Ransomware : Your Crippling IT Disaster
Crypto-ransomware has become an all-too-frequent cyber plague that represents an existential threat to any business vulnerable to an attack. Earlier families such as CryptoLocker, CryptoWall, Bad Rabbit, SamSam and the MongoLock cryptoworms have been circulating for years and continue to inflict damage. Modern strains such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Nephilim, plus a steady stream of unnamed malware, not only encrypt online data but also seek out and compromise any reachable system restore points and backups. Data synchronized to the cloud can be encrypted as well. On a vulnerable network this renders automated recovery useless and effectively knocks the datacenter back to zero.
Getting applications and data back online after a crypto-ransomware attack becomes a race against time as the targeted organization fights to stop the spread, eradicate the ransomware, and restore mission-critical operations. Because crypto-ransomware needs time to spread, attacks are often launched on weekends, when intrusions typically take longer to discover. This compounds the difficulty of rapidly assembling and coordinating a qualified response team.
Progent offers an assortment of services for protecting Mesa organizations from ransomware attacks. These include user training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern AI-enabled security gateways that automatically detect and block zero-day threats. Progent also provides the assistance of experienced ransomware recovery engineers with the track record and commitment to restore a compromised network as quickly as possible.
Progent's Ransomware Restoration Help
After a ransomware event, even paying the ransom in cryptocurrency provides no assurance that the criminal gang will hand over the keys needed to decrypt all your data. Kaspersky Labs found that seventeen percent of crypto-ransomware victims never recovered their data even after paying the ransom, compounding their losses. The ransom itself is also costly. Ryuk ransoms commonly range from 15 to 40 BTC ($120,000 to $400,000). This is significantly higher than typical ransomware demands, which ZDNET estimated at around $13,000 for smaller businesses. The fallback is to rebuild the essential components of your IT environment from scratch. Without access to essential data backups, this requires a wide range of IT skills, top-notch team management, and the capability to work around the clock until the recovery project is finished.
For two decades, Progent has offered professional IT services to companies throughout the United States and has earned Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who hold advanced certifications in key technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cyber security engineers hold internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise in financial systems and ERP applications. This breadth of experience allows Progent to quickly identify which systems are essential, salvage the surviving pieces of your IT environment after a ransomware event, and rebuild them into a working system.
Progent's recovery team uses powerful project management tools to orchestrate the complex restoration process. Progent understands the urgency of working rapidly and in concert with a client's management and IT staff to prioritize tasks and get critical services back online as fast as possible.
Case Study: A Successful Ransomware Attack Recovery
A small business escalated to Progent after their organization was penetrated by the Ryuk ransomware. Ryuk is thought to have been created by North Korean state-backed criminal gangs, suspected of using algorithms leaked from the United States NSA. Ryuk targets specific businesses with little tolerance for disruption and is one of the most profitable ransomware families. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company based in Chicago with around 500 employees. The Ryuk attack had brought down all company operations and manufacturing processes. Most of the client's data backups had been online at the start of the attack and were destroyed. The client considered paying the ransom demand (exceeding $200,000) and hoping for the best, but in the end called Progent.
"I cannot speak enough in regards to the help Progent provided us throughout the most fearful time of (our) company's survival. We had little choice but to pay the cyber criminals if not for the confidence the Progent experts provided us. The fact that you could get our e-mail system and critical servers back sooner than seven days was something I thought impossible. Every single expert I spoke to or e-mailed at Progent was hell bent on getting our company operational and was working day and night to bail us out."
Progent worked hand in hand with the customer to rapidly identify and prioritize the mission-critical elements that had to be addressed before company operations could restart:
- Microsoft Active Directory
- Electronic Mail
- Accounting and Manufacturing Software
To begin, Progent followed standard anti-malware incident containment best practices by isolating and cleaning up infected systems. Progent then started the process of recovering Microsoft Active Directory, the foundation of enterprise networks built on Microsoft Windows technology. Microsoft Exchange Server messaging will not function without Windows AD, and the client's accounting and MRP applications relied on SQL Server, which depends on Active Directory for authentication and authorization to the databases.
In less than two days, Progent was able to recover Windows Active Directory to its pre-infection state. Progent then completed setup and storage recovery on the servers that were needed. All Exchange links and attributes were intact, which accelerated the restoration of Exchange. Progent was also able to locate unencrypted OST files (Outlook offline data files) on staff PCs and laptops and used them to recover mail data. A reasonably recent offline backup of the customer's accounting systems made it possible to bring these vital applications back online. Although a great deal of work remained to recover fully from the Ryuk event, the most important services were restored quickly:
"For the most part, the production manufacturing operation never missed a beat and we did not miss any customer orders."
Over the following weeks, important milestones in the restoration project were reached through close cooperation between Progent consultants and the customer:
- Self-hosted web applications were brought back up with no loss of data.
- The MailStore Server archive, holding more than four million historical emails, was restored to operation and made available to users.
- CRM, customer orders, invoicing, accounts payable (AP), accounts receivable (AR) and inventory functions were completely restored.
- A new Palo Alto 850 security appliance was installed and configured.
- Nearly all user workstations were fully operational.
"So much of what was accomplished that first week is nearly entirely a blur for me, but our team will not forget the urgency all of the team put in to give us our business back. I've entrusted Progent for the past ten years, possibly more, and every time I needed help Progent has shined and delivered. This situation was a stunning achievement."
A potentially company-ending catastrophe was averted by dedicated professionals, a wide range of expertise, and close collaboration. Although in hindsight the ransomware attack described here could have been blocked by modern security solutions and recognized best practices, user and IT administrator training, and properly executed procedures for backups and for keeping systems current with security patches, the reality remains that state-sponsored cybercriminals from Russia, China and elsewhere are relentless and an ongoing threat. If you are hit by a crypto-ransomware attack, remember that Progent's team of experts has a proven track record in ransomware defense, cleanup, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were involved), thank you for allowing me to get rested after we made it over the first week. All of you did an incredible effort, and if anyone is visiting the Chicago area, a great meal is on me!"
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Services in Mesa
For ransomware system recovery expertise in the Mesa area, phone Progent at 800-462-8800 or visit Contact Progent.