Ransomware: Your Crippling Information Technology Catastrophe
Ransomware has become a modern cyber pandemic that poses an extinction-level danger for organizations poorly prepared for an attack. Crypto-ransomware families such as the Dharma, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been in the wild for years and continue to inflict destruction. Newer strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit and Egregor, plus more unnamed newcomers, not only encrypt on-line data but also infect any system backups they can reach. Information replicated to off-site disaster recovery sites can also be corrupted. In a poorly designed data protection solution, this can make automated restore operations impossible and effectively sets the entire system back to square one.
Getting on-line services and data back following a ransomware intrusion becomes a sprint against time as the victim struggles to contain the damage, eradicate the malware, and restore enterprise-critical activity. Because ransomware takes time to spread, attacks are often launched during weekends and nights, when successful penetrations tend to take longer to detect. This multiplies the difficulty of promptly marshalling and organizing a capable mitigation team.
Progent offers an assortment of services for securing enterprises from ransomware events. These include team training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and installation of the latest generation of security solutions with artificial intelligence capabilities to automatically identify and suppress zero-day threats. Progent can also provide the assistance of expert ransomware recovery engineers with the track record and perseverance to restore a breached system as quickly as possible.
Progent's Crypto-Ransomware Restoration Support Services
Soon after a ransomware penetration, paying the ransom demand in Bitcoin cryptocurrency does not guarantee that distant criminals will respond with the keys to decrypt any of your files. Kaspersky determined that seventeen percent of ransomware victims never recovered their information after having sent off the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the usual ransomware demand, which ZDNET estimated to be in the range of $13,000 for smaller organizations. The other path is to re-install the essential elements of your IT environment. Absent complete data backups, this requires a wide range of skills, professional project management, and the capability to work non-stop until the job is finished.
For twenty years, Progent has provided expert IT services for companies throughout the US and has achieved Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have earned advanced certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have earned internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has experience in financial systems and ERP software solutions. This breadth of experience gives Progent the capability to knowledgeably identify critical systems, consolidate the remaining components of your Information Technology system following a crypto-ransomware attack, and assemble them into an operational network.
Progent's recovery team uses state-of-the-art project management applications to coordinate the complex restoration process. Progent understands the importance of working quickly and in concert with a customer's management and Information Technology team members to prioritize tasks and to put key systems back on line as soon as humanly possible.
Customer Story: A Successful Crypto-Ransomware Penetration Restoration
A small business contacted Progent after their company was taken over by Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state-sponsored cybercriminals, suspected of adopting techniques leaked from America's NSA. Ryuk seeks out specific businesses with limited room for operational disruption and is one of the most profitable incarnations of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing business headquartered in Chicago with around 500 staff members. The Ryuk intrusion had brought down all essential operations and manufacturing capabilities. Most of the client's backups were on-line at the start of the intrusion and were eventually encrypted. The client was evaluating paying the ransom (in excess of $200,000) and hoping for the best, but ultimately engaged Progent.
"I can't speak enough about the help Progent provided us during the most critical period of (our) company's life. We may have had to pay the criminal gangs except for the confidence the Progent team provided us. The fact that you were able to get our e-mail system and key applications back sooner than seven days was beyond my wildest dreams. Each staff member I interacted with or communicated with at Progent was amazingly focused on getting us back on-line and was working 24 by 7 to bail us out."
Progent worked hand in hand with the client to quickly determine and prioritize the mission-critical areas that had to be recovered in order to resume business operations:
To begin, Progent followed ransomware incident mitigation best practices by halting the spread and cleaning up infected systems. Progent then started the task of bringing Windows Active Directory back online, the key technology of enterprise systems built upon Microsoft Windows Server. Exchange email will not function without AD, and the client's MRP applications relied on SQL Server, which depends on Active Directory for authentication to the database.
- Microsoft Active Directory
- Electronic Mail
- MRP System
In less than 2 days, Progent was able to restore Active Directory services to their pre-attack state. Progent then performed rebuilding and hard drive recovery on mission-critical applications. All Exchange Server schema and configuration information was usable, which facilitated the rebuild of Exchange. Progent was able to collect local OST files (Outlook Offline Folder Files) from team workstations and laptops in order to recover email messages. A recent offline backup of the client's financials/MRP software made it possible to restore these required services to users. Although a large amount of work still had to be done to recover fully from the Ryuk damage, core services were recovered rapidly:
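The restore sequence above is a dependency problem: Active Directory had to come back before Exchange and SQL Server, and SQL Server before the MRP system. As an added example (not Progent's code or tooling), the planner below turns such a service dependency map into restore waves, where every service in a wave can be rebuilt in parallel once earlier waves are running, and flags a cycle that would make the plan impossible. The Exchange, SQL Server and MRP edges come from the case study; the MailStore and intranet edges are assumptions for illustration.

```python
"""Restore-order planner for a ransomware recovery dependency graph."""

# Constructed dependency map: service -> services that must be running first.
# Edges marked (page) are stated in the case study; the others are assumptions.
SERVICE_DEPS = {
    "Active Directory": [],
    "Exchange": ["Active Directory"],            # (page) Exchange needs AD
    "SQL Server": ["Active Directory"],          # (page) SQL auth relies on AD
    "MRP": ["SQL Server"],                       # (page) MRP runs on SQL Server
    "MailStore": ["Exchange"],                   # assumption: archive attaches to Exchange
    "Intranet web sites": ["Active Directory"],  # assumption: web SSO via AD
}


def restore_waves(deps):
    """Return restore waves (each a sorted list) in dependency order.

    Uses Kahn's algorithm: a wave is every service whose dependencies are
    all satisfied by earlier waves. Raises ValueError naming the services
    stuck in a dependency cycle, which a recovery lead must break by hand.
    """
    remaining = {svc: set(d) for svc, d in deps.items()}
    # A dependency that is not itself a key is a leaf service with no deps.
    for dep in {x for ds in deps.values() for x in ds}:
        remaining.setdefault(dep, set())
    waves = []
    while remaining:
        ready = sorted(svc for svc, d in remaining.items() if not d)
        if not ready:
            raise ValueError("dependency cycle among: " + ", ".join(sorted(remaining)))
        waves.append(ready)
        for svc in ready:
            del remaining[svc]
        for d in remaining.values():
            d.difference_update(ready)
    return waves


def restore_order(deps):
    """Flatten the waves into a single ordered restore checklist."""
    return [svc for wave in restore_waves(deps) for svc in wave]


if __name__ == "__main__":
    for i, wave in enumerate(restore_waves(SERVICE_DEPS), 1):
        print(f"wave {i}: {', '.join(wave)}")
```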
"For the most part, the production line operation never missed a beat and we made all customer sales."
Throughout the following few weeks important milestones in the restoration project were accomplished through close cooperation between Progent engineers and the client:
- In-house web sites were restored without losing any information.
- The MailStore Server holding more than 4 million historical emails was brought on-line and made accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/AR/Inventory modules were 100% restored.
- A new Palo Alto Networks 850 security appliance was installed.
- 90% of user workstations were back in use by staff.
"Much of what went on those first few days is mostly a fog for me, but my team will not forget the dedication each and every one of your team accomplished to give us our company back. I have utilized Progent for the past ten years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered. This situation was a Herculean accomplishment."
A possible enterprise-killing catastrophe was avoided thanks to hard-working experts, a wide spectrum of knowledge, and close teamwork. Although in hindsight the ransomware attack described here could have been prevented with modern security technology, recognized best practices, staff training, and properly executed procedures for information backup and patching controls, the fact is that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and will keep attacking. If you do fall victim to a ransomware incident, remember that Progent's team of experts has a proven track record in crypto-ransomware defense, removal, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were helping), I'm grateful for making it so I could get some sleep after we got past the first week. Everyone did a fabulous effort, and if anyone that helped is in the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this customer story, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Crypto-Ransomware Remediation Expertise
For 24/7 ransomware remediation services, reach out to Progent at 800-993-9400 or go to Contact Progent.