Ransomware : Your Crippling IT Catastrophe
Ransomware has become a modern cyberplague that poses an existential threat to businesses of all sizes that are vulnerable to an assault. Ransomware families such as CryptoLocker, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been around for years and continue to cause destruction. More recent strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nefilim, plus newer, as-yet-unnamed malware, not only encrypt on-line data files but also infiltrate any backup system they can reach. Information replicated to the cloud can also be encrypted. In a poorly designed system, this can render automated restoration impossible and essentially knocks the network back to square one.
Bringing applications and data back on-line after a crypto-ransomware intrusion becomes a sprint against the clock as the victim struggles to stop the spread, eradicate the ransomware and restore mission-critical activity. Because ransomware needs time to spread, intrusions are frequently launched at night, when attacks often take longer to uncover. This compounds the difficulty of promptly assembling and organizing a qualified response team.
Progent offers an assortment of support services for securing Yonkers businesses against ransomware attacks. These include team training to help staff recognize and avoid phishing scams, and ProSight Active Security Monitoring, an endpoint detection and response service that uses SentinelOne's AI-based cyberthreat defense to detect and suppress zero-day modern malware assaults. Progent can also provide the assistance of seasoned ransomware recovery consultants with the track record and perseverance to re-deploy a compromised system as quickly as possible.
Progent's Ransomware Restoration Services
Following a crypto-ransomware event, even paying the ransom in Bitcoin cryptocurrency does not guarantee that merciless criminals will return the keys needed to decrypt all your data. Kaspersky ascertained that 17% of ransomware victims never restored their data even after having sent off the ransom, resulting in further losses. The ransom itself is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the usual crypto-ransomware demand, which ZDNET determined to be approximately $13,000 for smaller businesses. The fallback is to piece back together the vital parts of your IT environment. Without access to full system backups, this requires a broad complement of skills, professional team management, and the capability to work continuously until the recovery project is completed.
For twenty years, Progent has offered expert Information Technology services to companies throughout the United States and has achieved Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have attained advanced certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have earned internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial management and ERP software solutions. This breadth of experience gives Progent the capability to rapidly understand the necessary systems, organize the surviving parts of your computer network environment following a crypto-ransomware event, and rebuild them into an operational system.
Progent's recovery team has top-notch project management systems to orchestrate the complicated recovery process. Progent understands the urgency of acting swiftly and in concert with a client's management and IT team members to prioritize tasks and to get the most important services back on-line as fast as possible.
Customer Story: A Successful Crypto-Ransomware Intrusion Recovery
A client contacted Progent after their company was crippled by Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state-sponsored cybercriminals, suspected of adopting techniques leaked from America's NSA. Ryuk targets specific organizations with limited tolerance for disruption and is among the most profitable examples of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing business based in Chicago with around 500 staff members. The Ryuk intrusion had shut down all company operations and manufacturing capabilities. Most of the client's data backups had been online at the start of the intrusion and were encrypted. The client was preparing to pay the ransom demand (more than $200,000) and hoping for good luck, but ultimately engaged Progent.
"I can't say enough with regard to the care Progent gave us during the most stressful period of (our) business's life. We had little choice but to pay the cyber criminals if not for the confidence the Progent team provided us. The fact that you were able to get our messaging and critical servers back on-line in less than seven days was amazing. Each consultant I talked with or communicated with at Progent was absolutely committed to getting my company operational and was working 24 by 7 on our behalf."
Progent worked hand in hand with the client to rapidly identify and prioritize the most important elements that needed to be recovered in order to resume company functions:
- Microsoft Active Directory
- MRP System
To start, Progent followed ransomware incident mitigation best practices by isolating affected systems and performing malware removal steps. Progent then started the process of rebuilding Active Directory, the heart of enterprise environments built on Microsoft technology. Microsoft Exchange Server email will not work without Active Directory, and the customer's financials and MRP software used SQL Server, which depends on Active Directory for authorizing access to the databases.
Within 2 days, Progent was able to recover Active Directory services to their pre-infection state. Progent then rebuilt the required servers and recovered their storage. All Exchange data and attributes were intact, which greatly helped the restoration of Exchange. Progent was also able to find intact OST files (Outlook Off-Line Data Files) on various PCs to recover email information. A reasonably recent off-line backup of the client's accounting/ERP software made it possible to bring these required services back on-line. Although a lot of work remained to recover fully from the Ryuk attack, the most important systems were recovered quickly:
"For the most part, the production line operation survived unscathed and we delivered all customer sales."
During the following couple of weeks, key milestones in the restoration process were accomplished through close cooperation between Progent team members and the customer:
- Internal web applications were returned to operation without losing any information.
- The MailStore archive for Microsoft Exchange Server, holding more than 4 million historical emails, was restored to operation and made available to users.
- CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivable (AR)/Inventory Control modules were fully restored.
- A new Palo Alto 850 firewall was installed and configured.
- Nearly all of the desktop computers were operational.
"Much of what occurred those first few days is mostly a fog for me, but we will not soon forget the urgency each and every one of you put in to give us our company back. I've entrusted Progent for the past 10 years, maybe more, and each time I needed help Progent has come through and delivered. This time was the most impressive ever."
A probable business-ending catastrophe was averted by hard-working experts, a broad spectrum of IT skills, and close teamwork. Although, in hindsight, the ransomware attack described here would have been blocked by up-to-date security solutions and NIST Cybersecurity Framework best practices, user training, and appropriate procedures for backing up information and keeping systems current with security patches, the reality is that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a crypto-ransomware virus, remember that Progent's team of professionals has proven experience in ransomware virus defense, removal, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thank you for making it so I could get some sleep after we made it through the initial fire. Everyone made an amazing effort, and if anyone that helped is in the Chicago area, dinner is on me!"
Download the Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Services in Yonkers
For ransomware recovery consulting services in the Yonkers metro area, call Progent at 800-462-8800 or see Contact Progent.