Ransomware: Your Worst Information Technology Disaster
Crypto-ransomware has become an all-too-frequent cyber plague that poses an extinction-level threat to businesses of all sizes that are unprepared for an attack. Multiple generations of ransomware such as the CrySIS, Fusob, Locky, Syskey and MongoLock cryptoworms have been running rampant for many years and continue to inflict destruction. Modern versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit and Egregor, along with additional as yet unnamed malware, not only encrypt critical online data but also infect most configured system backups. Files synced to cloud environments can also be ransomed. In a poorly architected environment, this can render automated recovery useless and effectively set the entire system back to square one.
Restoring services and data after a ransomware outage becomes a race against the clock as the targeted organization fights to contain the damage, eradicate the ransomware and resume business-critical operations. Because ransomware requires time to replicate, attacks are frequently sprung at night, when successful attacks typically take longer to uncover. This multiplies the difficulty of rapidly assembling and organizing an experienced mitigation team.
Progent makes available a range of services for protecting Uberlândia businesses from ransomware intrusions. Among these are staff training to help identify and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus installation of modern security solutions with artificial intelligence technology to automatically detect and suppress zero-day cyber threats. Progent in addition provides the assistance of expert ransomware recovery professionals with the talent and commitment to reconstruct a compromised network as urgently as possible.
Progent's Crypto-Ransomware Restoration Help
After a ransomware event, paying the ransom in Bitcoin does not ensure that the criminal gangs will return the keys needed to decrypt your information. Kaspersky determined that 17% of ransomware victims never restored their information after having paid the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNet estimated to be approximately $13,000 for small organizations. The other path is to rebuild the critical elements of your IT environment. Without access to complete system backups, this calls for a wide complement of skill sets, top-notch team management, and the capability to work non-stop until the job is finished.
For two decades, Progent has provided professional IT services to businesses throughout the US and has earned Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who hold high-level certifications in foundation technologies from Microsoft, Cisco and VMware and in popular distributions of Linux. Progent's cybersecurity consultants have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC (see Progent's certifications). Progent also has experience with financial systems and ERP application software. This breadth of expertise enables Progent to efficiently identify critical systems following a ransomware attack, reorganize the surviving parts of your IT environment, and assemble them into a functioning network.
Progent's ransomware team of experts has powerful project management systems to orchestrate the complicated recovery process. Progent knows the importance of acting swiftly and in unison with a client's management and IT resources to prioritize tasks and to get the most important applications back online as fast as humanly possible.
Business Case Study: A Successful Crypto-Ransomware Virus Restoration
A business hired Progent after its network was taken over by the Ryuk crypto-ransomware. Ryuk is generally considered to have been deployed by North Korean government-sponsored criminal gangs, suspected of using techniques leaked from the U.S. National Security Agency. Ryuk goes after specific organizations with little or no tolerance for disruption and is one of the most profitable examples of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business in the Chicago metro area with around 500 workers. The Ryuk intrusion had frozen all essential business operations and manufacturing capabilities. Most of the client's backups had been online at the start of the attack and were encrypted. The client considered paying the ransom (in excess of $200K) and hoping for good luck, but ultimately engaged Progent.
"I cannot speak enough in regards to the care Progent provided us during the most critical time of (our) business's life. We would have had little choice but to pay the criminal gangs if not for the confidence the Progent experts provided us. That you were able to get our e-mail and production applications back into operation in less than seven days was earth-shattering. Every single staff member I got help from or e-mailed at Progent was laser-focused on getting our company operational and was working at breakneck pace on our behalf."
Progent worked with the customer to rapidly understand and prioritize the mission-critical elements that needed to be recovered to make it possible to resume business functions:
- Active Directory (AD)
- MRP System
To begin, Progent followed industry best practices for ransomware mitigation by isolating and disinfecting systems. Progent then began recovering Microsoft Active Directory, the core of enterprise networks built on Microsoft technology. Exchange messaging will not function without Active Directory, and the customer's financials and MRP software relied on SQL Server, which requires Active Directory to authenticate users to the databases.
In less than two days, Progent restored Windows Active Directory to its pre-intrusion state. Progent then carried out reinstallations and hard-drive recovery of the most important systems. All Microsoft Exchange Server ties and configuration information were intact, which accelerated the rebuild of Exchange. Progent was able to collect local OST files (Outlook Offline Folder Files) from staff desktops and laptops in order to recover mail data. A recent offline backup of the customer's financials/ERP software made it possible to bring these essential applications back online. Although a large amount of work remained to recover completely from the Ryuk attack, critical systems were returned to operation rapidly:
"For the most part, the manufacturing operation showed little impact and we produced all customer orders."
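The restoration sequence described above (isolate first, then Active Directory, then the systems that depend on it) can be planned mechanically from a dependency inventory. The following Python is an added example, not Progent's tooling or code from the case study: it uses only the dependencies the narrative names (Exchange and SQL Server need Active Directory; the financials/MRP application sits on SQL Server), and every other service entry and all priority weights are constructed assumptions.

```python
# Recovery-order planner for a ransomware rebuild (added example, not Progent's tooling).
# Dependencies mirror the case study (Exchange and SQL Server need Active Directory;
# financials/MRP sits on SQL Server); other entries and priorities are constructed.
# Constructed inventory: service -> (priority, dependencies); priority 1 is most urgent.
SERVICES = {
    "Active Directory": (1, []),
    "Exchange Server": (1, ["Active Directory"]),
    "SQL Server": (1, ["Active Directory"]),
    "Financials/MRP": (1, ["SQL Server"]),
    "CRM": (2, ["SQL Server"]),                     # assumption
    "MailStore Server": (2, ["Active Directory"]),  # assumption
    "Internal web sites": (3, []),                  # assumption
    "Workstations": (3, ["Active Directory"]),      # assumption
}

def dependents(services, name):
    """Every service that cannot come back until `name` is restored (transitive)."""
    blocked, frontier = set(), [name]
    while frontier:
        current = frontier.pop()
        for svc, (_, deps) in services.items():
            if current in deps and svc not in blocked:
                blocked.add(svc)
                frontier.append(svc)
    return blocked

def recovery_order(services):
    """Kahn's algorithm: each service follows its dependencies; among ready services
    the most urgent goes first, ties break alphabetically so the plan is deterministic.
    Raises ValueError on an unknown dependency or a dependency cycle."""
    for name, (_, deps) in services.items():
        missing = [d for d in deps if d not in services]
        if missing:
            raise ValueError(f"{name} depends on unknown service(s) {missing}")
    pending = {name: set(deps) for name, (_, deps) in services.items()}
    order = []
    while pending:
        ready = sorted((n for n, d in pending.items() if not d),
                       key=lambda n: (services[n][0], n))
        if not ready:
            raise ValueError(f"dependency cycle among {sorted(pending)}")
        order.append(ready[0])
        del pending[ready[0]]
        for deps in pending.values():
            deps.discard(order[-1])
    return order

if __name__ == "__main__":
    print("Restore order:", " -> ".join(recovery_order(SERVICES)))
    print("Blocked until AD is back:", sorted(dependents(SERVICES, "Active Directory")))
```

The `dependents` output is what makes Active Directory the first priority: everything except the stand-alone web sites is blocked until it is back.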
During the next couple of weeks, key milestones in the restoration process were achieved in tight cooperation between Progent engineers and the client:
- In-house web sites were restored with no loss of information.
- The MailStore Server containing more than four million historical messages was restored to operation and made accessible to users.
- CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivable/Inventory Control modules were completely recovered.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- Ninety percent of the desktops and laptops were fully operational.
"A lot of what occurred that first week is mostly a fog for me, but my team will not soon forget the dedication each of you put in to help get our company back. I have been working with Progent for the past 10 years, maybe more, and every time I needed help Progent has shined and delivered. This event was a life saver."
A probable business-killing catastrophe was averted by top-tier experts, a broad array of subject matter expertise, and close collaboration. In retrospect, the crypto-ransomware intrusion detailed here should have been identified and stopped by current cybersecurity solutions and best practices, user training, and appropriate incident response procedures for data protection and software patching; the fact remains that government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you are hit by a ransomware incident, remember that Progent's team of professionals has substantial experience in crypto-ransomware blocking, mitigation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thank you for making it so I could get rested after we got through the initial fire. Everyone did a fabulous effort, and if anyone is visiting the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)