Ransomware: Your Crippling IT Nightmare
Ransomware has become a modern cyber pandemic that presents an enterprise-level danger to businesses of all sizes that are unprepared for an assault. Earlier iterations of ransomware such as the CryptoLocker, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been replicating for many years and still cause havoc. Newer variants such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, along with additional unnamed newcomers, not only encrypt online data but also seek out and corrupt any reachable system restore points and backups. Information synchronized to the cloud can be corrupted as well. In a poorly architected environment this can render restoration impossible and effectively reset the network to zero.
Recovering services and data after a ransomware attack becomes a race against the clock as the targeted business fights to contain and eradicate the crypto-ransomware and to restore enterprise-critical operations. Because ransomware needs time to spread, attacks are frequently launched on weekends, when intrusions typically take longer to discover. This multiplies the difficulty of quickly marshalling and coordinating a knowledgeable mitigation team.
Progent offers a range of solutions for securing Schaumburg businesses against crypto-ransomware attacks. Among these are team education to recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of modern security appliances with machine learning capabilities to intelligently identify and suppress zero-day cyber threats. Progent also provides the services of seasoned ransomware recovery engineers with the talent and commitment to restore a compromised network as quickly as possible.
Progent's Crypto-Ransomware Restoration Support Services
Following a ransomware event, paying the ransom demand in Bitcoin cryptocurrency gives no assurance that the attackers will provide the keys needed to decrypt any or all of your files. Kaspersky Labs estimated that 17% of ransomware victims never recovered their data even after sending off the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than typical ransomware demands, which ZDNET determined to be around $13,000 for small businesses. The other path is to rebuild the essential parts of your Information Technology environment. Without full data backups available, this calls for a wide complement of skill sets, professional project management, and the ability to work continuously until the job is finished.
For twenty years, Progent has provided professional IT services to businesses across the United States and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have earned top certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers hold internationally recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent additionally has expertise in financial systems and ERP applications. This breadth of expertise enables Progent to quickly understand the important systems remaining after a crypto-ransomware event and to reassemble the surviving components of your computer network environment into a functioning network.
Progent's ransomware team of experts has state-of-the-art project management applications to orchestrate the complicated recovery process. Progent appreciates the urgency of working quickly and together with a client's management and IT team members to prioritize tasks and to put critical services back on-line as soon as humanly possible.
Business Case Study: A Successful Ransomware Penetration Restoration
A business engaged Progent after its network was attacked by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean government-sponsored hackers, possibly adopting algorithms leaked from the U.S. National Security Agency. Ryuk goes after specific companies with limited tolerance for operational disruption and is among the most lucrative iterations of crypto-ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in the Chicago metro area with around 500 workers. The Ryuk event had frozen all essential operations and manufacturing capabilities. Most of the client's system backups had been online at the start of the attack and were encrypted along with everything else. The client was taking steps to pay the ransom (in excess of two hundred thousand dollars) and hoping for the best, but in the end decided to engage Progent.
"I cannot speak enough in regards to the expertise Progent provided us during the most stressful time of (our) company's survival. We may have had to pay the criminal gangs if not for the confidence the Progent experts provided us. The fact that you were able to get our e-mail system and production applications back online faster than seven days was beyond my wildest dreams. Each person I talked with or e-mailed at Progent was absolutely committed on getting our company operational and was working 24/7 on our behalf."
Progent worked together with the customer to quickly identify and prioritize the essential services that had to be addressed in order to resume company operations:
- Microsoft Active Directory
- Microsoft Exchange
- MRP System
To begin, Progent followed anti-virus/malware incident response best practices by halting lateral movement and cleaning up infected systems. Progent then started rebuilding Windows Active Directory, the heart of enterprise systems built on Microsoft Windows technology. Microsoft Exchange email will not work without AD, and the business's accounting and MRP system relied on SQL Server, which requires Active Directory services to authorize access to the data.
In less than two days, Progent rebuilt Active Directory services to their pre-intrusion state. Progent then performed setup and storage recovery on mission-critical applications. All Microsoft Exchange Server data and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to collect unencrypted OST files (Microsoft Outlook Offline Folder Files) from various workstations in order to recover mail data. A relatively recent offline backup of the business's accounting systems made it possible to bring these essential services back online. Although much work remained to recover fully from the Ryuk damage, the most important services were returned to operation quickly:
"For the most part, the production operation never missed a beat and we did not miss any customer deliverables."
Over the following few weeks critical milestones in the restoration process were accomplished in close collaboration between Progent team members and the client:
- Internal web sites were returned to operation with no loss of information.
- The MailStore Microsoft Exchange Server containing more than four million archived messages was brought on-line and available for users.
- CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory modules were 100% restored.
- A new Palo Alto 850 security appliance was installed and configured.
- Ninety percent of the user PCs were operational.
"A lot of what transpired in the early hours is nearly entirely a fog for me, but my management will not forget the countless hours each of your team put in to help get our company back. I've entrusted Progent for the past ten years, possibly more, and every time Progent has outperformed my expectations and delivered as promised. This event was a Herculean accomplishment."
A probable business-killing disaster was averted through dedicated experts, a wide array of technical expertise, and tight collaboration. In post-mortem, the ransomware incident described here could have been detected and prevented with modern security technology and best practices, staff training, and appropriate incident response procedures for data backup and for keeping systems current with security patches. The fact remains, however, that government-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and pose an ongoing threat. If you do fall victim to a crypto-ransomware incursion, remember that Progent's team of professionals has proven experience in ransomware blocking, removal, and file disaster recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thank you for letting me get rested after we got over the initial push. All of you did a fabulous effort, and if any of your guys is in the Chicago area, dinner is my treat!"
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)