Ransomware: Your Worst Information Technology Nightmare
Ransomware has become a modern cyber pandemic that poses an existential threat to any organization vulnerable to an attack. Multiple generations of ransomware such as Reveton, WannaCry, Locky, SamSam and the MongoLock cryptoworms have been around for years and continue to inflict damage. Modern strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nephilim, plus a steady stream of unnamed newcomers, not only encrypt online data but also compromise most configured system backups. Files replicated to off-site disaster recovery sites can also be corrupted. In a poorly architected environment, this can make any restoration hopeless and effectively sets the network back to square one.
Getting applications and data back online after a ransomware attack becomes a race against time as the targeted business fights to stop the spread, eradicate the crypto-ransomware, and restore business-critical activity. Since ransomware needs time to spread, attacks are often launched on weekends and at night, when intrusions are likely to take longer to notice. This multiplies the difficulty of promptly mobilizing and coordinating a knowledgeable response team.
Progent offers an assortment of services for protecting Los Angeles enterprises from crypto-ransomware incidents. Among these are staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and installation of next-generation security appliances with machine learning capabilities to rapidly discover and disable zero-day cyber threats. Progent also offers the assistance of veteran ransomware recovery engineers with the skills and commitment to redeploy a breached system as quickly as possible.
Progent's Ransomware Restoration Help
After a crypto-ransomware attack, paying the ransom demand in cryptocurrency does not guarantee that the criminals will provide the keys to decrypt any of your data. Kaspersky estimated that 17% of ransomware victims never recovered their information after paying the ransom, compounding their losses. The ransom itself is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above typical ransomware demands, which ZDNet determined to be approximately $13,000 for smaller businesses. The other path is to piece back together the essential components of your IT environment. Without full data backups, this calls for a wide range of IT skills, professional project management, and the ability to work continuously until the task is done.
For two decades, Progent has provided certified expert IT services for businesses across the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have earned advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts hold internationally recognized certifications including CISA, CISSP, CRISC, and GIAC. (Visit Progent's certifications.) Progent also has experience with financial management and ERP applications. This breadth of expertise gives Progent the ability to knowledgeably identify critical systems after a ransomware attack, consolidate the remaining components of your IT environment, and assemble them into a functioning system.
Progent's ransomware team uses robust project management systems to coordinate the complex recovery process. Progent understands the importance of acting swiftly and in unison with a client's management and IT staff to prioritize tasks and to put essential applications back online as soon as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Attack Response
A small business engaged Progent after their organization was brought down by the Ryuk crypto-ransomware. Ryuk is believed to have been deployed by North Korean government-sponsored hackers, possibly using techniques leaked from the United States NSA. Ryuk targets specific businesses with little tolerance for disruption and is among the most profitable incarnations of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing business based in Chicago with about 500 employees. The Ryuk incident had disabled all business operations and manufacturing capabilities. The majority of the client's data backups had been directly accessible at the time of the attack and were eventually encrypted. The client was taking steps toward paying the ransom demand (in excess of $200K) and hoping for the best, but in the end decided to use Progent.
"I cannot tell you enough about the support Progent gave us during the most fearful time of (our) business's life. We most likely would have paid the cyber criminals behind the attack if not for the confidence the Progent group provided us. That you were able to get our e-mail system and essential servers back online in less than one week was amazing. Each consultant I spoke to or communicated with at Progent was laser focused on getting us back on-line and was working non-stop to bail us out."
Progent worked together with the customer to quickly identify and prioritize the critical systems that had to be restored in order to resume business operations:
- Windows Active Directory
- Exchange Server
To begin, Progent followed industry best practices for malware incident mitigation by stopping the spread and cleaning up compromised systems. Progent then started the process of rebuilding Windows Active Directory, the foundation of enterprise environments built on Microsoft technology. Microsoft Exchange Server email will not work without Windows AD, and the customer's financials and MRP system relied on Microsoft SQL Server, which requires Active Directory services for access to the database.
In less than two days, Progent was able to restore Active Directory to its pre-attack state. Progent then charged ahead with rebuilding critical applications and recovering their data. All Microsoft Exchange Server schema and attributes were intact, which greatly helped the rebuild of Exchange. Progent was able to find unencrypted OST files (Outlook Offline Data Files) on staff workstations and laptops and used them to recover email messages. A relatively recent offline backup of the business's accounting/ERP systems made it possible to return these essential services to users. Although significant work remained to recover completely from the Ryuk incident, core systems were returned to operation quickly:
"For the most part, the production operation never missed a beat and we delivered all customer sales."
During the next few weeks important milestones in the restoration project were completed through tight cooperation between Progent consultants and the client:
- In-house web applications were returned to operation with no loss of information.
- The MailStore Exchange Server with over 4 million historical emails was spun up and accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control modules were completely restored.
- A new Palo Alto 850 security appliance was deployed.
- 90% of the user desktops and notebooks were back in use by staff.
"A lot of what occurred in the early hours is nearly entirely a blur for me, but I will not soon forget the care each of the team put in to help get our company back. I've trusted Progent for the past 10 years, possibly more, and every time Progent has outperformed my expectations and delivered as promised. This situation was a Herculean accomplishment."
A probable business extinction event was averted through the efforts of top-tier experts, a broad spectrum of subject matter expertise, and tight collaboration. In hindsight, the crypto-ransomware attack described here would likely have been detected and stopped by up-to-date security technology, recognized best practices, staff training, and well-thought-out incident response procedures covering data backup and timely security patching. The fact remains, however, that government-sponsored cybercriminals from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incident, you can be confident that Progent's roster of professionals has a proven track record in crypto-ransomware defense, remediation, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were involved), thank you for making it so I could get some sleep after we got past the most critical parts. Everyone did an amazing job, and if any of your team is in the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer story, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Expertise in Los Angeles
For ransomware system restoration consulting services in the Los Angeles metro area, call Progent at 800-462-8800 or go to Contact Progent.