Ransomware : Your Worst Information Technology Nightmare
Crypto-ransomware has become an all-too-frequent cyberplague that poses an extinction-level danger for organizations unprepared for an assault. Older ransomware families such as the CrySIS, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for a long time and continue to cause damage. Newer variants like Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit and Egregor, plus the as-yet-unnamed strains that appear daily, not only encrypt on-line data but also infiltrate every available system protection. Information replicated to cloud environments can also be rendered useless. In a poorly designed environment, an attack can make any restore operation impossible and effectively set the network back to zero.
Recovering applications and information following a ransomware event becomes a race against time as the targeted business struggles to contain the damage, eradicate the ransomware, and resume enterprise-critical activity. Because crypto-ransomware needs time to spread, attacks are frequently launched on weekends and holidays, when a successful penetration often takes longer to recognize. This multiplies the difficulty of rapidly marshalling and coordinating an experienced response team.
Progent offers a variety of support services for protecting Garland businesses from crypto-ransomware events. These include training that helps team members recognize and avoid phishing attacks, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of next-generation security appliances with AI technology to automatically identify and suppress zero-day cyber threats. Progent also provides the assistance of seasoned crypto-ransomware recovery professionals with the skills and commitment to restore a compromised environment as quickly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware attack, paying the ransom demand in cryptocurrency does not ensure that the criminal gangs will respond with the keys to decrypt any or all of your information. Kaspersky Labs estimated that seventeen percent of crypto-ransomware victims never restored their data even after paying the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is far above the average ransomware demand, which ZDNET estimated to be around $13,000 for smaller organizations. The fallback is to piece the key parts of your IT environment back together. Without complete data backups, this requires a broad complement of IT skills, top-notch project management, and the ability to work continuously until the job is done.
For two decades, Progent has offered expert Information Technology services to companies across the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold advanced industry certifications in foundation technologies from Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise with financial management and ERP software solutions. This breadth of expertise gives Progent the capability to knowledgeably identify the necessary systems, organize the remaining parts of your network environment following a ransomware attack, and assemble them into an operational network.
Progent's recovery group uses best-of-breed project management systems to orchestrate the complex restoration process. Progent understands the urgency of acting quickly and in concert with a client's management and IT resources to prioritize tasks and get key services back on-line as fast as humanly possible.
Client Story: A Successful Crypto-Ransomware Penetration Restoration
A client contacted Progent after their organization was brought down by the Ryuk ransomware virus. Ryuk is generally considered to have been deployed by North Korean state-sponsored cybercriminals, possibly adopting technology leaked from America's NSA. Ryuk targets specific businesses with little tolerance for operational disruption and is one of the most lucrative incarnations of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturer located in Chicago with around 500 employees. The Ryuk intrusion had brought down all company operations and manufacturing capabilities. Most of the client's backups had been on-line at the start of the intrusion and were eventually encrypted. The client was actively seeking loans to pay the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but ultimately reached out to Progent.
"I cannot thank you enough in regards to the expertise Progent gave us throughout the most fearful period of (our) business's existence. We may have had to pay the cyber criminals behind the attack except for the confidence the Progent experts gave us. The fact that you could get our messaging and important applications back online in less than one week was earth shattering. Every single staff member I spoke to or e-mailed at Progent was amazingly focused on getting us working again and was working all day and night to bail us out."
Progent worked together with the client to quickly identify and prioritize the mission-critical elements that needed to be addressed in order to restart business functions:
- Active Directory (AD)
- Electronic Messaging
- Accounting and Manufacturing Software
To start, Progent followed incident response industry best practices for malware outbreaks by stopping lateral movement and disinfecting systems. Progent then began recovering Microsoft Active Directory, the foundation of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange email will not work without Active Directory, and the business's financial and MRP applications relied on SQL Server, which depends on Windows AD to authorize access to the databases.
Within 2 days, Progent was able to restore Active Directory to its pre-intrusion state. Progent then assisted with reinstallations and storage recovery of critical systems. All Exchange links and attributes in AD were intact, which facilitated the restore of Exchange. Progent was able to collect non-encrypted OST data files (Outlook Off-Line Folder Files) from team workstations to recover mail data. A recent offline backup of the customer's financials/ERP systems made it possible to bring these essential applications back on-line. Although a great deal of work remained to recover fully from the Ryuk event, critical systems were recovered quickly:
"For the most part, the production operation survived unscathed and we delivered all customer shipments."
Over the following couple of weeks, critical milestones in the restoration project were reached through tight cooperation between Progent team members and the client:
- Self-hosted web sites were returned to operation with no loss of data.
- The MailStore Server with over 4 million historical emails was brought online and available for users.
- CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory modules were fully functional.
- A new Palo Alto Networks 850 firewall was brought on-line.
- Most of the user PCs were back in use by staff.
"A huge amount of what went on those first few days is nearly entirely a haze for me, but I will not forget the urgency all of you accomplished to give us our company back. I have been working with Progent for at least 10 years, possibly more, and each time I needed help Progent has shined and delivered as promised. This event was no exception but maybe more Herculean."
A potential business disaster was averted through the efforts of top-tier professionals, a wide range of IT skills, and tight collaboration. In retrospect, the ransomware attack described here could have been prevented with advanced security technology, security best practices, staff education, properly executed incident response procedures for data protection, and systems kept up to date with security patches. The fact remains, however, that government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware incursion, you can be confident that Progent's roster of experts has extensive experience in crypto-ransomware blocking, cleanup, and information systems disaster recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for letting me get rested after we got through the initial push. All of you made a fabulous effort, and if any of you guys are visiting the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this customer case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)