Ransomware: Your Crippling IT Catastrophe
Crypto-ransomware has become a modern cyber plague that represents an enterprise-level threat for any business vulnerable to attack. Crypto-ransomware families such as CryptoLocker, Fusob, Locky, NotPetya and MongoLock have run rampant for years and continue to cause havoc. More recent strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nephilim, along with unnamed malware, not only encrypt on-line files but also reach many accessible system restore points and backups. Information replicated to off-site disaster recovery sites can be corrupted as well. In a poorly architected data protection solution, this can make automated restore operations hopeless and effectively sets the network back to zero.
Retrieving applications and data after a crypto-ransomware event becomes a race against time as the targeted business struggles to stop lateral movement, remove the ransomware, and resume business-critical operations. Because crypto-ransomware needs time to spread, attacks are frequently launched at night and on weekends, when a successful intrusion may take longer to discover. This multiplies the difficulty of rapidly assembling and coordinating a knowledgeable mitigation team.
Progent offers a range of services for protecting Allentown enterprises from ransomware attacks. These include staff training to recognize and avoid phishing scams, and ProSight Active Security Monitoring (ASM), an endpoint detection and response (EDR) service that uses SentinelOne's behavior-based threat protection to detect and shut down zero-day modern malware attacks. Progent can also provide the assistance of expert crypto-ransomware recovery engineers with the skill and commitment to restore a compromised environment as quickly as possible.
Progent's Ransomware Recovery Help
After a ransomware penetration, paying the ransom in Bitcoin gives no assurance that the remote criminals will hand over the keys needed to decrypt any or all of your files. Kaspersky Labs found that 17% of crypto-ransomware victims never recovered their data after paying the ransom, compounding their losses. The risk is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than typical ransomware demands, which ZDNet determined to be approximately $13,000 for small businesses. The fallback is to piece the essential components of your IT environment back together. Without access to complete system backups, this requires a broad range of skill sets, well-coordinated team management, and the capability to work 24x7 until the recovery project is finished.
For twenty years, Progent has provided expert IT services for companies throughout the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals with high-level certifications in key technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cybersecurity engineers hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC and SANS GIAC. (Visit Progent's certifications.) Progent also has experience with financial management and ERP software. This breadth of expertise allows Progent to quickly identify critical systems, re-organize the surviving components of your IT environment after a ransomware event, and configure them into an operational network.
Progent's ransomware team uses best-of-breed project management tools to coordinate the complex recovery process. Progent understands the urgency of working quickly and together with a customer's management and IT staff to prioritize tasks and bring critical systems back online as fast as possible.
Customer Case Study: A Successful Ransomware Incident Response
A client engaged Progent after their network was attacked by Ryuk crypto-ransomware. Ryuk is thought to have been deployed by North Korean state-sponsored criminal gangs, possibly using algorithms leaked from the US NSA. Ryuk targets specific companies with little ability to sustain disruption and is one of the most lucrative strains of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturer in the Chicago metro area with about 500 employees. The Ryuk intrusion had paralyzed all company operations and manufacturing capability. Most of the client's backups had been on-line at the time of the intrusion and were damaged. The client was preparing to pay the ransom demand (exceeding two hundred thousand dollars) and hope for the best, but in the end reached out to Progent.
"I cannot say enough in regards to the help Progent gave us throughout the most fearful period of (our) company's life. We most likely would have paid the cyber criminals if it wasn't for the confidence the Progent team gave us. The fact that you could get our e-mail and essential servers back on-line in less than 1 week was something I thought impossible. Every single staff member I got help from or e-mailed at Progent was absolutely committed to getting our system up and was working at breakneck pace to bail us out."
Progent worked with the customer to quickly identify and prioritize the key areas that had to be addressed in order to restart departmental functions:
- Active Directory
- Electronic Messaging
- MRP System
To start, Progent followed industry best practices for antivirus incident mitigation by stopping lateral movement and cleaning up infected systems. Progent then began rebuilding Microsoft Active Directory (AD), the foundation of enterprise environments built on Microsoft technology. Microsoft Exchange messaging will not function without Active Directory, and the customer's MRP applications relied on SQL Server, which needs Active Directory services for access to the data.
Within 2 days, Progent rebuilt Active Directory to its pre-intrusion state. Progent then assisted with reinstallations and hard drive recovery for critical applications. All Exchange Server schema and configuration information was intact, which greatly helped the rebuild of Exchange. Progent was also able to collect unencrypted OST files (Microsoft Outlook Offline Data Files) from staff workstations in order to recover mail messages. A reasonably recent off-line backup of the client's manufacturing software made it possible to bring these required applications back to users. Although significant work remained to recover fully from the Ryuk damage, essential systems were restored rapidly:
"For the most part, the assembly line operation was never shut down and we made all customer deliverables."
Over the next month, important milestones in the recovery project were reached in close collaboration between Progent consultants and the client:
- In-house web applications were brought back up without losing any data.
- The MailStore Microsoft Exchange Server archive containing more than 4 million historical emails was brought back up and made accessible to users.
- CRM, Customer Orders, Invoicing, Accounts Payable (AP), Accounts Receivable (AR) and Inventory capabilities were fully functional.
- A new Palo Alto 850 firewall was brought on-line.
- Most of the user workstations were back in use by staff.
"Much of what was accomplished during the initial response is nearly entirely a blur for me, but we will not soon forget the care each of you took to give us our business back. I've trusted Progent for the past ten years, maybe more, and each time Progent has shined and delivered. This situation was the most impressive ever."
A likely business-ending catastrophe was avoided through the efforts of dedicated professionals, a broad spectrum of subject matter expertise, and tight collaboration. Although in hindsight the ransomware attack described here would have been identified and blocked by up-to-date security solutions and recognized best practices, staff training, and properly executed procedures for data protection and security patching, the reality remains that state-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you are hit by ransomware, you can be confident that Progent's roster of experts has a proven track record in crypto-ransomware blocking, mitigation, and information systems restoration.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for making it so I could get rested after we got past the most critical parts. All of you did an amazing job, and if any of you guys are in the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Expertise in Allentown
For ransomware system recovery consulting in the Allentown area, phone Progent at 800-462-8800 or see Contact Progent.