Ransomware : Your Feared IT Nightmare
Crypto-ransomware has become an escalating cyber plague and an existential threat for organizations unprepared for an attack. Multiple generations of ransomware, including the CryptoLocker, WannaCry, Locky, SamSam and MongoLock cryptoworms, have been in the wild for many years and continue to cause havoc. More recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, along with a steady stream of unnamed newcomers, not only encrypt on-line data but also seek out and compromise whatever system protection they can reach. Data synced to cloud environments can be ransomed as well. In a poorly designed environment this can make automated restoration hopeless and effectively set the entire system back to square one.
Recovering services and data after a ransomware outage becomes a race against the clock as the targeted organization tries to contain and remove the ransomware and restore business-critical operations. Since crypto-ransomware takes time to move laterally, attacks are usually triggered on weekends and holidays, when a successful intrusion typically takes longer to notice. This compounds the difficulty of rapidly assembling and coordinating an experienced mitigation team.
Progent provides a range of services for protecting Cheyenne enterprises from ransomware attacks. These include staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and the setup and configuration of next-generation security solutions that use artificial intelligence to detect and quarantine zero-day attacks. Progent also provides veteran ransomware recovery engineers with the skills and perseverance to rebuild a compromised environment as quickly as possible.
Progent's Ransomware Recovery Help
Following a ransomware event, paying the ransom in Bitcoin does not ensure that the criminals will respond with the keys to decrypt any of your files. Kaspersky Labs found that 17% of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The ransom itself is also expensive. Ryuk ransoms often range from 15-40 BTC (roughly $120,000 to $400,000). This is well above the average crypto-ransomware demand, which ZDNET estimated at around $13,000 for small businesses. The alternative is to set up the vital elements of your IT environment from scratch. Without complete system backups, this calls for a wide range of IT skills, top-notch project management, and the willingness to work non-stop until the job is finished.
For two decades, Progent has provided expert IT services for companies across the US and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who hold high-level certifications in key technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cyber security experts have earned internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC (refer to Progent's certifications). Progent also has experience with accounting and ERP application software. This breadth of experience gives Progent the ability to efficiently identify critical systems, organize the surviving pieces of your IT environment following a ransomware intrusion, and assemble them into a functioning system.
Progent's recovery team uses best-of-breed project management tools to orchestrate the complex recovery process. Progent understands the urgency of acting swiftly and in unison with a customer's management and IT staff to prioritize tasks and bring essential systems back on-line as soon as possible.
Client Story: A Successful Ransomware Incident Restoration
A small business hired Progent after it was attacked by Ryuk ransomware. Ryuk is thought to have been launched by North Korean government-sponsored cybercriminals, possibly using techniques leaked from the U.S. National Security Agency. Ryuk targets specific companies with little ability to sustain disruption and is among the most lucrative ransomware strains. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company located in Chicago with around 500 staff members. The Ryuk attack had frozen all essential business and manufacturing processes. Most of the client's data backups had been on-line at the start of the attack and were encrypted. The client was considering paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately turned to Progent.
"I can't tell you enough in regards to the help Progent provided us throughout the most fearful period of (our) business's existence. We had little choice but to pay the hackers behind this attack except for the confidence the Progent experts provided us. That you were able to get our e-mail and important servers back into operation sooner than seven days was beyond my wildest dreams. Every single expert I spoke to or communicated with at Progent was laser focused on getting us restored and was working 24/7 on our behalf."
Progent worked hand in hand with the customer to rapidly identify and prioritize the critical services that had to be addressed in order to continue business operations:
- Microsoft Active Directory
- MRP System
To get going, Progent followed anti-virus incident mitigation best practices by stopping the spread and cleaning infected systems. Progent then began recovering Active Directory, the heart of enterprise environments built on Microsoft technology. Microsoft Exchange Server email will not function without AD, and the business's financials and MRP applications used SQL Server, which requires Windows AD for authentication to the databases.
In less than two days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then helped rebuild and recover the hard drives of essential servers. All Exchange data and configuration information were intact, which greatly simplified the Exchange restore. Progent was also able to locate unencrypted OST files (Microsoft Outlook Offline Data Files) on user workstations and laptops and use them to recover email messages. A recent offline backup of the client's financials/MRP software allowed these essential applications to be brought back online. Although a large amount of work remained to recover completely from the Ryuk damage, critical systems were recovered rapidly:
"For the most part, the production operation was never shut down and we made all customer shipments."
During the following couple of weeks, critical milestones in the recovery project were completed through close collaboration between Progent engineers and the client:
- Self-hosted web applications were returned to operation without losing any information.
- The MailStore Server containing more than 4 million historical emails was restored to operation and made accessible to users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory Control modules were 100 percent operational.
- A new Palo Alto Networks 850 firewall was set up and configured.
- Most of the desktops and laptops were functioning as before the incident.
"A huge amount of what occurred during the initial response is nearly entirely a fog for me, but my management will not soon forget the dedication each and every one of you accomplished to give us our company back. I've been working together with Progent for at least 10 years, maybe more, and every time I needed help Progent has impressed me and delivered. This time was a Herculean accomplishment."
A likely business-killing disaster was averted through the efforts of dedicated experts, a broad array of IT skills, and close collaboration. Post-incident forensics showed that the crypto-ransomware intrusion described here would have been identified and stopped by modern cyber security systems and NIST Cybersecurity Framework best practices, staff training, and well-thought-out procedures for data backup and for keeping systems current with security patches. The reality remains, however, that government-sponsored cyber gangs from China, Russia, North Korea and elsewhere are relentless and will continue their attacks. If you do fall victim to a ransomware intrusion, you can be confident that Progent's roster of experts has extensive experience in ransomware defense, removal, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), I'm grateful for allowing me to get rested after we got through the initial push. All of you did an impressive effort, and if anyone is around the Chicago area, a great meal is the least I can do!"
Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)