Ransomware: Your Worst Information Technology Disaster
Ransomware has become a modern cyberplague that presents an extinction-level danger for businesses of all sizes that are vulnerable to an attack. Older iterations of ransomware such as Dharma, Fusob, Locky, Syskey and MongoLock cryptoworms have been replicating for a long time and still cause havoc. More recent variants such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, plus as yet unnamed malware, not only encrypt online critical data but also infect any reachable system restores and backups. Data synced to the cloud can also be corrupted. In a poorly designed environment, this renders automatic recovery useless and effectively knocks the network back to square one.
Getting programs and information back after a ransomware intrusion becomes a sprint against time as the targeted business fights to stop lateral movement, clear the ransomware, and resume business-critical activity. Because ransomware needs time to replicate, assaults are usually launched at night, when a successful attack may take longer to recognize. This compounds the difficulty of rapidly marshalling and orchestrating a capable response team.
Progent offers a variety of support services for securing Albany businesses against crypto-ransomware attacks. Among these are team training to help staff recognize and avoid phishing attempts, and ProSight Active Security Monitoring, an endpoint detection and response service that uses SentinelOne's AI-based threat protection to discover and suppress zero-day malware assaults. Progent also offers the services of expert crypto-ransomware recovery professionals with the track record and perseverance to re-deploy a breached network as urgently as possible.
Progent's Crypto-Ransomware Restoration Help
After a ransomware event, paying the ransom in Bitcoin does not ensure that the cyber criminals will respond with the codes needed to decrypt any of your information. Kaspersky estimated that seventeen percent of crypto-ransomware victims never recovered their files even after paying the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET determined to be approximately $13,000 for smaller organizations. The fallback is to piece the vital parts of your IT environment back together. Without access to complete backups, this requires a broad complement of IT skills, professional project management, and the willingness to work non-stop until the job is done.
For twenty years, Progent has provided certified expert IT services for businesses throughout the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who hold high-level industry certifications in foundation technologies from Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have earned internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience in financial management and ERP applications. This breadth of expertise gives Progent the ability to quickly understand critical systems, integrate the surviving pieces of your IT environment following a crypto-ransomware attack, and rebuild them into a functioning network.
Progent's security group uses best-of-breed project management applications to orchestrate the complicated restoration process. Progent knows the urgency of working swiftly and in concert with a client's management and IT resources to prioritize tasks and put key systems back on-line as soon as humanly possible.
Client Case Study: A Successful Ransomware Virus Recovery
A customer hired Progent after their network was penetrated by Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state-sponsored hackers, suspected of adopting techniques leaked from the U.S. National Security Agency. Ryuk targets specific organizations with little tolerance for operational disruption and is one of the most profitable iterations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturer based in Chicago with around 500 workers. The Ryuk penetration had shut down all company operations and manufacturing capabilities. The majority of the client's system backups had been on-line at the time of the attack and were destroyed. The client was preparing to pay the ransom (in excess of $200,000) and hoping for the best, but in the end engaged Progent.
"I can't say enough regarding the care Progent gave us throughout the most critical period of (our) company's survival. We would have paid the cyber criminals if not for the confidence the Progent experts gave us. The fact that you were able to get our e-mail and critical servers back into operation in less than five days was amazing. Every single staff member I talked with or messaged at Progent was totally committed to getting my company operational and was working day and night on our behalf."
Progent worked hand in hand with the client to rapidly identify and prioritize the most important services that had to be restored to make it possible to continue business operations:
- Active Directory (AD)
- Electronic Mail
To begin, Progent followed ransomware incident mitigation best practices by stopping the spread and disinfecting systems. Progent then started the process of recovering Windows Active Directory, the heart of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange messaging will not function without Active Directory, and the business's financials and MRP software relied on SQL Server, which depends on Windows AD for access to the databases.
In less than 48 hours, Progent was able to recover Active Directory to its pre-attack state. Progent then helped perform setup and storage recovery on critical systems. All Exchange Server schema and configuration information were intact, which facilitated the restore of Exchange. Progent was able to collect non-encrypted OST files (Outlook Offline Folder Files) from various desktop computers and laptops to recover email data. A recent offline backup of the business's financials/ERP systems made it possible to bring these vital programs back on-line. Although a large amount of work remained to recover fully from the Ryuk attack, critical services were restored rapidly:
"For the most part, the assembly line operation did not miss a beat and we made all customer shipments."
Over the following couple of weeks, important milestones in the recovery process were achieved in close cooperation between Progent team members and the customer:
- In-house web applications were brought back up with no loss of information.
- The MailStore Server with over four million archived emails was spun up and accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory modules were completely recovered.
- A new Palo Alto 850 security appliance was brought on-line.
- Ninety percent of the user PCs were fully operational.
"A huge amount of what transpired in the early hours is mostly a blur for me, but my team will not soon forget the commitment each and every one of the team put in to give us our company back. I have entrusted Progent for the past 10 years, possibly more, and each time I needed help Progent has impressed me and delivered. This situation was a stunning achievement."
A likely enterprise-killing catastrophe was averted through hard-working experts, a wide range of IT skills, and close collaboration. Post-incident analysis showed that the ransomware incident detailed here would have been identified and disabled by current security technology, NIST Cybersecurity Framework best practices, user and IT administrator education, and appropriate procedures for protecting information and keeping systems up to date with security patches. Nonetheless, the fact is that government-sponsored hackers from Russia, China and elsewhere are tireless and remain an ongoing threat. If you do get hit by a crypto-ransomware incursion, remember that Progent's roster of experts has proven experience in ransomware defense, mitigation, and file disaster recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for letting me get some sleep after we made it through the initial fire. All of you did an amazing job, and if any of your team is around the Chicago area, a great meal is on me!"
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Consulting in Albany
For ransomware recovery consulting in the Albany metro area, call Progent at 800-462-8800 or go to Contact Progent.