Ransomware: Your Crippling Information Technology Nightmare
Crypto-ransomware has become an all-too-frequent cyber plague and an enterprise-level threat for businesses unprepared for an attack. Ransomware families such as CryptoLocker, CryptoWall, Locky, Syskey and MongoLock have circulated for years and continue to do damage. Modern strains such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Snatch and Nefilim, plus a steady stream of unnamed newcomers, not only encrypt online data but also hunt down and destroy any reachable restore points, shadow copies and backups before the encryption runs. Files replicated to the cloud can be overwritten with their encrypted versions as well. In a poorly designed environment this makes automated restores impossible and effectively sets the datacenter back to zero.
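The backup destruction described above usually shows up in process-creation logs seconds before encryption starts. As an added example (not from the original page or from Progent), the following Python scans constructed process-creation records for the commands ransomware such as Ryuk runs to delete shadow copies, disable Windows recovery and wipe backup catalogs, and rates each host by the distinct techniques seen on it rather than by raw hit count. The tab-separated record format, host names, user names, rule names and weights are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Added example, not from the original page. The records below are constructed
# tab-separated process-creation events (timestamp, host, user, image,
# command line); they are not real Sysmon or Windows Event Log output.
SAMPLE_LOGS = [
    "2020-09-12T02:14:03Z\tFS01\tCORP\\svc_backup\tC:\\Windows\\System32\\vssadmin.exe\tvssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB",
    "2020-09-12T02:14:05Z\tFS01\tCORP\\svc_backup\tC:\\Windows\\System32\\vssadmin.exe\tvssadmin.exe delete shadows /all /quiet",
    "2020-09-12T02:14:09Z\tFS01\tCORP\\svc_backup\tC:\\Windows\\System32\\wbem\\WMIC.exe\twmic shadowcopy delete",
    "2020-09-12T02:14:12Z\tFS01\tCORP\\svc_backup\tC:\\Windows\\System32\\bcdedit.exe\tbcdedit /set {default} recoveryenabled no",
    "2020-09-12T02:14:13Z\tFS01\tCORP\\svc_backup\tC:\\Windows\\System32\\bcdedit.exe\tbcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "2020-09-12T02:14:20Z\tFS01\tCORP\\svc_backup\tC:\\Windows\\System32\\wbadmin.exe\twbadmin delete catalog -quiet",
    "2020-09-12T03:01:44Z\tFS02\tCORP\\svc_backup\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell.exe -nop -w hidden -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }\"",
    "2020-09-12T09:30:41Z\tWS-ACCT07\tCORP\\jsmith\tC:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\t\"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\"",
    "2020-09-12T11:02:17Z\tBKP01\tCORP\\backupadmin\tC:\\Windows\\System32\\vssadmin.exe\tvssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=UNBOUNDED",
]

# Command patterns used to remove restore points and backups, each with an
# assumed weight: resizing shadow storage is ambiguous on its own (backup
# admins do it), deleting shadow copies or disabling recovery is not.
RULES = {
    "vss_resize": (1, re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    "vss_delete": (2, re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    "wmic_shadow_delete": (2, re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    "wbadmin_delete": (2, re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)\b", re.I)),
    "bcdedit_recovery_off": (2, re.compile(r"\bbcdedit(?:\.exe)?\s+.*\brecoveryenabled\s+no\b", re.I)),
    "bcdedit_ignore_failures": (2, re.compile(r"\bbcdedit(?:\.exe)?\s+.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    "ps_shadow_delete": (3, re.compile(r"win32_shadowcopy\b.*\bdelete\b", re.I)),
}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    command_line: str


def parse_record(line):
    """Split one constructed record; return None for malformed input."""
    parts = line.rstrip("\n").split("\t", 4)
    if len(parts) != 5:
        return None
    timestamp, host, user, image, command_line = parts
    return {"timestamp": timestamp, "host": host, "user": user,
            "image": image, "command_line": command_line}


def scan(lines):
    """Return one Finding per (record, rule) match on the command line."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        for name, (_weight, pattern) in RULES.items():
            if pattern.search(rec["command_line"]):
                findings.append(Finding(rec["timestamp"], rec["host"],
                                        rec["user"], name, rec["command_line"]))
    return findings


def triage(findings):
    """Score each host by the weights of the DISTINCT rules seen on it, so a
    loop that reruns vssadmin ten times does not inflate the score."""
    rules_per_host = defaultdict(set)
    for f in findings:
        rules_per_host[f.host].add(f.rule)
    return {host: sum(RULES[r][0] for r in rules) for host, rules in rules_per_host.items()}


def hosts_to_isolate(findings, threshold=3):
    """Hosts whose score reaches the (assumed) threshold should be cut off
    from the network first; lateral movement is the real danger."""
    return sorted(h for h, score in triage(findings).items() if score >= threshold)


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for f in found:
        print(f"{f.timestamp} {f.host} {f.user} [{f.rule}] {f.command_line}")
    print("scores:", triage(found))
    print("isolate:", hosts_to_isolate(found))
```

On the constructed data, BKP01 stays below the threshold because a lone shadow-storage resize by a backup administrator is routine, while FS01 (five different backup-destruction techniques within seconds) and FS02 (a PowerShell WMI shadow-copy wipe) are flagged for isolation. In production, feed this from Sysmon Event ID 1 or Windows Security Event ID 4688 with command-line auditing enabled, and add a time window to the per-host correlation so that scores do not accumulate across months of legitimate administration.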
Getting applications and data back online after a ransomware outage becomes a race against the clock as the targeted business fights to contain and eradicate the ransomware and to restore business-critical activity. Because ransomware needs time to spread, attacks are frequently launched on weekends, when a successful intrusion typically takes longer to discover. This multiplies the difficulty of quickly assembling and coordinating a knowledgeable response team.
Progent offers a range of services for protecting Downers Grove organizations from ransomware attacks. These include staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of current-generation security products that use artificial intelligence to detect and block new attacks automatically. Progent can also provide seasoned crypto-ransomware recovery professionals with the track record and commitment to restore a breached environment as quickly as possible.
Progent's Ransomware Recovery Services
After a crypto-ransomware event, paying the ransom in Bitcoin does not guarantee that the criminals will hand over working keys to decrypt any of your data. Kaspersky found that 17% of ransomware victims never recovered their files even after paying, compounding their losses. Paying is also very expensive: Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the typical demand, which ZDNet estimated at around $13,000 for smaller businesses. The alternative is to rebuild the vital parts of your IT environment. Without usable system backups, this calls for a wide range of skills, tightly coordinated team management, and the ability to work around the clock until the recovery is complete.
For twenty years, Progent has provided expert IT services to businesses across the US and has earned Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold top industry certifications in leading technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cyber security specialists hold internationally recognized industry certifications including CISA, CISSP, ISACA CRISC and SANS GIAC (visit Progent's certifications). Progent also has expertise with accounting and ERP application software. This breadth of experience gives Progent the ability to quickly identify the necessary systems, salvage the surviving components of your network environment after a ransomware event, and rebuild them into an operational system.
Progent's ransomware team of experts deploys best of breed project management applications to orchestrate the sophisticated recovery process. Progent understands the urgency of acting rapidly and together with a client's management and IT team members to assign priority to tasks and to get essential services back on-line as fast as humanly possible.
Business Case Study: A Successful Ransomware Intrusion Response
A client contacted Progent after their network was attacked by the Ryuk ransomware. Early reports linked Ryuk to North Korean state actors because of code it shares with the Hermes ransomware, although later analysis attributed its operation to Russian-speaking criminal groups. Ryuk targets specific businesses that have little tolerance for operational disruption and is among the most lucrative ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in the Chicago metro area with around 500 employees. The Ryuk intrusion had shut down all business operations and manufacturing capability. Most of the client's backups had been online at the start of the attack and were encrypted along with everything else. The client was considering paying the ransom (more than $200,000) and hoping for the best, but in the end decided to engage Progent.
"I cannot say enough in regards to the support Progent gave us during the most stressful period of (our) business's existence. We would have paid the cybercriminals except for the confidence the Progent group provided us. The fact that you were able to get our messaging and critical servers back in under five days was amazing. Every single staff member I got help from or communicated with at Progent was urgently focused on getting us restored and was working day and night on our behalf."
Progent worked with the client to rapidly identify and prioritize the essential services that had to be restored before company operations could resume:
- Windows Active Directory
- Accounting and Manufacturing (MRP) Software
First, Progent followed standard incident response practice by containing the intrusion: stopping lateral movement and isolating and cleaning infected systems. Progent then began restoring Windows Active Directory, the foundation of any enterprise environment built on Microsoft technology. Microsoft Exchange Server cannot function without Active Directory, and the client's MRP software ran on SQL Server, which relied on Windows AD authentication for access to the database.
In less than two days, Progent recovered Active Directory to its pre-attack state. Progent then began rebuilding the required servers and recovering their storage. All Exchange Server schema extensions and attributes in Active Directory were intact, which simplified the Exchange restore. Progent collected the local OST files (Outlook Offline Data Files) from staff desktops to recover mailbox data. A reasonably recent offline backup of the customer's financials/MRP systems allowed these essential applications to be restored and made available to users. Although much work remained to recover fully from the Ryuk attack, the essential systems were restored quickly:
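The order of the steps above is dictated by dependencies: nothing that authenticates against Active Directory can come back before AD does, and the MRP system cannot come back before its SQL Server. As an added example, not part of the case study and not Progent's tooling, here is a small Python planner that turns a service dependency map modelled on that situation into restore waves, and that reports which services stay down for as long as a given system cannot be recovered (for instance because its backups were encrypted). The service names, dependencies and priorities are assumptions for illustration.

```python
from collections import defaultdict

# Added example, not from the case study: a constructed dependency map in the
# spirit of the one described above. Names, dependencies and priorities
# (1 = restore first within a wave) are assumptions for illustration.
SERVICES = {
    "active_directory": {"depends_on": [], "priority": 1},
    "sql_server": {"depends_on": ["active_directory"], "priority": 2},
    "exchange": {"depends_on": ["active_directory"], "priority": 2},
    "mrp_financials": {"depends_on": ["sql_server"], "priority": 1},
    "mailstore_archive": {"depends_on": ["exchange"], "priority": 3},
    "intranet_web_apps": {"depends_on": ["active_directory", "sql_server"], "priority": 3},
    "user_workstations": {"depends_on": ["active_directory", "exchange"], "priority": 2},
}


def _dependents(services):
    """Invert the map: which services are waiting on each service."""
    dependents = defaultdict(list)
    for name, spec in services.items():
        for dep in spec["depends_on"]:
            if dep not in services:
                raise ValueError(f"{name} depends on unknown service {dep!r}")
            dependents[dep].append(name)
    return dependents


def plan_restore_waves(services):
    """Kahn's algorithm: wave N holds every service whose dependencies were all
    restored in earlier waves. Inside a wave, higher business priority goes first.
    Raises ValueError if the map contains a cycle (nothing could ever start)."""
    dependents = _dependents(services)
    remaining = {name: len(spec["depends_on"]) for name, spec in services.items()}

    def by_priority(name):
        return (services[name]["priority"], name)

    ready = sorted((n for n, count in remaining.items() if count == 0), key=by_priority)
    waves, placed = [], 0
    while ready:
        waves.append(ready)
        placed += len(ready)
        next_ready = []
        for name in ready:
            for child in dependents[name]:
                remaining[child] -= 1
                if remaining[child] == 0:
                    next_ready.append(child)
        ready = sorted(next_ready, key=by_priority)
    if placed != len(services):
        stuck = sorted(n for n, count in remaining.items() if count > 0)
        raise ValueError(f"dependency cycle; cannot restore: {stuck}")
    return waves


def blocked_by(services, name):
    """Everything that stays down for as long as `name` cannot be recovered,
    i.e. its transitive dependents (depth-first walk of the inverted map)."""
    dependents = _dependents(services)
    seen, stack = set(), [name]
    while stack:
        for child in dependents[stack.pop()]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return sorted(seen)


if __name__ == "__main__":
    for i, wave in enumerate(plan_restore_waves(SERVICES), 1):
        print(f"wave {i}: {', '.join(wave)}")
    print("blocked while AD is down:", blocked_by(SERVICES, "active_directory"))
```

With the constructed map the planner produces three waves: Active Directory alone, then Exchange and SQL Server, then the MRP system, workstations, intranet applications and the mail archive. The blocked_by report is the argument to bring to management when choosing where to spend the first hours: every other service on the list is waiting on AD, so an AD restore from offline media (or a clean rebuild) comes before anything users can see.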
"For the most part, the manufacturing operation showed little impact and we delivered all customer shipments."
Throughout the following couple of weeks critical milestones in the restoration process were made through close collaboration between Progent consultants and the customer:
- Internal web applications were returned to operation without losing any data.
- The MailStore email archive for Exchange, holding more than 4 million archived messages, was brought back online and made accessible to users.
- CRM/Product Ordering/Invoicing/AP/Accounts Receivable (AR)/Inventory Control modules were 100% restored.
- A new Palo Alto 850 firewall was installed and configured.
- 90% of the user desktops and notebooks were back in operation.
"A lot of what went on in the early hours is mostly a blur for me, but I will not soon forget the care each and every one of your team accomplished to give us our business back. I've entrusted Progent for at least 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered. This situation was a testament to your capabilities."
A potentially business-ending catastrophe was averted through hard work, broad subject matter expertise, and tight teamwork. Although in hindsight the crypto-ransomware incident described here could have been prevented with up-to-date cyber security technology, ISO/IEC 27001 best practices, user and IT administrator training, and well thought out procedures for backups and software patching, the fact is that state-sponsored and criminal cyber gangs from Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware intrusion, you can be confident that Progent's team has substantial experience in ransomware prevention, remediation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were involved), thank you for allowing me to get some sleep after we made it past the initial fire. Everyone did an amazing effort, and if any of your team is around the Chicago area, dinner is the least I can do!"
Download the Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)