Ransomware: Your Feared Information Technology Catastrophe
Ransomware has become a modern cyber pandemic that represents an enterprise-level danger for any business vulnerable to an attack. Older ransomware families such as CrySIS, CryptoWall, Bad Rabbit, Syskey and MongoLock have been around for a long time and still inflict havoc. Newer families such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Nephilim, along with unnamed malware appearing daily, not only encrypt online data but also reach most configured system backups. Files synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly designed environment, this can make any restoration impossible and effectively knocks the entire system back to zero.
Getting applications and data back after a crypto-ransomware attack becomes a race against the clock as the targeted business struggles to stop lateral movement, clean up the crypto-ransomware, and restore business-critical activity. Because ransomware needs time to spread, attacks are often launched on weekends and holidays, when successful penetrations typically take longer to discover. This compounds the difficulty of quickly mobilizing and coordinating a knowledgeable response team.
Progent offers a range of services for protecting Shreveport businesses from ransomware events. These include staff training to help identify and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of modern security gateways with artificial intelligence technology to detect and suppress zero-day cyber attacks. Progent can also provide expert crypto-ransomware recovery consultants with the skills and commitment to restore a breached environment as quickly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware event, paying the ransom in Bitcoin does not guarantee that the attackers will respond with the keys needed to decrypt all your data. Kaspersky Labs found that seventeen percent of ransomware victims never recovered their files even after paying the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above the usual ransomware demand, which ZDNET estimated to be around $13,000 for small businesses. The other path is to rebuild the mission-critical components of your IT environment. Without usable backups of essential data, this requires a broad range of skills, well-coordinated team management, and the willingness to work around the clock until the job is done.
For decades, Progent has offered professional IT services to businesses across the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who hold high-level industry certifications in key technologies from Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with accounting and ERP software solutions. This breadth of experience allows Progent to rapidly identify the critical systems, reorganize the remaining pieces of your network environment after a ransomware penetration, and bring them back together into an operational system.
Progent's ransomware team uses best-of-breed project management tools to orchestrate the complex restoration process. Progent understands the urgency of acting rapidly and in unison with a customer's management and IT resources to prioritize tasks and get the most important services back online as fast as humanly possible.
Customer Story: A Successful Ransomware Virus Response
A customer engaged Progent after their network was attacked by the Ryuk ransomware virus. Ryuk is believed to have been developed by North Korean government-sponsored criminal gangs, possibly adopting techniques leaked from America's National Security Agency. Ryuk targets specific businesses with little or no tolerance for operational disruption and is among the most lucrative strains of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing business in the Chicago metro area with about 500 employees. The Ryuk penetration had brought down all company operations and manufacturing capabilities. Most of the client's data backups had been directly accessible at the start of the attack and were eventually encrypted. The client considered paying the ransom (exceeding $200K) and hoping for the best, but in the end engaged Progent.
"I can't speak enough in regards to the expertise Progent gave us throughout the most stressful period of (our) business's existence. We may have had to pay the cybercriminals if not for the confidence the Progent team gave us. That you were able to get our e-mail system and essential applications back into operation faster than five days was amazing. Each person I worked with or communicated with at Progent was hell-bent on getting my company operational and was working at all hours on our behalf."
Progent worked hand in hand with the customer to rapidly assess and prioritize the most important services that had to be recovered in order to resume company operations:
- Active Directory (AD)
- Exchange Server
- Accounting and Manufacturing Software
To begin, Progent followed industry best practices for malware incident response by isolating the affected systems and cleaning them of malware. Progent then started the work of bringing Windows Active Directory back online, the heart of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange messaging will not work without Active Directory, and the client's MRP software used Microsoft SQL Server, which relies on Active Directory for authentication and authorization to the data.
Within 48 hours, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then assisted with rebuilding and hard drive recovery on the most important systems. All Exchange schema and configuration information was intact, which accelerated the rebuild of Exchange. Progent was also able to collect unencrypted OST files (Outlook Offline Folder files) from staff workstations to recover email data. A fairly recent offline backup of the client's accounting software allowed these essential applications to be brought back online. Although major work still remained to recover completely from the Ryuk attack, the most important systems were restored quickly:
"For the most part, the assembly line operation survived unscathed and we made all customer sales."
Over the following month, important milestones in the recovery project were reached through close cooperation between Progent engineers and the client:
- Internal web applications were brought back up with no loss of information.
- The MailStore Exchange Server with over four million archived messages was brought online and accessible to users.
- CRM/Product Ordering/Invoicing/AP/Accounts Receivables/Inventory functions were 100 percent operational.
- A new Palo Alto 850 security appliance was set up and programmed.
- Nearly all of the user PCs were back into operation.
"A lot of what happened during the initial response is mostly a haze for me, but I will not soon forget the commitment each of you put in to help get our company back. I have entrusted Progent for the past ten years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered. This event was no exception but maybe more Herculean."
A likely company-ending disaster was averted thanks to hard-working experts, a wide array of subject matter expertise, and close teamwork. The forensic review showed that the incident described here could have been identified and stopped with up-to-date cyber security technology and recognized best practices, user and IT administrator training, and sound procedures for data backup and for keeping systems current with security patches. The reality, however, is that state-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and will keep trying. If you do fall victim to a ransomware virus, rest assured that Progent's team of experts has extensive experience in ransomware defense, remediation, and file recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thank you for allowing me to get rested after we made it over the first week. All of you put in an incredible effort, and if any of your team is in the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)