Ransomware: Your Crippling IT Disaster
Ransomware has become a modern cyberplague that represents an existential danger for businesses of all sizes vulnerable to an attack. Multiple generations of ransomware such as the Reveton, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been running rampant for many years and still inflict destruction. More recent ransomware families such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, along with a steady stream of as yet unnamed newcomers, not only encrypt online data files but also target any configured system restore points and backups. Data synchronized to cloud environments can also be ransomed. In a poorly architected data protection solution, this can render automated restoration hopeless and effectively sets the datacenter back to zero.
Recovering applications and data after a ransomware attack becomes a race against the clock as the targeted business struggles to contain and remove the malware and to restore business-critical activity. Because ransomware takes time to replicate, attacks are often launched at night, when a successful penetration typically takes longer to discover. This compounds the difficulty of promptly mobilizing and coordinating a qualified response team.
Progent provides a range of support services for protecting Yonkers businesses from ransomware attacks. Among these are staff training to recognize and avoid phishing attacks, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of the latest generation of security appliances with AI technology to intelligently identify and quarantine new threats. Progent also offers the services of experienced crypto-ransomware recovery professionals with the skills and perseverance to re-deploy a compromised system as rapidly as possible.
Progent's Ransomware Recovery Support Services
Following a ransomware attack, even paying the ransom in cryptocurrency does not guarantee that the criminal gang will hand over the keys to decrypt any or all of your data. Kaspersky Labs estimated that seventeen percent of crypto-ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC ($120,000 to $400,000). This is far higher than the average ransomware demand, which ZDNET determined to be in the range of $13,000 for smaller businesses. The alternative is to piece back together the essential elements of your IT environment. Without access to complete backups, this requires a broad range of skills, top-notch team management, and the ability to work non-stop until the job is finished.
For twenty years, Progent has offered expert Information Technology services for businesses throughout the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have earned high-level certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have earned internationally recognized industry certifications including CISM, CISSP, CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with financial management and ERP software solutions. This breadth of experience gives Progent the ability to quickly identify critical systems, reorganize the remaining pieces of your IT environment following a ransomware penetration, and reassemble them into an operational network.
Progent's security group uses best-of-breed project management systems to orchestrate the complex recovery process. Progent appreciates the urgency of working swiftly and in unison with a client's management and IT team members to prioritize tasks and to put the most important systems back online as fast as possible.
Case Study: A Successful Crypto-Ransomware Virus Restoration
A business escalated to Progent after their network was penetrated by Ryuk crypto-ransomware. Ryuk is believed to have been developed by North Korean state criminal gangs, suspected of adopting algorithms leaked from the U.S. NSA. Ryuk targets specific businesses with little or no tolerance for operational disruption and is among the most profitable ransomware variants. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business based in the Chicago metro area with around 500 staff members. The Ryuk penetration had disabled all essential business and manufacturing processes. Most of the client's backups had been online at the start of the attack and were eventually encrypted. The client was preparing to pay the ransom (more than two hundred thousand dollars) and hoping for the best, but in the end called Progent.
"I can't tell you enough about the help Progent provided us throughout the most critical time of (our) business's existence. We may have had to pay the criminal gangs if not for the confidence the Progent team afforded us. The fact that you were able to get our e-mail and essential applications back on-line in less than a week was something I thought impossible. Each staff member I worked with or communicated with at Progent was totally committed to getting our system up and was working 24/7 to bail us out."
Progent worked with the customer to quickly identify and prioritize the mission-critical systems that had to be addressed to make it possible to resume business operations:
- Microsoft Active Directory
To begin, Progent followed malware incident containment best practices by stopping the spread and cleaning up infected systems. Progent then started the task of bringing Microsoft Active Directory (AD) back online, since it is the foundation of enterprise systems built on Microsoft Windows Server technology: Microsoft Exchange email will not operate without Windows AD, and the client's MRP applications used SQL Server, which depends on Active Directory for access to the databases.
Within two days, Progent was able to rebuild Windows Active Directory to its pre-penetration state. Progent then performed setup and hard drive recovery of critical systems. All Exchange data and configuration information were intact, which greatly simplified the restoration of Exchange. Progent was able to find unencrypted OST data files (Microsoft Outlook Offline Folder Files) on staff workstations and used them to recover email messages. A relatively recent offline backup of the customer's accounting/ERP systems made it possible to bring these vital services back online. Although a great deal of work remained to recover completely from the Ryuk attack, critical systems were recovered rapidly:
"For the most part, the production manufacturing operation was never shut down and we made all customer shipments."
Over the next couple of weeks, important milestones in the recovery project were accomplished through close cooperation between Progent team members and the client:
- Self-hosted web sites were restored without losing any data.
- The MailStore Server with over four million archived emails was restored to operations and available for users.
- CRM, orders, invoicing, accounts payable, accounts receivable (AR) and inventory functions were completely restored.
- A new Palo Alto 850 firewall was set up.
- Most of the user desktops and notebooks were fully operational.
"So much of what transpired in the early hours is nearly entirely a fog for me, but we will not soon forget the urgency each and every one of the team accomplished to give us our business back. I have entrusted Progent for the past ten years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered. This situation was a Herculean accomplishment."
A potential business-ending catastrophe was averted thanks to hard-working professionals, a broad spectrum of technical expertise, and close collaboration. Although post-incident forensics showed that the crypto-ransomware attack described here would have been identified and stopped by advanced security systems and security best practices, user and IT administrator education, and properly executed procedures for backup and software patching, the reality remains that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and an ongoing threat. If you do fall victim to crypto-ransomware, you can be confident that Progent's roster of experts has extensive experience in ransomware defense, removal, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were helping), thank you for letting me get some sleep after we got through the initial push. All of you made a fabulous effort, and if any of you guys are visiting the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Expertise in Yonkers
For ransomware system recovery consulting services in the Yonkers area, call Progent at 800-462-8800 or see Contact Progent.