk, core services were restored rapidly:
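The containment step in the procedure above (isolating affected hosts so the intrusion cannot spread further) is the part a responder has to execute within minutes of discovery. The following is an added example, not Progent's procedure or code, showing emergency network isolation of a Windows host using the built-in Windows Defender Firewall cmdlets; the function name and the responder address are assumptions for illustration.

```powershell
# Added example (not from the original page): emergency isolation of a suspected-compromised
# Windows host. Every existing firewall rule is disabled, the default becomes "block" in both
# directions, and a single management path is re-opened to the incident responders' hosts so
# that forensic collection and cleanup can continue. Run in an elevated PowerShell session on
# the affected host. The function name and $ResponderHosts value are assumptions.

function Invoke-EmergencyIsolation {
    param(
        # IP address(es) of the incident-response jump hosts that may still reach this machine.
        [Parameter(Mandatory)] [string[]] $ResponderHosts
    )

    # 1. Disable every existing rule so previously allowed services (SMB 445, RDP 3389, WinRM 5985)
    #    cannot be used for further lateral movement to or from this host.
    Get-NetFirewallRule | Disable-NetFirewallRule -ErrorAction SilentlyContinue

    # 2. Turn the firewall on for every profile and make "block" the default in both directions.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block

    # 3. Re-open a management path to the responder hosts only. Restrict -LocalPort further
    #    (for example to 5985 for WinRM) if the responders need nothing else.
    New-NetFirewallRule -DisplayName 'IR-Isolation-Inbound'  -Direction Inbound  -Action Allow `
        -RemoteAddress $ResponderHosts -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName 'IR-Isolation-Outbound' -Direction Outbound -Action Allow `
        -RemoteAddress $ResponderHosts -Profile Any | Out-Null

    # 4. Return the resulting profile state so the responder can confirm isolation took effect.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
}

# Usage (the address is constructed for this example):
Invoke-EmergencyIsolation -ResponderHosts '10.10.50.5'
```

Isolating a host this way rather than powering it off preserves memory-resident evidence and keeps the machine available for investigation. Two caveats: firewall settings enforced through Group Policy override local changes, and an attacker who still holds local administrator rights can revert them, so an EDR "network quarantine" action or a switch-port or VLAN quarantine is the more robust option when available. Never apply this to a domain controller you intend to use for the Active Directory recovery, because it would cut off the replication and authentication traffic the rebuild depends on.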
"For the most part, the production line operation never missed a beat and we produced all customer sales."
Over the following couple of weeks, the critical milestones of the recovery project were achieved through close cooperation between Progent and the customer:
- In-house web applications were brought back up without loss of data.
- The MailStore email archive, holding more than 4 million historical Exchange messages, was restored to operation and made accessible to users.
- CRM, orders, invoicing, accounts payable (AP), accounts receivable (AR) and inventory functions were fully operational.
- A new Palo Alto Networks PA-850 firewall was installed.
- Ninety percent of user PCs were operational.
"Much of what went on during the initial response is nearly entirely a fog for me, but our team will not forget the urgency each and every one of the team put in to help get our company back. I have trusted Progent for the past 10 years, maybe more, and each time I needed help Progent has impressed me and delivered as promised. This event was a stunning achievement."
A likely business disaster was averted by results-oriented professionals, a broad range of expertise, and close collaboration. In retrospect, the incident described here should have been detected and blocked by up-to-date security tooling and best practices, user education, and properly executed procedures for data protection (including off-line or otherwise unreachable backups) and software patching; the reality, however, is that well-resourced ransomware operators, whether criminal groups or state-sponsored actors from China, North Korea and elsewhere, are tireless and represent an ongoing threat. If you do get hit by ransomware, you can be confident that Progent's team has extensive experience in crypto-ransomware defense, cleanup, and data recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thank you for letting me get rested after we made it past the initial fire. Everyone did a fabulous effort, and if any of your team is visiting the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Services in Manaus
For ransomware system recovery consulting services in the Manaus metro area, phone Progent at 800-462-8800 or visit Contact Progent.