Ransomware: Your Crippling IT Disaster
Ransomware has become a modern cyber plague that poses an enterprise-level danger to businesses of all sizes. Older families such as Dharma, WannaCry, Locky, SamSam and MongoLock have been circulating for years and still inflict harm. Newer strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Egregor, plus a daily stream of unnamed malware, not only encrypt online files but also delete or encrypt any reachable shadow copies, system restore points and backups. Data synchronized to the cloud can be encrypted along with it. In a vulnerable environment this can make automated recovery impossible and knocks the entire system back to square one.
Recovering applications and data after a ransomware intrusion becomes a race against the clock as the victim tries to stop the spread, clean up the ransomware and restore business-critical activity. Because the encryption stage takes time to run across a network, attacks are often launched on weekends and at night, when they are likely to take longer to detect. This compounds the difficulty of quickly mobilizing and organizing a capable response team.
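The backup-destruction behaviour described above leaves a telemetry trail before any file is encrypted: Ryuk and similar families delete shadow copies and disable Windows recovery with ordinary command-line tools. As an added example, not code from the original page or from Progent, the Python below scans process-creation log lines for those commands and flags hosts where several distinct recovery-disabling commands cluster, which is the pre-encryption staging pattern rather than routine administration. The log format, host names, accounts and event lines are all constructed for the example (a simplified text export, not a real Windows event log); the command patterns themselves are the well-documented ones.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Command lines that ransomware such as Ryuk and Conti runs before encryption
# to destroy local recovery points. Each rule is a case-insensitive regex
# applied to the full command line of a process-creation event.
TAMPER_RULES = {
    "shadow_copy_delete":    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "shadow_storage_resize": re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I),
    "wmic_shadow_delete":    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "backup_catalog_delete": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)\b", re.I),
    "recovery_disabled":     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "boot_failures_ignored": re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
}

# Hypothetical one-line-per-event text format (an assumption for this example):
#   <utc-timestamp> host=<name> event=<id> user=<account> cmd="<command line>"
EVENT_LINE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+event=(?P<event>\d+)\s+'
    r'user=(?P<user>\S+)\s+cmd="(?P<cmd>[^"]*)"\s*$'
)

# Constructed sample telemetry, not real data. FILESRV01 shows the staging
# burst; WKSTN-17 and SQL01 show benign or isolated activity that should not
# by itself trigger an escalation.
SAMPLE_EVENTS = r"""
# constructed sample log
2021-03-06T02:14:07Z host=FILESRV01 event=4688 user=CORP\svc_backup cmd="wbadmin start backup -backupTarget:E: -include:D: -quiet"
2021-03-06T02:41:19Z host=FILESRV01 event=4688 user=CORP\Administrator cmd="C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"
2021-03-06T02:41:20Z host=FILESRV01 event=4688 user=CORP\Administrator cmd="wmic shadowcopy delete"
2021-03-06T02:41:22Z host=FILESRV01 event=4688 user=CORP\Administrator cmd="bcdedit /set {default} recoveryenabled No"
2021-03-06T02:41:23Z host=FILESRV01 event=4688 user=CORP\Administrator cmd="bcdedit /set {default} bootstatuspolicy ignoreallfailures"
2021-03-06T02:45:01Z host=WKSTN-17 event=4688 user=CORP\jdoe cmd="vssadmin list shadows"
2021-03-06T02:46:30Z host=SQL01 event=4688 user=CORP\dba cmd="cmd.exe /c vssadmin delete shadows /for=D: /oldest"
2021-03-06T02:47:00Z host=SQL01 event=4689 user=CORP\dba cmd="cmd.exe"
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    rule: str
    cmd: str


def parse_event(line):
    """Return the event fields as a dict, or None if the line is not an event."""
    m = EVENT_LINE.match(line)
    return m.groupdict() if m else None


def scan_events(text):
    """Return one Alert per (process-creation event, matching rule) pair."""
    alerts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ev = parse_event(line)
        # 4688 is the Windows Security process-creation event; ignore the rest.
        if ev is None or ev["event"] != "4688":
            continue
        for rule, pattern in TAMPER_RULES.items():
            if pattern.search(ev["cmd"]):
                alerts.append(Alert(ev["ts"], ev["host"], ev["user"], rule, ev["cmd"]))
    return alerts


def hosts_with_staging(alerts, min_rules=2):
    """Hosts where at least `min_rules` distinct tampering rules fired.

    A single shadow-copy deletion can be an administrator freeing disk space;
    several different recovery-disabling commands on one host is the
    pre-encryption pattern and warrants immediate isolation of that host."""
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a.host].add(a.rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.ts} {a.host} {a.user} [{a.rule}] {a.cmd}")
    print("hosts to isolate:", hosts_with_staging(found))
```

Each individual rule fires on legitimate administration from time to time, so the per-host aggregation is the part worth tuning: in a real deployment the grouping would use a time window rather than a whole log batch, and the alert should carry the account that ran the commands, since in the case study below that account turned out to be the key to how far the attacker had already spread.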
Progent offers a range of support services for securing Eugene businesses against ransomware. These include training to help staff recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of current-generation security appliances with artificial intelligence capabilities to automatically identify and block zero-day attacks. Progent also offers the assistance of expert ransomware recovery engineers with the track record and commitment to redeploy a breached network as quickly as possible.
Progent's Crypto-Ransomware Recovery Services
After a ransomware penetration, paying the ransom in Bitcoin does not guarantee that the criminals will hand over the keys to decrypt all your data. Kaspersky Labs determined that 17% of ransomware victims never recovered their files even after paying, compounding their losses. The gamble is also very costly. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far higher than typical ransomware demands, which ZDNet put at around $13,000 for smaller businesses. The alternative is to rebuild the vital components of your IT environment. Without complete, uncompromised backups, this requires a broad complement of skills, first-rate project management, and the ability to work 24x7 until the job is done.
For decades, Progent has provided professional IT services to businesses across the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who hold top certifications in leading technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's security engineers hold internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC and GIAC (see Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of experience lets Progent knowledgeably identify the systems that matter, consolidate the surviving pieces of your IT environment after a ransomware penetration, and rebuild them into a functioning whole.
Progent's recovery team of experts has state-of-the-art project management systems to orchestrate the complicated restoration process. Progent knows the importance of acting rapidly and in unison with a client's management and IT resources to prioritize tasks and to get the most important services back on line as fast as possible.
Case Study: A Successful Crypto-Ransomware Intrusion Restoration
A business engaged Progent after its network was attacked by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, but later analysis tied it to Russian-speaking criminal groups. Ryuk targets specific companies with little or no tolerance for disruption and is one of the most profitable ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company located in Chicago with around 500 employees. The Ryuk event had shut down all business operations and manufacturing processes. Most of the client's backups had been online when the intrusion began and were eventually encrypted. The client was actively seeking loans to pay the ransom (over $200,000) and hoping for the best, but in the end engaged Progent.
"I can't speak enough in regards to the help Progent provided us throughout the most critical time of (our) business's existence. We may have had to pay the cyber criminals if it wasn't for the confidence the Progent team afforded us. The fact that you were able to get our e-mail and critical servers back into operation in less than seven days was incredible. Every single person I talked with or texted at Progent was laser focused on getting us back online and was working 24 by 7 to bail us out."
Progent worked with the client to quickly understand and prioritize the critical areas that had to be recovered before company operations could resume:
- Windows Active Directory
- Electronic Mail
- Accounting and Manufacturing Software
To begin, Progent followed ransomware incident mitigation best practices by halting lateral movement and cleaning up infected systems. Progent then began rebuilding Active Directory, the heart of any enterprise environment built on Microsoft technology. Microsoft Exchange Server will not operate without AD, and the customer's financial and MRP applications used SQL Server, which relied on Active Directory for Windows authentication to the databases.
Within two days, Progent restored Active Directory services to their pre-intrusion state. Progent then helped set up and recover storage on the mission-critical servers. All Exchange Server data and configuration information were intact, which accelerated the rebuild of Exchange. Progent located unencrypted OST files (Outlook Offline Storage files) on various PCs and used them to recover mail data. A relatively recent offline backup of the client's manufacturing systems made it possible to bring these essential applications back into service. Although major work remained to recover completely from the Ryuk event, the most important services were restored quickly:
"For the most part, the manufacturing operation showed little impact and we delivered all customer shipments."
During the following month key milestones in the restoration project were accomplished through close collaboration between Progent engineers and the client:
- Internal web applications were returned to operation without losing any data.
- The MailStore Server containing more than 4 million historical messages was brought on-line and accessible to users.
- CRM, Customer Orders, Invoices, Accounts Payable, Accounts Receivable and Inventory Control functions were 100% functional.
- A new Palo Alto Networks PA-850 firewall was deployed.
- 90% of the user desktops were fully operational.
"A lot of what transpired in the initial days is nearly entirely a blur for me, but we will not forget the urgency each of the team put in to give us our company back. I have been working together with Progent for the past ten years, possibly more, and each time Progent has impressed me and delivered. This event was a life saver."
A potentially business-killing catastrophe was avoided by hard-working experts, a wide range of IT skills, and tight collaboration. Post-incident forensics showed that the Ryuk incident described here should have been prevented by modern security technology and recognized best practices: user training, well-designed incident response procedures, offline backups, and timely security patching. Nevertheless, state-sponsored and criminal attackers from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you are hit by a ransomware attack, remember that Progent's team of experts has extensive experience in ransomware defense, mitigation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thanks very much for letting me get rested after we got through the first week. Everyone made a fabulous effort, and if any of you guys are around the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)