Ransomware: Your Crippling Information Technology Disaster
Ransomware has become an escalating plague that poses an existential danger to organizations unprepared for an attack. Long-running ransomware families such as CrySIS, CryptoWall, Locky, SamSam and MongoLock have circulated for years and still cause damage. Newer families such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Egregor, along with many less well-known variants, not only encrypt online data but also seek out and defeat much of the configured system protection, backups included. Data synchronized to cloud storage can be rendered useless as well, because the sync client faithfully uploads the encrypted copies. In a poorly architected environment this makes automatic restoration impossible and effectively sets the entire system back to square one.
Recovering applications and data after a crypto-ransomware attack becomes a race against the clock as the targeted organization fights to halt lateral movement, clean up the ransomware, and restore mission-critical operations. Because ransomware takes time to spread and encrypt, attacks are often launched at night, when a successful intrusion typically takes longer to notice. This compounds the difficulty of quickly mobilizing and coordinating an experienced response team.
Progent offers a range of services to protect Dallas businesses from ransomware attacks. These include training staff to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of current-generation security gateways with AI-based detection to quickly identify and contain zero-day threats. Progent also provides experienced ransomware recovery professionals with the track record and perseverance to bring a breached network back online as quickly as possible.
Progent's Crypto-Ransomware Recovery Services
After a ransomware attack, paying the ransom in Bitcoin does not guarantee that the remote criminals will hand over the keys to decrypt any of your data. Kaspersky found that 17% of ransomware victims never recovered their files even after paying, compounding their losses. Paying is also very costly: Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), well above the typical ransomware demand, which ZDNet estimated at around $13,000 for small businesses. The other path is to rebuild the essential parts of your IT environment from scratch. Without complete, uncompromised backups, this requires a broad range of skills, professional project management, and the ability to work around the clock until the job is done.
For decades, Progent has provided professional IT services to businesses across the U.S. and holds Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants with top industry certifications in foundation technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cybersecurity specialists hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with financial systems and ERP applications. This breadth of experience gives Progent the skills to identify critical systems, consolidate the surviving parts of your IT environment after a crypto-ransomware attack, and assemble them into an operational network.
Progent's recovery team uses state-of-the-art project management tools to orchestrate the complex restoration process. Progent understands the importance of working swiftly and in concert with a client's management and IT staff to prioritize tasks and bring the most important services back online as soon as humanly possible.
Client Story: A Successful Crypto-Ransomware Incident Response
A customer escalated to Progent after their organization was brought down by Ryuk crypto-ransomware. Ryuk was initially attributed to North Korean state-sponsored hackers because it shares code with the earlier Hermes ransomware, although later analysis has linked it to Russian-speaking criminal groups. Ryuk targets specific organizations with little or no tolerance for operational disruption and is among the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer located in Chicago with about 500 employees. The Ryuk intrusion had shut down all essential business operations and manufacturing capabilities. Most of the client's backups had been online when the attack began and were destroyed along with the production data. The client was actively seeking loans to pay the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but ultimately called Progent.
"I cannot tell you enough about the care Progent gave us throughout the most fearful time of (our) business's life. We would have paid the hackers if not for the confidence the Progent group gave us. That you could get our messaging and important applications back online faster than five days was something I thought impossible. Every single consultant I got help from or messaged at Progent was totally committed to getting us restored and was working all day and night on our behalf."
Progent worked hand in hand with the customer to rapidly identify and prioritize the critical services that had to be restored before business operations could resume:
- Active Directory
- Email
- MRP system
To begin, Progent followed established malware incident response practice: halt lateral movement by isolating affected systems, then clean up the infected hosts. Progent then started restoring Microsoft Active Directory, the heart of enterprise networks built on Microsoft technology. Microsoft Exchange cannot function without Active Directory, and the customer's financial and MRP software ran on SQL Server, which relied on Active Directory to authenticate users to the data.
In less than 48 hours, Progent rebuilt Active Directory to its pre-intrusion state. Progent then completed the setup and storage recovery of the most important applications. The Exchange Server schema and configuration data in Active Directory were intact, which greatly simplified the Exchange restore. Progent located unencrypted Outlook Offline Data Files (.ost) on user PCs and laptops and used them to recover email messages. A recent offline backup of the business's financial/ERP systems made it possible to bring these vital applications back online for users. Although a great deal of work remained to recover fully from the Ryuk damage, core systems were restored quickly:
"For the most part, the production line operation showed little impact and we produced all customer sales."
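The search of user PCs for usable OST caches described above can be scripted. The following is an added example written for this page, not Progent's tooling or anything from the case study. It assumes the ransomware appends a suffix to files it encrypts (the suffix list is a placeholder to adjust per incident), checks the on-disk "!BDN" signature that every Outlook PST/OST file starts with to catch files overwritten in place, and uses a constructed sample directory in place of real workstations so it runs offline.

```python
"""Triage Outlook offline cache files (.ost) after a ransomware incident.

Added example for this page, not Progent's tooling. It scans a directory
tree for OST files and classifies each as intact, renamed by the ransomware,
damaged (overwritten in place) or unreadable, so the response team knows
which caches can be used to recover mailbox contents.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

# Every PST/OST file begins with the 4-byte signature "!BDN" ([MS-PST] header).
OST_MAGIC = b"!BDN"

# Assumed extensions appended by the ransomware in play (Ryuk used ".RYK").
# This list is a placeholder for the example; adjust it per incident.
RANSOM_SUFFIXES = (".ryk", ".encrypted")


def classify_ost(path: Path) -> str:
    """Classify one candidate file by its name and by its on-disk header."""
    if path.name.lower().endswith(RANSOM_SUFFIXES):
        return "renamed"      # suffix appended: contents are encrypted
    try:
        with path.open("rb") as fh:
            header = fh.read(len(OST_MAGIC))
    except OSError:
        return "unreadable"   # missing, locked by Outlook, or no permission
    return "intact" if header == OST_MAGIC else "damaged"


def find_ost_files(root: Path):
    """Yield files whose name contains '.ost', including renamed ones."""
    for p in root.rglob("*"):
        if p.is_file() and ".ost" in p.name.lower():
            yield p


def triage(root: Path) -> dict[str, list[str]]:
    """Walk `root` and bucket every OST candidate by classification."""
    buckets = ("intact", "renamed", "damaged", "unreadable")
    report: dict[str, list[str]] = {k: [] for k in buckets}
    for p in sorted(find_ost_files(root)):
        report[classify_ost(p)].append(str(p))
    return report


def build_sample_tree(base: Path | None = None) -> Path:
    """Create a constructed, offline sample tree that mimics user profiles.

    Three synthetic files stand in for what a scan of workstations would
    find: a healthy cache, one renamed with a ransomware suffix, and one
    overwritten in place (header destroyed). None of this is real data.
    """
    root = base or Path(tempfile.mkdtemp(prefix="ost-triage-"))
    # Default OST location on Windows is %LOCALAPPDATA%\Microsoft\Outlook.
    alice = root / "alice" / "AppData" / "Local" / "Microsoft" / "Outlook"
    bob = root / "bob" / "AppData" / "Local" / "Microsoft" / "Outlook"
    alice.mkdir(parents=True, exist_ok=True)
    bob.mkdir(parents=True, exist_ok=True)
    garbage = bytes(range(256)) * 2          # deterministic non-OST content
    (alice / "alice@corp.example.ost").write_bytes(OST_MAGIC + bytes(508))
    (bob / "bob@corp.example.ost.RYK").write_bytes(garbage)
    (bob / "bob-old@corp.example.ost").write_bytes(garbage)
    return root


if __name__ == "__main__":
    for bucket, files in triage(build_sample_tree()).items():
        print(f"{bucket}: {files}")
```

A matching signature only shows that the start of the file survived; a cache that passes should still be opened in Outlook or checked with the Inbox Repair Tool (ScanPST.exe) before relying on it, and any file Outlook currently has open will report as unreadable until Outlook is closed on that PC.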
Throughout the next month key milestones in the restoration process were accomplished in tight collaboration between Progent team members and the customer:
- In-house websites were returned to operation with no loss of data.
- The MailStore Server with over four million archived emails was brought back online and made available to users.
- The CRM, product ordering, invoicing, accounts payable, accounts receivable and inventory modules were fully operational.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- 90% of the user desktops were fully operational.
"Much of what was accomplished during the initial response is mostly a blur for me, but our team will not forget the urgency each and every one of your team put in to help get our company back. I have trusted Progent for the past ten years, possibly more, and each time Progent has come through and delivered. This situation was a life saver."
A potentially company-ending catastrophe was averted by dedicated experts, a broad array of knowledge, and close teamwork. In hindsight, the incident described here could have been prevented with modern security technology and best practices, user and IT administrator training, offline or otherwise isolated backups, prompt security patching, and well designed incident response procedures. The reality, however, is that state-sponsored and criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware attack, remember that Progent's professionals have proven experience in ransomware defense, removal, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were involved), thank you for making it so I could get rested after we got past the initial fire. Everyone put in a fabulous effort, and if anyone that helped is around the Chicago area, a great meal is my treat!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Expertise in Dallas
For ransomware system restoration expertise in the Dallas area, phone Progent at 800-462-8800 or go to Contact Progent.