Ransomware : Your Worst IT Nightmare
Ransomware has become an escalating cyber plague that presents an enterprise-level threat to businesses of all sizes that are poorly prepared for an attack. Older ransomware families such as Reveton, CryptoWall, Bad Rabbit, Syskey and MongoLock have been around for years and still cause havoc. Modern strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nefilim, plus many unnamed variants, not only encrypt critical on-line data but also encrypt or delete any backups they can reach over the network. Data synchronized to the cloud can be ransomed as well, because the sync client faithfully uploads the encrypted files over the clean copies. In a poorly architected environment this renders restoration useless and knocks the entire organization back to square one.
Getting services and data back online after a crypto-ransomware attack becomes a race against the clock as the targeted business fights to stop the spread, clear the malware and restore enterprise-critical operations. Because attackers need time to move laterally and stage the payload, encryption is often triggered on weekends and holidays, when a successful penetration takes longer to detect and a qualified response team is harder to marshal and organize.
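The off-hours detection gap described above is what a simple file-activity burst detector is meant to close. The Python below is an added example, not code from Progent or from this page: the log format, the thresholds and every sample event are constructed for illustration (the `.RYK` extension is the one Ryuk is documented to append to encrypted files), and a real deployment would feed Windows file-share audit events, SMB server logs or EDR telemetry in place of `SAMPLE_EVENTS`.

```python
"""Ransomware encryption-burst detector over file-activity events.

Added example; not part of the Progent page or its services. The log format,
thresholds and every sample event below are constructed for illustration.
In a real deployment the events would come from Windows file-share auditing
(Event ID 4663), SMB server logs or EDR telemetry instead of SAMPLE_EVENTS.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events, one per line: "<ISO timestamp> <user> <host> <action> <path>".
# Friday: normal user activity, then the nightly backup job writing its files.
# Saturday 02:00: one account renames files across several shares (including the
# online backup share) to the ".RYK" extension Ryuk appends, then drops a note.
SAMPLE_EVENTS = r"""
2019-10-11T15:02:11 alice FS01 WRITE \\FS01\finance\q3_forecast.xlsx
2019-10-11T15:05:40 bob FS01 WRITE \\FS01\eng\drawing_118.dwg
2019-10-11T23:00:02 svc_backup FS01 WRITE \\FS01\backups\fs01-fri.vbk
2019-10-11T23:00:09 svc_backup FS01 WRITE \\FS01\backups\fs01-fri.vbm
2019-10-11T23:00:15 svc_backup FS01 WRITE \\FS01\backups\fs01-fri.vib
2019-10-11T23:00:21 svc_backup FS01 WRITE \\FS01\backups\fs01-fri.vbk.tmp
2019-10-11T23:00:27 svc_backup FS01 WRITE \\FS01\backups\catalog.db
2019-10-11T23:00:33 svc_backup FS01 WRITE \\FS01\backups\catalog.db-journal
2019-10-12T02:00:03 jsmith FS01 RENAME \\FS01\finance\q3_forecast.xlsx.RYK
2019-10-12T02:00:04 jsmith FS01 RENAME \\FS01\finance\payroll_2019.xlsx.RYK
2019-10-12T02:00:06 jsmith FS01 RENAME \\FS01\eng\drawing_118.dwg.RYK
2019-10-12T02:00:07 jsmith FS01 RENAME \\FS01\eng\bom_rev4.xlsx.RYK
2019-10-12T02:00:09 jsmith FS01 RENAME \\FS01\backups\fs01-fri.vbk.RYK
2019-10-12T02:00:11 jsmith FS01 WRITE \\FS01\finance\RyukReadMe.txt
"""

WINDOW = timedelta(seconds=60)   # sliding window per (user, host); assumed value
BURST_THRESHOLD = 5              # events in the window before alerting; assumed
MIN_DIRECTORIES = 2              # a burst confined to one folder is usually a batch job
BUSINESS_HOURS = range(7, 19)    # 07:00-18:59 local, Monday to Friday; assumed


def parse_event(line):
    """Split one constructed log line into a dict; paths carry no spaces here."""
    ts, user, host, action, path = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "host": host, "action": action, "path": path}


def is_off_hours(ts):
    """True on weekends or outside business hours, when response is slowest."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def detect_bursts(lines, threshold=BURST_THRESHOLD, window=WINDOW):
    """Flag any (user, host) pair that writes or renames many files across
    several directories inside the window. Returns one alert per pair."""
    events = sorted((parse_event(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    recent = defaultdict(deque)
    alerts, alerted = [], set()
    for ev in events:
        if ev["action"] not in ("RENAME", "WRITE"):
            continue
        key = (ev["user"], ev["host"])
        q = recent[key]
        q.append(ev)
        # Drop events that have aged out of the window (ev itself always stays).
        while ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        dirs = {e["path"].rsplit("\\", 1)[0] for e in q}
        if len(q) >= threshold and len(dirs) >= MIN_DIRECTORIES and key not in alerted:
            alerted.add(key)
            alerts.append({
                "user": ev["user"], "host": ev["host"],
                "first_seen": q[0]["ts"].isoformat(),
                "events": len(q), "directories": len(dirs),
                "off_hours": is_off_hours(q[0]["ts"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Two signals are combined: a high write/rename rate that spans several directories (the Friday backup job writes just as many files, but stays in one folder and is never flagged), and an `off_hours` tag so the alert can be routed to whoever is on call rather than to an empty inbox. Note that the same account that encrypts the finance and engineering shares also reaches the online backup share, which is exactly the failure mode the paragraph above warns about.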
Progent offers a range of support services for protecting Yonkers businesses from ransomware incidents. These include staff training to recognize and avoid phishing lures, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of current-generation security solutions with machine learning capabilities to detect and contain zero-day threats rapidly. Progent also offers the services of seasoned ransomware recovery professionals with the skill and commitment to rebuild a breached environment as quickly as possible.
Progent's Crypto-Ransomware Recovery Help
After a crypto-ransomware penetration, even paying the ransom in Bitcoin does not guarantee that the attackers will hand over working decryption keys for all of your data. Kaspersky Labs estimated that 17% of ransomware victims never recovered their files even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet estimated at around $13,000 for smaller organizations. The other path is to piece the vital components of your IT environment back together. Without access to full, uncompromised backups, this calls for a wide range of skills, well-coordinated team management, and the ability to work non-stop until the recovery is complete.
For two decades, Progent has provided certified expert IT services to businesses throughout the United States and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who hold advanced industry certifications in key technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity experts hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC (see Progent's certifications). Progent also has expertise in accounting and ERP application software. This breadth gives Progent the ability to identify the critical systems after a ransomware event, reassemble the surviving parts of your network environment, and configure them into a functioning whole.
Progent's security team uses proven project management tools to coordinate the complex recovery process. Progent understands the importance of acting quickly and in unison with a customer's management and IT staff to prioritize tasks and bring essential systems back online as soon as possible.
Case Study: A Successful Crypto-Ransomware Attack Recovery
A business sought out Progent after its network was taken over by the Ryuk crypto-ransomware. Ryuk was initially linked to North Korean state-sponsored actors because it shares code with the Hermes ransomware, but later analysis attributes it to a Russian-speaking criminal group. Ryuk targets specific organizations with little or no tolerance for disruption and is among the most profitable ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer based in Chicago with about 500 staff. The Ryuk penetration had halted all business operations and manufacturing. Most of the client's backups had been online at the time of the attack and were encrypted along with the production data. The client was actively seeking loans to pay the ransom demand (more than two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.
"I cannot say enough in regards to the support Progent provided us during the most stressful period of (our) business's survival. We may have had to pay the cyber criminals behind the attack if not for the confidence the Progent experts gave us. The fact that you were able to get our e-mail system and essential servers back into operation in less than seven days was incredible. Each consultant I got help from or e-mailed at Progent was urgently focused on getting my company operational and was working non-stop to bail us out."
Progent worked hand in hand with the client to quickly identify and prioritize the most important elements that had to be recovered so that departmental functions could resume:
To begin, Progent followed incident response best practices by isolating and cleaning infected systems. Progent then started bringing Microsoft Active Directory back online, since it is the core of enterprise systems built on Microsoft Windows technology: Microsoft Exchange Server messaging will not work without Active Directory, and the business's financial and MRP software ran on Microsoft SQL Server, which relied on Active Directory for authenticated access to the databases.
- Active Directory
- Microsoft Exchange
In less than 48 hours, Progent rebuilt Windows Active Directory to its pre-attack state. Progent then rebuilt and recovered storage on mission-critical systems. Exchange's links to Active Directory and its configuration data were intact, which simplified the Exchange restore. Progent located local OST files (Outlook Offline Data Files) on various PCs and used them to recover mailbox data. A recent off-line backup of the customer's accounting/ERP systems made it possible to bring these vital applications back online for users. Although much work remained to recover fully from the Ryuk attack, the most important services were restored quickly:
"For the most part, the manufacturing operation survived unscathed and we did not miss any customer orders."
Over the next month important milestones in the recovery process were made in close collaboration between Progent consultants and the client:
- Internal web sites were brought back up with no loss of data.
- The MailStore email archive server, holding over 4 million historical Exchange messages, was brought back up and made available to users.
- CRM/Orders/Invoices/AP/Accounts Receivables (AR)/Inventory modules were 100 percent operational.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- 90% of the user desktops and notebooks were fully operational.
"Much of what occurred in the initial days is mostly a fog for me, but our team will not forget the countless hours each and every one of you accomplished to help get our business back. I've utilized Progent for the past 10 years, possibly more, and every time Progent has come through and delivered as promised. This time was a stunning achievement."
A potentially business-ending disaster was averted through the efforts of results-oriented professionals, a wide spectrum of IT skills, and tight collaboration. In hindsight, the crypto-ransomware penetration described here should have been detected and stopped by modern security technology, user training, and properly executed procedures for data protection and patch management; nevertheless, criminal and state-sponsored attackers from Russia, China, North Korea and elsewhere are tireless and remain an ongoing threat. If you are hit by a ransomware incursion, you can be confident that Progent's team has a proven track record in crypto-ransomware defense, remediation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), I'm grateful for making it so I could get some sleep after we made it over the initial fire. All of you did an impressive job, and if any of your team is visiting the Chicago area, dinner is my treat!"
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)