Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become a too-frequent cyber pandemic that represents an enterprise-level danger for organizations unprepared for an attack. Versions of ransomware such as Reveton, Fusob, Locky, Syskey and MongoLock cryptoworms have been circulating for years and still cause damage. Modern variants of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit and Nephilim, along with as yet unnamed newcomers that appear daily, not only encrypt on-line data files but also infect any system backups they can reach. Information synced to off-site disaster recovery sites can also be ransomed. In a poorly architected environment, this can render automated recovery impossible and basically sets the datacenter back to square one.
Recovering programs and data following a ransomware attack becomes a race against the clock as the victim struggles to contain the damage, remove the crypto-ransomware, and restore enterprise-critical operations. Because ransomware needs time to replicate, attacks are frequently launched at night, when penetrations are likely to take more time to detect. This compounds the difficulty of promptly assembling and coordinating a qualified mitigation team.
Progent has a variety of solutions for protecting Adelaide enterprises from ransomware penetrations. These include team member education to become familiar with and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of next-generation security appliances with machine learning technology to rapidly identify and suppress new cyber attacks. Progent also provides the assistance of experienced ransomware recovery engineers with the skills and perseverance to restore a compromised system as urgently as possible.
Progent's Ransomware Recovery Help
Following a ransomware attack, even paying the ransom demand in Bitcoin cryptocurrency does not provide any assurance that merciless criminals will provide the keys to decrypt any or all of your files. Kaspersky ascertained that 17% of crypto-ransomware victims never restored their data even after having paid the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is greatly above the usual crypto-ransomware demand, which ZDNET determined to be around $13,000 for small businesses. The other path is to piece back together the mission-critical elements of your IT environment. Without complete information backups, this calls for a wide range of IT skills, professional team management, and the ability to work non-stop until the task is finished.
For decades, Progent has provided certified expert Information Technology services for businesses across the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have attained advanced certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has expertise with accounting and ERP application software. This breadth of experience gives Progent the ability to rapidly identify critical systems, consolidate the surviving pieces of your network environment following a crypto-ransomware event, and configure them into an operational network.
Progent's recovery group deploys powerful project management systems to orchestrate the sophisticated restoration process. Progent appreciates the importance of working swiftly and in unison with a client's management and IT team members to assign priority to tasks and to put critical applications back online as fast as possible.
Case Study: A Successful Ransomware Virus Response
A customer hired Progent after their company was hit by Ryuk ransomware. Ryuk is believed to have been deployed by North Korean government-sponsored cybercriminals, suspected of using technology leaked from America's National Security Agency. Ryuk seeks out specific organizations with little or no ability to sustain operational disruption and is one of the most lucrative versions of ransomware malware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing company headquartered in Chicago with about 500 employees. The Ryuk event had brought down all company operations and manufacturing processes. Most of the client's data backups had been on-line at the beginning of the intrusion and were damaged. The client was taking steps to pay the ransom demand (exceeding two hundred thousand dollars) and praying for good luck, but in the end called Progent.
"I can't tell you enough about the care Progent gave us during the most stressful period of (our) company's life. We had little choice but to pay the cyber criminals except for the confidence the Progent team afforded us. The fact that you could get our messaging and key servers back online sooner than five days was incredible. Each consultant I got help from or messaged at Progent was laser focused on getting us operational and was working all day and night on our behalf."
Progent worked with the customer to quickly get our arms around and assign priority to the key elements that had to be recovered in order to restart business operations:
- Active Directory (AD)
- Microsoft Exchange
To get going, Progent followed antivirus/malware incident response best practices by halting lateral movement and cleaning systems of viruses. Progent then initiated the work of restoring Windows Active Directory, the foundation of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not operate without Windows AD, and the customer's accounting and MRP system used Microsoft SQL Server, which needs Active Directory for security authorization to the data.
Within two days, Progent was able to recover Active Directory services to their pre-virus state. Progent then initiated rebuilding and hard drive recovery on essential systems. All Exchange data and attributes were usable, which accelerated the rebuild of Exchange. Progent was able to assemble non-encrypted OST data files (Outlook Offline Data Files) from staff workstations and laptops in order to recover mail information. A recent off-line backup of the client's manufacturing systems made it possible to bring these essential applications back on-line. Although a large amount of work was left to recover totally from the Ryuk virus, critical systems were recovered rapidly:
"For the most part, the assembly line operation never missed a beat and we did not miss any customer orders."
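The OST harvesting step above depends on telling an intact Outlook data file from one the encryptor has overwritten. The triage script below is an added example, not Progent's tooling: it walks a profile tree, checks for the PST/OST header magic bytes `!BDN`, flags files that are still locked by a running Outlook, and reports the candidates. All paths and sample files are constructed; `make_demo_tree` only exists to give the script something to run against offline.

```python
"""Triage Outlook data files (.ost/.pst) left on workstations after a
ransomware event (added example, not Progent's tooling). A file whose
header still starts with the PST/OST magic b"!BDN" is a recovery
candidate; one named like an Outlook data file (even with an extension
appended by the encryptor) whose header differs has most likely been
overwritten. Sample data below is constructed for the demonstration."""
import os
import tempfile
from pathlib import Path

OUTLOOK_MAGIC = b"!BDN"          # first four bytes of every PST/OST file
OUTLOOK_EXTS = {".ost", ".pst"}  # extensions Outlook uses for data files


def classify_outlook_file(path):
    """Return 'intact', 'encrypted_or_damaged', 'locked' or 'not_outlook'."""
    p = Path(path)
    try:
        with p.open("rb") as fh:
            header = fh.read(len(OUTLOOK_MAGIC))
    except PermissionError:
        return "locked"  # still open by Outlook; copy after closing it
    if header == OUTLOOK_MAGIC:
        return "intact"
    # p.suffixes catches "alice.ost.ryk"-style names where an extension was appended
    if any(s.lower() in OUTLOOK_EXTS for s in p.suffixes):
        return "encrypted_or_damaged"
    return "not_outlook"


def inventory(root):
    """Walk a profile tree and list every file that matters for mail recovery."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = Path(dirpath) / name
            status = classify_outlook_file(full)
            if status != "not_outlook":
                found.append({"path": str(full), "status": status,
                              "bytes": full.stat().st_size})
    return sorted(found, key=lambda f: f["path"])


def make_demo_tree():
    """Constructed sample tree: one intact OST, one encrypted OST, one other file."""
    root = Path(tempfile.mkdtemp())
    (root / "alice" / "Outlook").mkdir(parents=True)
    (root / "alice" / "Outlook" / "alice.ost").write_bytes(OUTLOOK_MAGIC + b"\x00" * 60)
    (root / "bob" / "Outlook").mkdir(parents=True)
    (root / "bob" / "Outlook" / "bob.ost.ryk").write_bytes(b"\x9f\x3a\x11\x77" + b"\x55" * 60)
    (root / "bob" / "notes.txt").write_bytes(b"plain text, not an Outlook file")
    return root
```

Run `inventory(r"C:\Users")` (or the mounted image of a workstation) to get the candidate list; only files reported as `intact` are worth copying into the mail recovery workflow.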
Over the next couple of weeks key milestones in the restoration process were achieved in close cooperation between Progent team members and the customer:
- Self-hosted web applications were restored with no loss of data.
- The MailStore archive for Microsoft Exchange Server, holding more than four million archived emails, was spun up and available for users.
- CRM/Orders/Invoicing/Accounts Payable/AR/Inventory Control capabilities were 100% recovered.
- A new Palo Alto 850 firewall was set up.
- Most of the user PCs were functioning as before the incident.
"A huge amount of what happened in the early hours is mostly a fog for me, but our team will not forget the care each and every one of the team put in to help get our business back. I have been working with Progent for at least 10 years, maybe more, and each time Progent has shined and delivered. This event was no exception but maybe more Herculean."
A potential business disaster was averted by results-oriented experts, a broad array of subject matter expertise, and tight collaboration. Although in post mortem the crypto-ransomware incident detailed here would have been prevented by modern cyber security solutions and NIST Cybersecurity Framework best practices, staff education, and well-designed security procedures for information protection and software patching, the reality remains that state-sponsored hackers from China, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware incursion, feel confident that Progent's team of experts has substantial experience in crypto-ransomware virus defense, mitigation, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were involved), thank you for making it so I could get rested after we got through the most critical parts. Everyone did an incredible effort, and if any of your team is visiting the Chicago area, dinner is the least I can do!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)