Ransomware: Your Crippling Information Technology Catastrophe
Crypto-ransomware has become a modern cyberplague and an existential threat to businesses that are unprepared for an attack. Older families such as CryptoLocker, CryptoWall, Locky, NotPetya and MongoLock have circulated for years and still cause damage. Newer variants such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Conti and Nefilim, along with newcomers that have not yet been named, not only encrypt online data but also seek out and encrypt any backups they can reach, which in many environments means every backup that is configured as an online target. Files synchronized to off-site disaster recovery sites can be ransomed as well, because the replication job faithfully copies the encrypted versions. In a vulnerable environment this renders automated recovery useless and effectively sets the datacenter back to square one.
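A check that follows from this, added here as an example and not taken from Progent's page or tooling: run the following from an ordinary workstation under an ordinary domain user's credentials against every path your backup jobs write to (the paths, and the temporary folder the demo builds, are assumed placeholders). Any target that comes back "writable" is one that ransomware executing in that user's session, or under a service account it can reach, could encrypt or delete in place; those are the copies that need to move off-line or onto immutable storage.

```python
"""Probe which backup targets are writable from the current user context.

Added example, not Progent's tooling. Run it as an ordinary domain user from
an ordinary workstation: every path reported "writable" is a backup that
ransomware executing in that user's session can encrypt or delete.
"""
import os
import tempfile
import uuid
from typing import Dict, Iterable, List, Tuple

CANARY_PREFIX = ".ransomware-exposure-check-"


def probe_backup_path(path: str) -> str:
    """Return 'unreachable', 'read-only', 'writable' or 'error' for one path."""
    if not os.path.isdir(path):
        return "unreachable"
    canary = os.path.join(path, CANARY_PREFIX + uuid.uuid4().hex)
    try:
        # 'x' mode refuses to clobber an existing file, so the probe can never
        # overwrite real backup data even if the random name were to collide.
        with open(canary, "xb") as f:
            f.write(b"canary\n")
    except PermissionError:
        return "read-only"
    except OSError:
        return "error"
    try:
        os.remove(canary)
    except OSError:
        pass  # leave the canary behind; the finding is still 'writable'
    return "writable"


def probe_all(paths: Iterable[str]) -> Dict[str, str]:
    """Probe every configured backup target (UNC shares, mounted repositories)."""
    return {p: probe_backup_path(p) for p in paths}


def exposed(results: Dict[str, str]) -> List[str]:
    """Backup targets that must be moved off-line or made immutable."""
    return sorted(p for p, s in results.items() if s == "writable")


def demo_probe() -> Tuple[Dict[str, str], int]:
    """Constructed sample: a writable local folder standing in for a backup
    share, plus a path that does not exist (a share that is offline)."""
    share = tempfile.mkdtemp(prefix="backup-share-")  # assumed placeholder
    missing = os.path.join(share, "does-not-exist")
    results = probe_all([share, missing])
    leftovers = len(os.listdir(share))  # the canary must have been removed
    return results, leftovers


if __name__ == "__main__":
    # In production replace the demo paths with your real backup targets,
    # e.g. probe_all([r"\\backup01\veeam", r"\\nas\nightly"]) (assumed names).
    for path, status in demo_probe()[0].items():
        print(f"{status:12} {path}")
```

The probe only tells you what the account running it can touch; repeat it under each service account that backup agents, scheduled tasks and domain admins use, since those are the credentials ransomware operators harvest and reuse once inside.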
Getting applications and data back after a ransomware outage becomes a race against the clock: the victim must stop lateral movement, remove the ransomware, and restore mission-critical operations all at once. Because encryption and propagation take time, attacks are often launched on weekends and holidays, when fewer people are watching and a successful attack can run longer before it is detected. That timing also makes it harder to rapidly assemble and orchestrate a qualified response team.
Progent provides a variety of support services for protecting Allentown businesses from ransomware. These include training so that staff recognize and avoid phishing attempts, and ProSight Active Security Monitoring, an endpoint detection and response (EDR) service built on SentinelOne's behavior-based threat protection to detect and quarantine zero-day malware. Progent can also provide seasoned ransomware recovery engineers with the skills and commitment to rebuild a compromised network as rapidly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware event, even paying the ransom in Bitcoin does not guarantee that the criminals will hand over working keys to decrypt all your files. Kaspersky Labs found that seventeen percent of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the average demand, which ZDNet put at around $13,000 for smaller organizations. The alternative is to piece the key elements of your IT environment back together. Without complete backups, that calls for a broad range of skills, top-notch project management, and the willingness to work around the clock until the recovery is finished.
For twenty years, Progent has offered certified expert IT services for companies across the US and has earned Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants holding high-level industry certifications in leading technologies from Microsoft, Cisco, VMware, and major Linux distributions. Progent's security experts hold internationally recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications.) Progent also has expertise with accounting and ERP applications. This breadth of expertise gives Progent the skills to rapidly identify the systems that matter, reorganize the remaining parts of your IT system after a ransomware event, and configure them into a functioning network.
Progent's ransomware team uses state-of-the-art project management tools to orchestrate the complicated restoration process. Progent understands the importance of working rapidly and in concert with a customer's management and IT staff to prioritize tasks and get key systems back online as soon as humanly possible.
Customer Story: A Successful Ransomware Virus Restoration
A customer contacted Progent after its network was penetrated by the Ryuk crypto-ransomware. Ryuk was initially attributed by some researchers to North Korean state-sponsored hackers because it shares code with the Hermes ransomware, but later analysis tied it to Russian-speaking criminal operators who typically gain a foothold through commodity malware such as TrickBot before spreading laterally, reportedly in some intrusions with the leaked NSA exploit EternalBlue. Ryuk targets specific companies with little or no tolerance for disruption and is one of the most profitable examples of crypto-ransomware. Publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company headquartered in the Chicago metro area with around 500 staff. The Ryuk attack had halted all company operations and manufacturing processes. Most of the client's data backups had been directly accessible from the network when the attack began and were encrypted along with everything else. The client considered paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately decided to engage Progent.
"I cannot thank you enough for the support Progent gave us during the most critical time of (our) company's life. We most likely would have paid the hackers behind this attack if not for the confidence the Progent experts gave us. That you could get our messaging and key applications back into operation in less than five days was something I thought impossible. Every single expert I talked with or messaged at Progent was absolutely committed to getting us working again and was working at all hours on our behalf."
Progent worked together with the customer to quickly understand and prioritize the most important services that had to be addressed to keep departmental functions running:
- Windows Active Directory
- Exchange Server
To start, Progent followed incident response best practices for malware outbreaks: containing the spread and cleaning up compromised systems. Progent then began recovering Active Directory (AD), the foundation of any environment built on Microsoft technology. Exchange Server messaging cannot operate without AD, and the business's accounting and MRP system ran on SQL Server, which relied on Active Directory for authentication to its databases.
In less than 48 hours, Progent had recovered Active Directory to its pre-intrusion state. Progent then assisted with rebuilding the most important servers and recovering data from their disks. All Exchange data and attributes were intact, which simplified the rebuild of Exchange. Progent was also able to locate intact OST files (Outlook offline data files) on staff workstations and laptops and use them to recover email. A reasonably recent off-line backup of the business's financials/ERP system made it possible to return these essential applications to service. Although a large amount of work remained before the Ryuk damage was fully undone, the most important systems were back quickly:
"For the most part, the assembly line operation survived unscathed and we did not miss any customer sales."
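Harvesting Outlook data files from workstations, as the recovery above did, is worth doing methodically because some copies will have been encrypted in place or renamed by the malware. The following triage script is an added example, not Progent's code: it walks folders copied from workstations, checks the 4-byte "!BDN" header that every intact PST/OST file begins with, and orders the usable files by size so the largest mailboxes are imported first. The sample folder tree it builds, the user names, and the ".locked" extension standing in for whatever the ransomware appends are all constructed assumptions.

```python
"""Triage Outlook data files (.ost/.pst) harvested from workstations after a
ransomware event. Added example for illustration; not Progent's tooling.

An intact Outlook data file starts with the 4-byte magic "!BDN". A file that
was encrypted in place keeps its .ost name but loses that header; a file the
malware renamed carries an extra extension after .ost or .pst.
"""
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterable, List, Optional

OUTLOOK_MAGIC = b"!BDN"  # dwMagic 0x4E444221 in little-endian byte order
OUTLOOK_SUFFIXES = {".ost", ".pst"}


@dataclass
class Finding:
    path: Path
    size: int
    status: str  # intact | encrypted | renamed | renamed-intact | empty | unreadable


def classify(path: Path) -> str:
    """Decide whether a copied Outlook data file is still usable."""
    suffixes = [s.lower() for s in path.suffixes]
    try:
        size = path.stat().st_size
        with path.open("rb") as f:
            head = f.read(len(OUTLOOK_MAGIC))
    except OSError:
        return "unreadable"
    if size == 0:
        return "empty"  # zero-length copy, usually an interrupted transfer
    has_magic = head == OUTLOOK_MAGIC
    if suffixes and suffixes[-1] in OUTLOOK_SUFFIXES:
        # still named *.ost/*.pst: encrypted in place if the header is gone
        return "intact" if has_magic else "encrypted"
    # *.ost.<ext>: the malware appended its own extension after encrypting
    return "renamed-intact" if has_magic else "renamed"


def scan(roots: Iterable[Path]) -> List[Finding]:
    """Walk each root (e.g. a folder copied from a workstation's C$ share)
    and classify every file whose name carries .ost or .pst anywhere."""
    findings: List[Finding] = []
    for root in roots:
        for p in Path(root).rglob("*"):
            if not p.is_file():
                continue
            if not any(s.lower() in OUTLOOK_SUFFIXES for s in p.suffixes):
                continue
            findings.append(Finding(p, p.stat().st_size, classify(p)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


def recoverable(findings: List[Finding]) -> List[Finding]:
    """Usable files, largest first, so the import queue starts with the
    mailboxes holding the most mail. 'renamed-intact' files only need
    their original name restored before import."""
    usable = [f for f in findings if f.status in ("intact", "renamed-intact")]
    return sorted(usable, key=lambda f: f.size, reverse=True)


def build_sample_tree(root: Optional[Path] = None) -> Path:
    """Constructed sample data standing in for files copied from workstations."""
    root = root or Path(tempfile.mkdtemp(prefix="ost-triage-"))
    ciphertext = bytes([0xFF, 0xEE, 0xDD, 0xCC]) * 25  # placeholder, no magic
    files = {
        "ws01/alice.ost": OUTLOOK_MAGIC + b"\x00" * 4096,
        "ws02/bob.ost": ciphertext,             # encrypted in place
        "ws03/carol.ost.locked": ciphertext,    # encrypted and renamed (assumed extension)
        "ws03/archive.pst": OUTLOOK_MAGIC + b"\x00" * 1024,
        "ws04/dave.ost": b"",                   # zero-length partial copy
        "ws04/readme.txt": b"not outlook data",
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    results = scan([build_sample_tree()])
    print(summarize(results))
    for f in recoverable(results):
        print(f"{f.size:>8}  {f.status:15}  {f.path}")
```

Copy the files before running this rather than reading them over the network from still-infected machines, and keep in mind that an intact header only proves the file was not overwritten; an OST that Outlook was writing to when the host lost power may still need repair on import.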
During the following month, key milestones in the restoration project were reached through close cooperation between Progent consultants and the client:
- In-house web sites were brought back up without losing any information.
- The MailStore email archive server, holding over four million historical emails, was brought back up and made accessible to users.
- The CRM, orders, invoicing, accounts payable (AP), accounts receivable (AR) and inventory modules were fully operational.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- Nearly all desktop computers were back in use by staff.
"A lot of what was accomplished during the initial response is nearly entirely a blur for me, but my management will not forget the countless hours each of you accomplished to give us our company back. I've been working with Progent for at least 10 years, possibly more, and every time Progent has come through and delivered. This situation was a testament to your capabilities."
A potentially business-killing disaster was averted by hard-working professionals, a wide array of subject matter expertise, and tight collaboration. In retrospect, the ransomware attack described here could have been detected and prevented with modern security technology and best practices, staff training, and well-designed procedures for keeping backups off-line and applying software patches; the fact remains that ransomware crews, whether criminal groups or state-sponsored actors, are relentless and an ongoing threat. If you do fall victim to a ransomware incursion, remember that Progent's team has proven experience in ransomware blocking, removal, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were involved), I'm grateful for letting me get some sleep after we made it past the initial fire. Everyone did an impressive job, and if anyone is in the Chicago area, dinner is on me!"
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Consulting in Allentown
For ransomware recovery consulting in the Allentown area, phone Progent at 800-462-8800 or go to Contact Progent.