Ransomware: Your Crippling Information Technology Catastrophe
Crypto-ransomware has become an escalating cyberplague that poses an extinction-level danger for businesses vulnerable to an assault. Different iterations of ransomware such as the CryptoLocker, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for years and still cause damage. Modern variants of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Egregor, as well as additional as yet unnamed malware, not only encrypt online data files but also infect most configured system backups. Information replicated to off-site disaster recovery sites can also be encrypted. In a poorly designed data protection solution, this can render automated restore operations impossible and effectively sets the datacenter back to square one.
Retrieving services and data after a ransomware outage becomes a race against time as the targeted business fights to stop the spread, clean up the crypto-ransomware, and restore mission-critical activity. Because ransomware takes time to replicate, assaults are usually launched during weekends and nights, when attacks typically take longer to uncover. This multiplies the difficulty of quickly marshalling and orchestrating a qualified response team.
Progent has an assortment of services for protecting Londrina enterprises from ransomware events. These include team member training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of modern security solutions with artificial intelligence technology to rapidly discover and suppress zero-day cyber attacks. Progent can in addition provide the services of veteran ransomware recovery consultants with the skills and perseverance to reconstruct a compromised network as soon as possible.
Progent's Ransomware Restoration Support Services
After a ransomware attack, even paying the ransom in Bitcoin cryptocurrency does not provide any assurance that the distant criminals will respond with the keys needed to decipher all your information. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never recovered their information after having sent off the ransom, resulting in further losses. The ransom itself is also very costly. Ryuk ransoms often range from 15 to 40 BTC ($120,000 to $400,000). This is far higher than the typical ransomware demand, which ZDNET estimated to be approximately $13,000 for smaller businesses. The alternative is to set up the key components of your IT environment from scratch. Without the availability of complete data backups, this calls for a wide range of skill sets, top-notch project management, and the ability to work continuously until the recovery project is done.
For two decades, Progent has offered professional IT services for companies throughout the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have earned advanced industry certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have garnered internationally renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience in financial systems and ERP application software. This breadth of experience gives Progent the skills to efficiently understand important systems, consolidate the surviving parts of your IT environment after a ransomware event, and assemble them into an operational network.
Progent's recovery team of experts uses state-of-the-art project management systems to orchestrate the complicated restoration process. Progent understands the importance of working quickly and in unison with a customer's management and Information Technology resources to prioritize tasks and to get the most important applications back on line as soon as humanly possible.
Customer Case Study: A Successful Ransomware Intrusion Response
A small business hired Progent after their network system was brought down by the Ryuk ransomware virus. Ryuk is generally considered to have been launched by North Korean state criminal gangs, possibly using techniques exposed from the U.S. National Security Agency. Ryuk goes after specific businesses with limited ability to sustain operational disruption and is among the most profitable iterations of ransomware. Highly publicized victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing company headquartered in Chicago with about 500 staff members. The Ryuk event had paralyzed all business operations and manufacturing capabilities. The majority of the client's information backups had been on-line at the beginning of the attack and were damaged. The client was pursuing financing to pay the ransom (exceeding two hundred thousand dollars) and hoping for good luck, but in the end brought in Progent.
"I cannot thank you enough for the help Progent gave us throughout the most critical time of (our) business's life. We most likely would have paid the hackers behind this attack except for the confidence the Progent group provided us. The fact that you could get our e-mail system and essential applications back into operation in fewer than seven days was beyond my wildest dreams. Every single consultant I talked with or communicated with at Progent was urgently focused on getting us back on-line and was working non-stop to bail us out."
Progent worked with the customer to quickly understand and prioritize the critical areas that had to be addressed to make it possible to resume business operations:
- Active Directory (AD)
- Microsoft Exchange Email
To get going, Progent adhered to anti-virus incident response best practices by halting lateral movement and removing active viruses. Progent then initiated the work of recovering Windows Active Directory, the foundation of enterprise networks built on Microsoft Windows Server technology. Exchange email will not work without Windows AD, and the business's MRP applications leveraged Microsoft SQL Server, which depends on Active Directory services for access to the database.
In less than 48 hours, Progent was able to rebuild Windows Active Directory to its pre-penetration state. Progent then performed setup and storage recovery on mission-critical applications. All Exchange Server data and configuration information were usable, which greatly helped the restoration of Exchange. Progent was able to collect non-encrypted OST files (Outlook Offline Data Files) from user desktop computers and laptops in order to recover email information. A fairly recent off-line backup of the client's manufacturing software made it possible to bring these vital programs back to users. Although a lot of work remained to recover completely from the Ryuk damage, essential systems were recovered quickly:
"For the most part, the production operation was never shut down and we delivered all customer deliverables."
Throughout the following couple of weeks, key milestones in the restoration process were reached in tight collaboration between Progent consultants and the client:
- Self-hosted web applications were brought back up with no loss of information.
- The MailStore Microsoft Exchange Server containing more than 4 million historical messages was restored to operations and accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory functions were completely operational.
- A new Palo Alto Networks 850 security appliance was set up.
- Ninety percent of the user desktops and notebooks were back in use by staff.
"A huge amount of what happened those first few days is mostly a haze for me, but we will not forget the dedication all of you put in to help get our business back. I have trusted Progent for the past 10 years, maybe more, and every time Progent has outperformed my expectations and delivered as promised. This time was a life saver."
A possible company-ending catastrophe was averted thanks to results-oriented professionals, a broad array of technical expertise, and close teamwork. Forensics later showed that the ransomware incident detailed here should have been identified and disabled by current security solutions and recognized best practices: team education, appropriate security procedures for information backup, and proper patching controls. The reality, however, is that state-sponsored hackers from Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a crypto-ransomware attack, you can be confident that Progent's team of professionals has substantial experience in crypto-ransomware virus blocking, mitigation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were involved), thanks very much for letting me get some sleep after we made it past the first week. Everyone made an amazing effort, and if any of your team is around the Chicago area, dinner is the least I can do!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)