Ransomware: Your Crippling IT Disaster
Ransomware has become an escalating cyberplague that represents an extinction-level threat for organizations vulnerable to an assault. Multiple generations of ransomware, such as the CrySIS, WannaCry, Locky, Syskey and MongoLock cryptoworms, have been around for a long time and still inflict damage. Newer variants such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, as well as frequent unnamed strains, not only encrypt critical online data but also infect most configured system restore points and backups. Files synchronized to the cloud can also be corrupted. In a poorly architected system, this can render automatic restore operations impossible and effectively sets the entire environment back to zero.
Recovering programs and data after a crypto-ransomware intrusion becomes a race against time as the victim struggles to contain the damage, clear the ransomware, and resume business-critical activity. Because crypto-ransomware needs time to spread, attacks are frequently sprung on weekends, when successful penetrations may take longer to uncover. This multiplies the difficulty of quickly assembling and orchestrating a knowledgeable mitigation team.
Progent provides a range of support services for securing The Woodlands businesses from crypto-ransomware attacks. Among these are team member training to help identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of the latest generation security gateways with machine learning capabilities to intelligently identify and quarantine new threats. Progent also offers the services of expert ransomware recovery consultants with the skills and perseverance to re-deploy a compromised environment as rapidly as possible.
Progent's Crypto-Ransomware Restoration Services
Following a ransomware attack, paying the ransom demanded in Bitcoin cryptocurrency provides no assurance that the criminal gang will return the keys needed to decrypt any of your files. Kaspersky Labs found that 17% of crypto-ransomware victims never recovered their files even after paying the ransom, compounding their losses. Paying is also very costly: Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000), significantly higher than typical ransomware demands, which ZDNET determined to be in the range of $13,000 for small organizations. The fallback is to re-install the essential parts of your Information Technology environment. Without access to essential system backups, this requires a broad range of skill sets, well-coordinated project management, and the willingness to work 24x7 until the task is complete.
For twenty years, Progent has made available professional Information Technology services for businesses throughout the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have earned high-level industry certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have earned internationally-recognized certifications including CISA, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience in financial management and ERP applications. This breadth of experience affords Progent the ability to rapidly understand necessary systems and re-organize the surviving pieces of your IT environment after a ransomware event and rebuild them into an operational network.
Progent's security team deploys top-notch project management systems to coordinate the complex recovery process. Progent knows the urgency of working swiftly and closely with a client's management and Information Technology team members to prioritize tasks and to get the most important services back on-line as fast as humanly possible.
Customer Case Study: A Successful Ransomware Virus Response
A client contacted Progent after their network was brought down by the Ryuk ransomware virus. Ryuk is generally considered to have been developed by North Korean state-sponsored criminal gangs, possibly adopting approaches leaked from the United States National Security Agency. Ryuk goes after specific companies with little ability to sustain disruption and is among the most lucrative iterations of ransomware malware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing company based in the Chicago metro area with around 500 workers. The Ryuk penetration had shut down all business operations and manufacturing processes. Most of the client's system backups had been on-line at the time of the intrusion and were encrypted. The client considered paying the ransom demand (exceeding two hundred thousand dollars) and hoping for the best, but in the end made the decision to use Progent.
"I cannot say enough in regards to the help Progent provided us throughout the most fearful period of (our) business's life. We may have had to pay the cybercriminals except for the confidence the Progent experts gave us. The fact that you were able to get our e-mail and critical servers back into operation quicker than 1 week was something I thought impossible. Each staff member I worked with or messaged at Progent was absolutely committed to getting us restored and was working 24 by 7 to bail us out."
Progent worked hand in hand with the customer to rapidly understand and prioritize the most important services that had to be recovered in order to restart departmental operations:
- Active Directory (AD)
- Microsoft Exchange Server
To start, Progent followed industry best practices for malware incident mitigation by isolating and disinfecting systems. Progent then began recovering Microsoft Active Directory, the core of enterprise environments built on Microsoft Windows technology. Exchange email will not operate without Windows AD, and the client's accounting and MRP system used Microsoft SQL Server, which depends on Windows AD to authorize access to the data.
In less than two days, Progent rebuilt Active Directory services to their pre-penetration state. Progent then helped perform reinstallations and hard-drive recovery of key systems. All Microsoft Exchange Server schema and attributes were intact, which simplified the restore of Exchange. Progent was able to gather local OST files (Outlook Off-Line Folder Files) from team workstations to recover email data. A recent off-line backup of the customer's accounting/ERP systems made it possible to bring these essential services back online for users. Although major work remained to recover fully from the Ryuk attack, the most important services were restored rapidly:
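The recovery order above follows the dependency chain the case study describes (Exchange and SQL Server need AD; the accounting/MRP system needs SQL Server), and it also has to account for which backups survived. The following script is an added illustration, not Progent's tooling: it models those dependencies as a graph, derives a restoration order with a topological sort, and pairs each service with a recovery source, treating any backup that was on-line during the attack as encrypted. Service names, the ERP-to-SQL Server edge and the backup states are assumptions constructed for the example.

```python
from collections import deque

# Constructed dependency model: each service lists what it cannot run without.
# The "Accounting/MRP" -> "SQL Server" edge and the service names are assumptions.
DEPENDENCIES = {
    "Active Directory": [],
    "Microsoft Exchange Server": ["Active Directory"],
    "SQL Server": ["Active Directory"],
    "Accounting/MRP": ["SQL Server"],
    "Web applications": ["Active Directory"],
    "Workstations": ["Active Directory", "Microsoft Exchange Server"],
}

# Constructed backup inventory: "online" backups were reachable by the ransomware.
BACKUPS = {
    "Active Directory": "online",
    "Microsoft Exchange Server": "online",
    "SQL Server": "online",
    "Accounting/MRP": "offline",   # the recent off-line ERP backup in the case study
    "Web applications": "offline",
}

def restore_order(deps):
    """Dependency-respecting restoration order via Kahn's algorithm.
    Raises ValueError on an unknown dependency or a cycle (nothing could go first)."""
    indegree = {svc: 0 for svc in deps}
    dependents = {svc: [] for svc in deps}
    for svc, needs in deps.items():
        for need in needs:
            if need not in deps:
                raise ValueError(f"{svc} depends on unknown service {need}")
            indegree[svc] += 1
            dependents[need].append(svc)
    ready = deque(sorted(s for s, d in indegree.items() if d == 0))
    order = []
    while ready:
        svc = ready.popleft()
        order.append(svc)
        for nxt in sorted(dependents[svc]):   # sorted for a deterministic plan
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(deps):
        raise ValueError("circular dependency; restoration order is undefined")
    return order

def recovery_plan(deps, backups):
    """Pair each service, in restore order, with a usable recovery source.
    Only an offline backup is trusted; anything else must be rebuilt or recovered
    from surviving artifacts (e.g. local OST files for mailbox data)."""
    return [(svc, "restore from offline backup" if backups.get(svc) == "offline"
             else "rebuild / recover from surviving artifacts")
            for svc in restore_order(deps)]
```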
"For the most part, the production line operation never missed a beat and we delivered all customer sales."
During the following month, key milestones in the restoration process were completed through close cooperation between Progent engineers and the client:
- Self-hosted web applications were returned to operation without losing any information.
- The MailStore Microsoft Exchange Server with over 4 million historical messages was brought on-line and accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control functions were completely functional.
- A new Palo Alto 850 security appliance was deployed.
- Nearly all of the desktops and laptops were functioning as before the incident.
"A huge amount of what went on during the initial response is nearly entirely a blur for me, but we will not forget the dedication all of your team accomplished to help get our company back. I have trusted Progent for the past ten years, possibly more, and every time Progent has shined and delivered as promised. This time was the most impressive ever."
A possible business extinction catastrophe was avoided due to top-tier experts, a broad range of subject matter expertise, and tight teamwork. Although in hindsight the ransomware virus incident described here would have been identified and blocked with up-to-date security technology and NIST Cybersecurity Framework best practices, staff education, and well thought out security procedures for information protection and applying software patches, the fact remains that government-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a crypto-ransomware penetration, remember that Progent's roster of experts has a proven track record in ransomware virus blocking, cleanup, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were involved), I'm grateful for letting me get rested after we made it through the initial fire. All of you did an impressive effort, and if anyone is around the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)