Ransomware : Your Crippling Information Technology Disaster
Crypto-ransomware has become an escalating cyberplague that poses an extinction-level danger for businesses of all sizes vulnerable to an attack. Long-running families of ransomware such as the Dharma, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been replicating for years and continue to cause harm. Newer strains like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Egregor, along with additional as-yet-unnamed newcomers, not only encrypt online files but also infiltrate most reachable system backups. Data synchronized to cloud environments can be encrypted as well. In a poorly architected system this can make automated recovery impossible and effectively set the datacenter back to square one.
Getting services and data back online after a crypto-ransomware attack becomes a sprint against the clock as the victim tries to contain the damage, remove the crypto-ransomware, and restore mission-critical operations. Since ransomware needs time to spread, intrusions are usually sprung on weekends and holidays, when successful attacks are likely to take longer to identify. This multiplies the difficulty of quickly assembling and orchestrating an experienced response team.
Progent makes available a variety of services for securing Dallas businesses from crypto-ransomware events. These include user education to become familiar with and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, in addition to installation of modern security solutions with machine learning capabilities to automatically detect and suppress zero-day cyber threats. Progent also offers the assistance of seasoned ransomware recovery consultants with the track record and commitment to reconstruct a breached system as quickly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware event, sending the ransom in Bitcoin cryptocurrency provides no assurance that distant criminals will return the keys to decrypt any or all of your data. Kaspersky Labs determined that 17% of crypto-ransomware victims never restored their data even after having paid the ransom, resulting in additional losses. The ransom itself is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far above the average crypto-ransomware demand, which ZDNET estimated to be in the range of $13,000 for small businesses. The other path is to piece the mission-critical components of your IT environment back together. Absent access to complete data backups, this calls for a broad range of skills, well-coordinated project management, and the ability to work continuously until the task is over.
For twenty years, Progent has offered certified expert IT services for businesses across the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have been awarded high-level certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have earned internationally recognized industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with accounting and ERP application software. This breadth of expertise gives Progent the skills to efficiently identify the systems that must be recovered, salvage the surviving parts of your network following a ransomware event, and assemble them into an operational network.
Progent's recovery team of experts uses best-of-breed project management tools to orchestrate the complex recovery process. Progent knows the urgency of acting swiftly and in unison with a customer's management and IT staff to prioritize tasks and to put key systems back on-line as fast as humanly possible.
Customer Story: A Successful Ransomware Penetration Restoration
A business contacted Progent after their company was crashed by the Ryuk crypto-ransomware. Ryuk is believed to have been launched by North Korean state criminal gangs, suspected of adopting algorithms leaked from the U.S. National Security Agency. Ryuk targets specific organizations with little room for operational disruption and is one of the most lucrative incarnations of ransomware. Highly publicized victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing business headquartered in Chicago with around 500 workers. The Ryuk penetration had frozen all business operations and manufacturing processes. The majority of the client's data backups had been on-line at the time of the intrusion and were encrypted. The client was pursuing financing to pay the ransom (in excess of $200K) and hoping for the best, but in the end brought in Progent.
"I cannot tell you enough about the expertise Progent gave us during the most fearful time of (our) company's existence. We may have had to pay the cybercriminals if not for the confidence the Progent group provided us. That you were able to get our messaging and critical servers back on-line faster than seven days was incredible. Every single expert I interacted with or messaged at Progent was totally committed on getting us back on-line and was working day and night on our behalf."
Progent worked hand in hand with the client to rapidly identify and prioritize the mission-critical services that needed to be recovered in order to continue company operations:
- Windows Active Directory
- Electronic Mail
To start, Progent followed industry best practices for AV/malware incident mitigation by isolating and disinfecting systems. Progent then began bringing Active Directory back online, the core of enterprise networks built on Microsoft technology. Microsoft Exchange Server email will not operate without Active Directory, and the business's MRP system used Microsoft SQL Server, which depends on Active Directory services for authentication to the database.
In less than 48 hours, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then assisted with the setup and storage recovery of essential servers. All Exchange Server data and configuration information were usable, which accelerated the restoration of Exchange. Progent was able to find local OST files (Outlook Off-Line Folder Files) on user workstations and laptops and used them to recover mail data. A recent offline backup of the client's financials/ERP systems made it possible to bring these vital applications back to users. Although a lot of work remained to recover totally from the Ryuk event, the most important services were returned to operation rapidly:
"For the most part, the production operation survived unscathed and we delivered all customer deliverables."
Throughout the following few weeks, critical milestones in the recovery project were accomplished through tight collaboration between Progent consultants and the client:
- Internal web sites were restored with no loss of data.
- The MailStore Exchange Server containing more than 4 million archived messages was restored to operations and available for users.
- CRM/Product Ordering/Invoices/Accounts Payable/AR/Inventory functions were 100 percent functional.
- A new Palo Alto Networks 850 security appliance was deployed.
- 90% of the user workstations were operational.
"So much of what went on in the initial days is mostly a blur for me, but we will not forget the countless hours all of the team accomplished to help get our business back. I've been working together with Progent for the past 10 years, maybe more, and every time I needed help Progent has come through and delivered. This situation was a testament to your capabilities."
A potential business catastrophe was avoided through the efforts of hard-working experts, a wide spectrum of subject matter expertise, and close teamwork. In hindsight, the ransomware penetration described here could have been identified and stopped with up-to-date cyber security systems and recognized best practices, user and IT administrator training, and well thought out procedures for data backup and for keeping systems current with security patches. The reality, however, is that state-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and are not going away. If you do fall victim to a ransomware incursion, remember that Progent's team of professionals has substantial experience in crypto-ransomware defense, cleanup, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were contributing), thanks very much for letting me get rested after we made it over the first week. Everyone did an amazing job, and if anyone is in the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)