Ransomware: Your Crippling Information Technology Nightmare
Crypto-ransomware has become an all-too-frequent cyber pandemic and presents an existential danger for organizations that are unprepared for an attack. Older families such as Dharma, Fusob, Locky, Syskey and MongoLock have been active for years and continue to inflict damage. Modern strains such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, along with a steady stream of unnamed newcomers, not only encrypt online files but also seek out and encrypt or delete any system backups they can reach. Data replicated to cloud environments can be ransomed as well. In a poorly designed environment this can make automated restoration impossible and effectively sets the datacenter back to zero.
Getting applications and data back following a ransomware outage becomes a race against the clock as the targeted business tries to contain and eradicate the ransomware while resuming business-critical activity. Because ransomware needs time to spread, intrusions are often timed for weekends and holidays, when an attack is likely to go unnoticed longer. This multiplies the difficulty of quickly mobilizing and coordinating an experienced mitigation team.
Progent offers a range of services for protecting Florianópolis organizations from crypto-ransomware attacks. These include staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of current-generation security appliances that use machine learning to detect and quarantine zero-day threats. Progent also provides expert ransomware recovery engineers with the skills and persistence to rebuild a breached environment as quickly as possible.
Progent's Crypto-Ransomware Restoration Services
Following a ransomware attack, even paying the ransom in cryptocurrency does not guarantee that the criminals will hand over the keys to decrypt all your files. Kaspersky Labs estimated that 17% of ransomware victims never recovered their files even after paying, compounding their losses. The gamble is also very expensive. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far higher than typical crypto-ransomware demands, which ZDNet estimated at around $13,000 for smaller organizations. The alternative is to rebuild the essential parts of your IT environment from scratch. Without complete backups, this requires a broad complement of skills, well-coordinated project management, and the ability to work 24x7 until the job is done.
For two decades, Progent has provided certified expert IT services to businesses across the U.S. and holds Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals holding top industry certifications in foundation technologies including Microsoft, Cisco, VMware, and major Linux distributions. Progent's cyber security specialists hold internationally recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC (visit Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of expertise allows Progent to quickly identify the critical systems, salvage the remaining pieces of your network following a ransomware attack, and reassemble them into a working environment.
Progent's ransomware team uses state-of-the-art project management tools to orchestrate the complex restoration process. Progent understands the importance of working rapidly and in unison with a customer's management and IT staff to prioritize tasks and bring the most important systems back online as fast as possible.
Client Case Study: A Successful Crypto-Ransomware Penetration Response
A customer hired Progent after its network was brought down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because of code it shares with the earlier Hermes ransomware, although later analysis pointed to Russian-speaking criminal groups; its operators are suspected of using techniques leaked from the United States National Security Agency. Ryuk targets specific businesses with limited ability to sustain operational disruption and is among the most profitable examples of crypto-ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing business based in Chicago with about 500 employees. The Ryuk attack had halted all company operations and manufacturing. Most of the client's backups had been online when the intrusion began and were eventually encrypted. The client was actively seeking loans to pay the ransom (over $200,000) and hoping for the best, but ultimately brought in Progent.
"I cannot tell you enough about the expertise Progent provided us during the most critical time of (our) company's life. We most likely would have paid the hackers if it wasn't for the confidence the Progent team gave us. That you were able to get our e-mail system and production applications back online in less than a week was amazing. Each expert I worked with or texted at Progent was laser focused on getting us back online and was working 24x7 to bail us out."
Progent worked with the customer to quickly identify and prioritize the critical applications that had to be restored before business operations could resume:
- Microsoft Active Directory
- Electronic Messaging
- Accounting and Manufacturing Software
To start, Progent followed incident response best practices by containing the spread and removing the active malware. Progent then began bringing Windows Active Directory back online, since it is the core of any environment built on Microsoft Windows Server. Microsoft Exchange will not function without Active Directory, and the business's MRP system ran on Microsoft SQL Server, which relied on Active Directory for authentication to its databases.
Within 48 hours, Progent had restored Active Directory services to their pre-intrusion state. Progent then pressed ahead with rebuilding servers and recovering data for the mission-critical applications. The Exchange schema extensions and attributes in Active Directory were intact, which accelerated the Exchange restore. Progent was also able to collect local OST files (Microsoft Outlook Offline Data Files) from user PCs and laptops to recover mail data. A relatively recent offline backup of the customer's accounting systems made it possible to bring those vital applications back online. Although much work remained to recover fully from the Ryuk attack, core services were restored quickly:
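The restore order above (contain, then Active Directory, then Exchange, then mail data salvaged from OST files, then accounting from an offline backup) is a checklist a recovery team can verify step by step. The PowerShell below is an added example written for this page, not Progent's tooling; the hostnames, service account name and cutoff date in it are placeholders (assumptions), and it assumes an elevated session on a domain-joined machine with the RSAT Active Directory module and repadmin/dcdiag available.

```powershell
# Added example (not Progent's tooling): post-recovery sanity checks for the
# restore order described in the case study. Run from an elevated PowerShell
# session on a domain-joined admin workstation with RSAT installed.
# Hostnames, account names and the cutoff date are assumed placeholders.

Import-Module ActiveDirectory

# 1. Confirm the restored forest has its FSMO role holders and that every DC
#    replicates. Role holders must be reachable before Exchange is touched.
$domain = Get-ADDomain
$forest = Get-ADForest
[pscustomobject]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
} | Format-List

# repadmin and dcdiag ship with RSAT / the AD DS role. /replsummary reports
# per-DC replication failures; dcdiag /q prints only errors.
repadmin /replsummary
dcdiag /q

# 2. Check that the Exchange schema extensions survived. rangeUpper on the
#    ms-Exch-Schema-Version-Pt object is the Exchange schema version; if the
#    object is missing, Exchange setup /PrepareSchema must run before any
#    Exchange server can be restored into this forest.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$exchSchema = Get-ADObject -Filter 'name -eq "ms-Exch-Schema-Version-Pt"' `
    -SearchBase $schemaNC -Properties rangeUpper -ErrorAction SilentlyContinue
if ($exchSchema) {
    "Exchange schema present, rangeUpper = $($exchSchema.rangeUpper)"
} else {
    Write-Warning "Exchange schema extensions not found in $schemaNC"
}

# 3. Confirm the service account and computer object that the MRP system's
#    SQL Server uses for Windows authentication still exist in the restored
#    directory. 'svc-mrp-sql' and 'MRPSQL01' are assumed names.
Get-ADUser -Filter "sAMAccountName -eq 'svc-mrp-sql'" |
    Select-Object Name, Enabled
Get-ADComputer -Filter "Name -eq 'MRPSQL01'" -Properties LastLogonDate |
    Select-Object Name, Enabled, LastLogonDate

# 4. Inventory Outlook OST files on a list of workstations so mail data can
#    be copied off before mailboxes are re-created. Outlook's default OST
#    location is %LOCALAPPDATA%\Microsoft\Outlook. Only files written after
#    the last good backup are of interest; the cutoff is a placeholder.
$workstations = 'WS-001', 'WS-002'   # assumed hostnames
$cutoff       = Get-Date '2019-01-01'  # assumed: date of last good backup
$osts = Invoke-Command -ComputerName $workstations -ScriptBlock {
    Get-ChildItem -Path 'C:\Users\*\AppData\Local\Microsoft\Outlook' `
        -Filter '*.ost' -Recurse -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
} -ErrorAction SilentlyContinue
$osts | Where-Object LastWriteTime -gt $cutoff |
    Sort-Object PSComputerName, FullName |
    Format-Table PSComputerName, FullName,
        @{ n = 'MB'; e = { [math]::Round($_.Length / 1MB) } }, LastWriteTime
```

Steps 1 and 2 are the gate for the Exchange restore: a healthy set of role holders and an intact Exchange schema are what allowed the case-study team to skip re-extending the schema. Step 4 only inventories the files; copy them to a clean share, not to a host that has not yet been rebuilt, and treat any OST whose timestamp falls after the intrusion as possibly encrypted or tampered with.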
"For the most part, the production line operation never missed a beat and we produced all customer sales."
Over the following month, important milestones in the restoration were reached through close cooperation between Progent engineers and the customer:
- Internal web sites were brought back up without any data loss.
- The MailStore email archive, holding more than four million historical Exchange messages, was brought online and made accessible to users.
- CRM, orders, invoicing, accounts payable (AP), accounts receivable (AR) and inventory control modules were 100 percent operational.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- 90% of user desktops and notebooks were back in use by staff.
"So much of what occurred in the early hours is almost entirely a haze for me, but I will not forget the care each and every one of your team took to give us our company back. I have utilized Progent for at least 10 years, possibly more, and every time I needed help Progent has shined and delivered as promised. This event was a life saver."
A likely business-killing disaster was averted by hard-working experts, a wide spectrum of knowledge, and tight teamwork. Post-incident analysis showed that the ransomware intrusion described here could have been detected and blocked with modern security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and properly executed backup and patching procedures. Even so, the reality remains that state-sponsored and criminal cyber gangs from Russia, China and elsewhere are tireless and an ongoing threat. If you do fall victim to a crypto-ransomware attack, you can be confident that Progent's roster of professionals has substantial experience in ransomware defense, cleanup, and data recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), I'm grateful for letting me get rested after we got through the first week. Everyone made an incredible effort, and if any of your guys are visiting the Chicago area, dinner is the least I can do!"
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this case study, click:
Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB)