Crypto-Ransomware : Your Feared Information Technology Catastrophe
Ransomware has become an all-too-frequent cyberplague that poses an existential threat to businesses unprepared for an attack. Older ransomware families such as Dharma, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for years and still cause harm. Newer families like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit and Nephilim, plus many unnamed variants, not only encrypt online files but also attack whatever system protection and backups they can reach. Files synched to cloud environments can be corrupted as well. In a poorly architected environment, this can make any recovery impossible and effectively knocks the entire system back to zero.
Getting services and data back online after a ransomware outage becomes a race against time as the victim fights to stop lateral movement, remove the ransomware and restore business-critical operations. Because ransomware needs time to spread, attacks are usually launched during nights and weekends, when a successful intrusion may take longer to uncover. This compounds the difficulty of promptly assembling and orchestrating an experienced mitigation team.
Progent offers a variety of services for protecting Glendale businesses from crypto-ransomware events. These include team member education to recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of next-generation security appliances with machine learning technology to quickly detect and suppress zero-day cyber attacks. Progent also provides the assistance of seasoned crypto-ransomware recovery consultants with the track record and perseverance to rebuild a breached environment as urgently as possible.
Progent's Ransomware Recovery Help
After a ransomware penetration, even paying the ransom demand in cryptocurrency does not provide any assurance that merciless criminals will return the keys needed to decrypt your information. Kaspersky Labs found that 17% of ransomware victims never recovered their data even after sending off the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET determined to be around $13,000 for small businesses. The fallback is to piece the critical parts of your Information Technology environment back together. Without access to essential backups, this requires a wide range of skill sets, top-notch project management, and the capability to work continuously until the job is finished.
For two decades, Progent has provided professional Information Technology services for companies across the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have earned advanced certifications in key technologies from Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists hold internationally recognized industry certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications.) Progent also has experience with accounting and ERP software solutions. This breadth of expertise gives Progent the skills to quickly identify essential systems, consolidate the surviving parts of your IT environment after a crypto-ransomware attack, and assemble them into an operational system.
Progent's security team uses powerful project management tools to coordinate the complex recovery process. Progent understands the importance of working quickly and in unison with a customer's management and Information Technology staff to prioritize tasks and get critical services back online as soon as humanly possible.
Customer Case Study: A Successful Ransomware Virus Recovery
A customer hired Progent after their company was brought down by Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state cybercriminals, suspected of using techniques leaked from the United States NSA. Ryuk targets specific companies with limited ability to sustain operational disruption and is among the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company headquartered in the Chicago metro area with about 500 workers. The Ryuk attack had frozen all company operations and manufacturing capabilities. Most of the client's data backups had been directly accessible at the time of the attack and were destroyed. The client was pursuing financing to pay the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.
"I cannot tell you enough about the expertise Progent gave us during the most fearful time of (our) business's existence. We may have had to pay the cyber criminals if it wasn't for the confidence the Progent experts provided us. The fact that you were able to get our e-mail and production applications back on-line quicker than five days was beyond my wildest dreams. Each person I interacted with or communicated with at Progent was amazingly focused on getting us working again and was working 24 by 7 to bail us out."
Progent worked with the client to quickly identify and prioritize the essential areas that had to be recovered before company functions could resume:
- Active Directory (AD)
To begin, Progent followed ransomware incident response best practices by stopping lateral movement and cleaning the malware from affected systems. Progent then began rebuilding Windows Active Directory, the core of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange Server email will not function without Active Directory, and the customer's MRP applications relied on Microsoft SQL Server, which depends on Windows AD to authorize access to the data.
In less than 48 hours, Progent was able to recover Active Directory to its pre-penetration state. Progent then completed setup and storage recovery on critical servers. All Exchange schema and configuration information was intact, which greatly helped the restoration of Exchange. Progent was also able to locate local OST files (Microsoft Outlook Offline Data Files) on various desktop computers to recover email data. A recent offline backup of the customer's accounting software made it possible to bring these required applications back to users. Although a large amount of work remained to recover fully from the Ryuk attack, critical services were returned to operation rapidly:
"For the most part, the production operation ran fairly normally throughout and we made all customer shipments."
Over the next few weeks, key milestones in the restoration project were achieved in close cooperation between Progent engineers and the customer:
- Internal web sites were brought back up without losing any data.
- The MailStore Server, with over 4 million archived messages, was brought online and made available to users.
- CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control capabilities were 100% recovered.
- A new Palo Alto 850 security appliance was installed and configured.
- Most of the user workstations were functioning as before the incident.
"Much of what occurred in the early hours is nearly entirely a blur for me, but we will not forget the care each and every one of you accomplished to give us our company back. I have trusted Progent for at least 10 years, possibly more, and each time I needed help Progent has impressed me and delivered. This situation was a testament to your capabilities."
A potential business extinction catastrophe was averted by dedicated experts, a wide spectrum of knowledge, and close collaboration. In hindsight, the crypto-ransomware attack described here would have been blocked by advanced cyber security systems and recognized best practices: user and IT administrator education, and appropriate procedures for data backup and software patching. The fact remains, however, that government-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and will keep trying. If you do fall victim to ransomware, remember that Progent's roster of professionals has proven experience in ransomware blocking, mitigation, and data restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for making it so I could get some sleep after we made it past the initial push. Everyone made an incredible effort, and if any of you guys are visiting the Chicago area, dinner is on me!"
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)