Ransomware : Your Feared Information Technology Disaster
Ransomware has become a modern cyber pandemic that represents an extinction-level danger for organizations poorly prepared for an attack. Multiple generations of crypto-ransomware such as the CrySIS, Fusob, Locky, Syskey and MongoLock cryptoworms have been around for a long time and continue to cause havoc. Modern variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Nephilim, along with additional unnamed malware, not only encrypt online data but also compromise many configured system protections. Files synced to cloud environments can also be encrypted. Where the data protection solution is vulnerable, this can render automated restore operations impossible and effectively set the entire system back to zero.
Restoring services and information following a ransomware event becomes a sprint against time as the victim fights to contain the damage, eradicate the crypto-ransomware, and restore enterprise-critical activity. Since ransomware takes time to replicate, attacks are frequently launched at night, when they often take longer to discover. This multiplies the difficulty of rapidly marshalling and orchestrating an experienced response team.
Progent offers an assortment of support services for securing Des Moines enterprises against ransomware events. These include team training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and installation of next-generation security gateways with artificial intelligence technology to automatically identify and extinguish zero-day cyber attacks. Progent also provides the assistance of seasoned ransomware recovery professionals with the talent and perseverance to re-deploy a breached system as quickly as possible.
Progent's Ransomware Recovery Services
After a crypto-ransomware event, paying the ransom demand in cryptocurrency does not guarantee that the cyber criminals will return the keys needed to decrypt all your data. Kaspersky Labs determined that seventeen percent of crypto-ransomware victims never recovered their information even after paying the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the average ransomware demand, which ZDNET determined to be in the range of $13,000 for small businesses. The other path is to re-install the key parts of your Information Technology environment. Without access to full information backups, this calls for a broad complement of IT skills, well-coordinated project management, and the willingness to work 24x7 until the recovery project is complete.
For two decades, Progent has provided expert Information Technology services for businesses throughout the U.S. and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have attained high-level industry certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have earned internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with financial management and ERP application software. This breadth of experience gives Progent the skills to quickly identify critical systems, integrate the remaining parts of your Information Technology environment after a crypto-ransomware event, and rebuild them into an operational network.
Progent's ransomware group uses best-of-breed project management applications to orchestrate the sophisticated recovery process. Progent understands the urgency of working swiftly and together with a customer's management and Information Technology resources to prioritize tasks and to get critical systems back online as fast as humanly possible.
Customer Case Study: A Successful Ransomware Attack Restoration
A small business sought out Progent after their organization was brought down by Ryuk ransomware. Ryuk is thought to have been launched by North Korean state hackers, possibly adopting strategies leaked from the U.S. NSA. Ryuk targets specific organizations with limited tolerance for operational disruption and is one of the most profitable versions of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business located in Chicago with about 500 staff members. The Ryuk attack had disabled all essential operations and manufacturing capabilities. The majority of the client's backups had been directly accessible at the beginning of the attack and were destroyed. The client was pursuing financing to pay the ransom (more than $200K) and hoping for good luck, but in the end brought in Progent.
"I cannot speak enough about the expertise Progent provided us during the most critical period of (our) business's life. We would have had little choice but to pay the cyber criminals if it wasn't for the confidence the Progent team gave us. The fact that you were able to get our e-mail system and production applications back into operation in less than 1 week was incredible. Every single expert I spoke to or e-mailed at Progent was urgently focused on getting us back online and was working day and night on our behalf."
Progent worked with the client to quickly identify and prioritize the key elements that had to be restored in order to continue business operations:
To get going, Progent followed ransomware incident response best practices by isolating affected systems and performing malware removal steps. Progent then began rebuilding Microsoft Active Directory (AD), the foundation of enterprise systems built on Microsoft Windows technology. Microsoft Exchange messaging will not operate without Windows AD, and the customer's financial and MRP software used Microsoft SQL Server, which relies on Windows AD to authorize access to the databases.
- Microsoft Active Directory
Within two days, Progent was able to recover Active Directory services to their pre-attack state. Progent then performed setup and storage recovery of the needed applications. All Microsoft Exchange Server schema and attributes were intact, which greatly helped the rebuild of Exchange. Progent was able to find intact OST files (Outlook Offline Data Files) on staff PCs to recover email information. A relatively recent offline backup of the business's accounting software made it possible to bring these vital services back online. Although significant work remained to recover completely from the Ryuk damage, the most important services were returned to operation quickly:
"For the most part, the production manufacturing operation was never shut down and we did not miss any customer deliverables."
Over the following month, important milestones in the recovery process were accomplished through close cooperation between Progent engineers and the client:
- Self-hosted web sites were returned to operation without losing any data.
- The MailStore email archive for Microsoft Exchange Server, holding more than 4 million archived messages, was brought online and made available to users.
- CRM, Orders, Invoices, Accounts Payable (AP), Accounts Receivable (AR) and Inventory Control functions were 100% operational.
- A new Palo Alto 850 security appliance was set up.
- 90% of the user workstations were fully operational.
"So much of what happened in the initial days is mostly a haze for me, but I will not soon forget the commitment all of you put in to give us our business back. I have trusted Progent for at least 10 years, maybe more, and each time Progent has come through and delivered. This situation was the most impressive ever."
A likely business-ending catastrophe was averted thanks to top-tier professionals, a wide spectrum of subject matter expertise, and tight teamwork. Although in hindsight the crypto-ransomware intrusion described here would have been stopped by current security solutions and best practices, user and IT administrator education, and well-designed procedures for information backup and for keeping systems current with security patches, the reality remains that state-sponsored hackers from Russia, China and elsewhere are relentless and are not going away. If you do get hit by a ransomware incident, remember that Progent's roster of professionals has substantial experience in ransomware blocking, removal, and information systems disaster recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), I'm grateful for making it so I could get some sleep after we got past the initial push. Everyone put in an impressive effort, and if any of you guys are around the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
A PDF version of this customer story is available: Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF, 282 KB).