Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become a too-frequent cyberplague that poses an existential danger for businesses vulnerable to an attack. Different versions of ransomware like the Reveton, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been running rampant for years and continue to inflict damage. Newer versions of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Egregor, plus frequent unnamed viruses, not only encrypt online information but also infiltrate every configured system backup they can reach. Files replicated to the cloud can also be rendered useless. With a vulnerable data protection solution, this can make automated restore operations impossible and effectively sets the network back to zero.
Recovering programs and data following a crypto-ransomware attack becomes a sprint against the clock as the targeted organization fights to stop the spread and remove the virus and to resume enterprise-critical activity. Since crypto-ransomware takes time to spread, assaults are often sprung on weekends, when attacks are likely to take longer to detect. This multiplies the difficulty of quickly mobilizing and coordinating a qualified mitigation team.
Progent provides an assortment of help services for securing Oklahoma City enterprises from ransomware attacks. These include team member training to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of the latest generation of security gateways with machine learning technology to automatically detect and extinguish zero-day cyber attacks. Progent also provides the services of expert crypto-ransomware recovery professionals with the talent and perseverance to restore a compromised environment as quickly as possible.
Progent's Crypto-Ransomware Recovery Services
Following a crypto-ransomware penetration, even paying the ransom demand in cryptocurrency does not provide any assurance that the cyber criminals will provide the keys needed to decrypt any of your information. Kaspersky estimated that 17% of ransomware victims never recovered their files even after having paid the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is far higher than the average ransomware demand, which ZDNET determined to be around $13,000 for smaller businesses. The other path is to rebuild the critical elements of your Information Technology environment from scratch. Without the availability of complete data backups, this requires a wide complement of skills, well-coordinated project management, and the willingness to work 24x7 until the task is done.
For two decades, Progent has offered certified expert IT services for companies across the U.S. and has earned Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have been awarded high-level industry certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have garnered internationally-renowned industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise with financial systems and ERP application software. This breadth of expertise gives Progent the skills to efficiently identify critical systems, re-organize the surviving parts of your Information Technology system following a ransomware attack, and configure them into an operational network.
Progent's security group uses state-of-the-art project management applications to orchestrate the complicated recovery process. Progent appreciates the urgency of acting swiftly and working together with a client's management and IT staff to prioritize tasks and get key systems back on line as soon as humanly possible.
Customer Story: A Successful Ransomware Virus Response
A small business escalated to Progent after their company was taken over by the Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state-sponsored cybercriminals, suspected of using techniques leaked from the U.S. NSA. Ryuk targets specific businesses with little or no ability to sustain disruption and is among the most profitable examples of ransomware malware. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturer located in Chicago with around 500 staff members. The Ryuk penetration had shut down all business operations and manufacturing capabilities. Most of the client's system backups had been online at the start of the attack and were eventually encrypted. The client considered paying the ransom demand (exceeding two hundred thousand dollars) and hoping for good luck, but ultimately engaged Progent.
"I can't speak enough in regards to the care Progent gave us throughout the most fearful time of (our) company's life. We may have had to pay the cyber criminals if it wasn't for the confidence the Progent group afforded us. The fact that you could get our e-mail system and essential applications back into operation in less than one week was incredible. Every single expert I got help from or e-mailed at Progent was urgently focused on getting our company operational and was working breakneck pace to bail us out."
Progent worked with the client to rapidly assess and prioritize the key elements that needed to be restored to make it possible to resume business operations:
- Active Directory (AD)
- Electronic Messaging
- MRP System
To begin, Progent followed ransomware penetration response best practices by halting lateral movement and disinfecting systems. Progent then initiated the process of rebuilding Microsoft AD, the core of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange email will not work without AD, and the client's accounting and MRP system utilized SQL Server, which requires Active Directory for authentication to the data.
Within 48 hours, Progent was able to restore Active Directory services to their pre-attack state. Progent then initiated rebuilding and hard drive recovery on mission-critical applications. All Microsoft Exchange Server data and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to assemble non-encrypted OST data files (Outlook Offline Folder Files) from staff PCs and laptops in order to recover mail messages. A recent offline backup of the business's accounting/ERP systems made it possible to bring these essential applications back into service for users. Although a large amount of work remained to recover fully from the Ryuk event, critical systems were recovered rapidly:
"For the most part, the assembly line operation ran fairly normal throughout and we did not miss any customer shipments."
During the following month, critical milestones in the restoration process were achieved in close cooperation between Progent engineers and the customer:
- In-house web sites were brought back up without losing any information.
- The MailStore archive for Microsoft Exchange Server, containing more than four million historical messages, was brought online and made accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory Control modules were completely restored.
- A new Palo Alto Networks 850 firewall was deployed.
- 90% of the user desktops were fully operational.
"So much of what was accomplished in the early hours is mostly a blur for me, but my team will not forget the care each of your team put in to help get our business back. I have entrusted Progent for the past 10 years, maybe more, and every time I needed help Progent has impressed me and delivered. This time was a stunning achievement."
A probable business catastrophe was dodged through the efforts of dedicated experts, a wide range of knowledge, and close collaboration. Although in retrospect the ransomware virus penetration detailed here should have been prevented with advanced security technology and best practices, team education, and well-designed incident response procedures for data backup and proper patching controls, the fact is that government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and will keep attacking. If you do fall victim to a ransomware attack, remember that Progent's roster of professionals has a proven track record in ransomware virus defense, mitigation, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), I'm grateful for letting me get some sleep after we got through the first week. Everyone did an incredible effort, and if any of your guys is visiting the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this case study, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)