Ransomware: Your Crippling IT Catastrophe
Crypto-ransomware has become an escalating cyber plague and represents an existential threat for businesses of all sizes that are unprepared for an attack. Versions of ransomware such as CrySIS, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for years and still cause havoc. Newer strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nefilim, along with additional as yet unnamed newcomers, not only encrypt online critical data but also infiltrate any accessible system protection. Information synchronized to the cloud can also be ransomed. In a poorly designed system, this can make automated restore operations impossible and effectively sets the entire system back to square one.
Getting applications and data back online following a ransomware attack becomes a sprint against the clock as the targeted business struggles to stop lateral movement, clean up the malware, and restore business-critical operations. Because crypto-ransomware requires time to spread, assaults are frequently launched on weekends, when attacks typically take more time to discover. This compounds the difficulty of rapidly marshalling and organizing a capable response team.
Progent offers a variety of support services for protecting Fort Worth businesses from ransomware attacks. Among these are staff education to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of next-generation security gateways with artificial intelligence technology to automatically identify and extinguish new cyber attacks. Progent also offers the assistance of veteran crypto-ransomware recovery consultants with the skills and commitment to restore a breached network as urgently as possible.
Progent's Ransomware Recovery Services
Following a ransomware penetration, paying the ransom demand in cryptocurrency does not ensure that distant criminals will provide the keys to decrypt all your data. Kaspersky ascertained that seventeen percent of ransomware victims never recovered their information after having paid the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC ($120,000 to $400,000). This is significantly above the usual crypto-ransomware demand, which ZDNET determined to be approximately $13,000 for small businesses. The other path is to set up the key elements of your IT environment from scratch. Without access to complete information backups, this calls for a wide complement of IT skills, professional team management, and the willingness to work 24x7 until the job is finished.
For twenty years, Progent has made available professional IT services for companies throughout the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have attained advanced certifications in leading technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have garnered internationally recognized industry certifications including CISA, CISSP, CRISC, and GIAC. (Visit Progent's certifications.) Progent also has experience in accounting and ERP application software. This breadth of expertise gives Progent the capability to quickly understand critical systems, consolidate the remaining components of your network after a ransomware attack, and assemble them into a functioning network.
Progent's ransomware team has powerful project management applications to orchestrate the complicated restoration process. Progent knows the importance of working quickly and in concert with a customer's management and IT team members to prioritize tasks and to put key applications back online as soon as possible.
Customer Case Study: A Successful Ransomware Penetration Recovery
A business hired Progent after their organization was taken over by the Ryuk crypto-ransomware. Ryuk is generally considered to have been launched by North Korean government-sponsored hackers, possibly using algorithms leaked from the U.S. NSA. Ryuk attacks specific organizations with little tolerance for disruption and is one of the most lucrative versions of ransomware. Highly publicized victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business located in Chicago with around 500 workers. The Ryuk penetration had disabled all essential operations and manufacturing processes. Most of the client's information backups had been online at the start of the attack and were encrypted. The client was pursuing financing for paying the ransom (exceeding two hundred thousand dollars) and praying for the best, but in the end engaged Progent.
"I can't speak enough in regards to the help Progent gave us during the most fearful period of (our) company's survival. We would have paid the cyber criminals if it wasn't for the confidence the Progent experts provided us. The fact that you were able to get our e-mail system and critical servers back on-line sooner than five days was incredible. Every single expert I spoke to or texted at Progent was urgently focused on getting us working again and was working 24/7 on our behalf."
Progent worked hand in hand with the customer to quickly assess and prioritize the critical systems that had to be restored to make it possible to continue business functions:
- Microsoft Active Directory
- Electronic Mail
- Accounting and Manufacturing Software
To start, Progent followed ransomware incident response best practices by halting the spread and cleaning up compromised systems. Progent then began the task of restoring Active Directory, the foundation of enterprise networks built on Microsoft Windows technology. Microsoft Exchange email will not work without AD, and the customer's MRP system used SQL Server, which depends on Windows AD for access to the database.
In less than 48 hours, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then initiated the rebuilding and storage recovery of key servers. All Exchange Server links and attributes were intact, which greatly helped the rebuild of Exchange. Progent was also able to locate non-encrypted OST files (Outlook Off-Line Data Files) on user workstations and laptops in order to recover email messages. A recent off-line backup of the customer's manufacturing software made it possible to bring these required services back online. Although a large amount of work remained to recover completely from the Ryuk attack, critical services were recovered quickly:
"For the most part, the production operation showed little impact and we produced all customer shipments."
Over the following month critical milestones in the recovery project were accomplished in close collaboration between Progent consultants and the customer:
- Self-hosted web sites were restored without losing any information.
- The MailStore Microsoft Exchange Server with over 4 million archived messages was brought online and available for users.
- CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control modules were completely restored.
- A new Palo Alto 850 security appliance was installed.
- Ninety percent of the user desktops and notebooks were operational.
"Much of what occurred those first few days is nearly entirely a haze for me, but my team will not soon forget the countless hours all of you put in to help get our company back. I have entrusted Progent for the past ten years, possibly more, and each time I needed help Progent has impressed me and delivered as promised. This time was a testament to your capabilities."
A probable enterprise-killing disaster was averted through the efforts of dedicated professionals, a wide spectrum of subject matter expertise, and close teamwork. In retrospect, the ransomware penetration detailed here could have been blocked with advanced security technology, recognized best practices, user and IT administrator education, and well-designed incident response procedures for backup and software patching. The reality remains, however, that state-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and will continue. If you do get hit by a crypto-ransomware incident, remember that Progent's roster of experts has substantial experience in ransomware defense, cleanup, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were contributing), thanks very much for letting me get some sleep after we got through the first week. Everyone did a fabulous job, and if any of your team is visiting the Chicago area, a great meal is my treat!"
Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)