Crypto-Ransomware: Your Feared Information Technology Disaster
Ransomware has become an all-too-frequent cyber pandemic that presents an existential danger to any business vulnerable to attack. Older ransomware families such as Dharma, Locky and MongoLock, and the self-propagating WannaCry and NotPetya worms, have been in the wild for years and still cause damage. Modern variants such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, plus newcomers that have yet to be named, not only encrypt critical online data but also seek out and encrypt or delete any backup they can reach. Files synced or replicated to cloud storage can be ransomed as well, because the sync client faithfully propagates the encrypted copies. In a poorly architected environment this leaves nothing to restore from, and the network is effectively back to square one.
Getting applications and data back online after a ransomware event becomes a race against the clock as the targeted organization fights to contain the spread, remove the ransomware and restore business-critical activity. Because encryption is the final step after days of quiet lateral movement, attackers typically trigger it at night or over a weekend, when detection and response take longer. This compounds the difficulty of quickly mobilizing and organizing a qualified response team.
Progent offers a range of services for protecting Anaheim organizations from ransomware attacks. These include staff training to recognize and avoid phishing scams, and ProSight Active Security Monitoring (ASM), an endpoint detection and response service built on SentinelOne's behavior-based threat defense, which is designed to identify and contain zero-day malware before it spreads. Progent also provides experienced ransomware recovery professionals with the skill and perseverance to rebuild a compromised environment as quickly as possible.
Progent's Ransomware Restoration Help
Following a ransomware attack, paying the ransom in Bitcoin does not guarantee that the criminals will deliver working decryption keys for any of your data. Kaspersky found that 17% of ransomware victims never recovered their data even after paying, so the ransom became an additional loss. The exposure is also expensive: Ryuk demands often range from roughly 15 to 40 BTC (about $120,000 to $400,000 at the time), well above the average ransomware demand, which ZDNet put at roughly $13,000 for small businesses. The alternative is to rebuild the key elements of your IT environment. Without complete, uncompromised backups, this calls for a broad range of skills, first-rate project management, and the willingness to work around the clock until the job is done.
For two decades, Progent has provided professional IT services to companies throughout the US and holds Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants with advanced certifications in foundation technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cyber security experts hold internationally recognized certifications including CISM, CISSP, ISACA CRISC and GIAC (see Progent's certifications). Progent also has experience with financial management and ERP software. This breadth of expertise lets Progent rapidly identify the systems that matter, organize the surviving pieces of an IT environment after a ransomware event, and rebuild them into a working whole.
Progent's recovery team uses state-of-the-art project management tools to orchestrate the complex recovery process. Progent understands the importance of acting rapidly and in concert with a client's management and IT staff to prioritize tasks and get the most important applications back online as fast as possible.
Customer Case Study: A Successful Ransomware Incident Recovery
A client engaged Progent after its business was brought down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because of code it shares with the Hermes ransomware; later analysis attributed it to Russian-speaking criminal groups, and its operators are believed to have used tooling derived from leaked U.S. NSA exploits for lateral movement. Ryuk targets specific organizations that can tolerate little or no downtime and is one of the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer located in Chicago with around 500 employees. The Ryuk event had shut down all essential business and manufacturing processes. Most of the client's backups were online and reachable when the attack began and were encrypted along with the production data. The client considered paying the ransom (more than $200,000) and hoping for the best, but ultimately decided to engage Progent.
"I can't thank you enough in regards to the expertise Progent provided us during the most fearful period of (our) company's life. We most likely would have paid the criminal gangs except for the confidence the Progent experts afforded us. That you could get our e-mail and key servers back into operation in less than a week was beyond my wildest dreams. Every single expert I interacted with or texted at Progent was urgently focused on getting us operational and was working non-stop on our behalf."
Progent worked hand in hand with the client to quickly identify and prioritize the key areas that had to be restored so that departmental operations could continue:
- Active Directory
- Microsoft Exchange
To begin, Progent followed ransomware incident response best practices by containing the spread and cleaning up infected systems. Progent then began restoring Microsoft Active Directory, the foundation of any network built on Windows Server. Exchange cannot run without AD, and the company's MRP applications ran on Microsoft SQL Server, which relied on Active Directory for authentication to the database. Restoring AD first therefore unblocked both email and the manufacturing applications.
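Because Exchange and SQL Server both depend on Active Directory, a practitioner wants hard evidence that the restored domain is healthy and that compromised credentials have been rotated before the dependent services are brought back. The following script is an added example of such a readiness check; it is not Progent's tooling and is not described on this page. It assumes an elevated PowerShell session on a domain-joined administrative workstation with the RSAT ActiveDirectory module installed, and the `$IncidentDate` value is a placeholder the operator must set to the date the compromise is believed to have begun.

```powershell
# Added example (not from the original page): post-restore AD readiness check
# before bringing Exchange and SQL Server back online.
# Assumptions: elevated session, RSAT ActiveDirectory module present,
# $IncidentDate set by the operator to the start of the compromise.
Import-Module ActiveDirectory

$IncidentDate = Get-Date '2000-01-01'   # PLACEHOLDER: replace with the real compromise date
$domain = (Get-ADDomain).DNSRoot
$dcs = Get-ADDomainController -Filter *
Write-Host "Checking domain $domain with $($dcs.Count) domain controller(s)"

# 1. Replication: a DC restored from backup must be replicating again before
#    any service that writes to AD (Exchange, SQL with integrated auth) is started.
repadmin /replsummary

# 2. Core DC health. /q prints only failures, so empty output is good news.
foreach ($dc in $dcs) {
    Write-Host "dcdiag on $($dc.HostName)"
    dcdiag /s:$($dc.HostName) /q
}

# 3. The krbtgt account must be reset after a compromise, twice, with enough
#    time between resets for replication, or stolen Kerberos tickets remain valid.
#    PasswordLastSet only records the most recent reset, so this is a lower bound.
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
if ($krbtgt.PasswordLastSet -lt $IncidentDate) {
    Write-Warning "krbtgt has not been reset since the incident; stolen tickets may still work"
} else {
    Write-Host "krbtgt last reset: $($krbtgt.PasswordLastSet)"
}

# 4. Privileged accounts (including service accounts used by Exchange and SQL)
#    whose password predates the incident should be rotated before services start.
$stale = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -lt $IncidentDate }
if ($stale) {
    Write-Warning "Privileged accounts not rotated since the incident:"
    $stale | Select-Object SamAccountName, PasswordLastSet | Format-Table -AutoSize
}

# 5. This workstation's own secure channel to a DC, as a quick end-to-end test
#    that domain authentication works against the restored directory.
Test-ComputerSecureChannel -Verbose
```

Run it once per restored domain; anything reported by steps 1 through 4 should be resolved before Exchange or the SQL-backed MRP system is reconnected to the domain, otherwise a still-valid stolen credential can reinfect the freshly rebuilt servers.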
In less than two days, Progent restored Active Directory to its pre-intrusion state. Progent then helped perform reinstallations and disk recovery on critical systems. Exchange's directory objects and configuration were intact, which greatly simplified the Exchange restore. Progent was also able to locate intact Outlook offline data files (OST) on various workstations and laptops and recover mail from them. A reasonably recent offline backup of the company's accounting/MRP systems, out of the malware's reach precisely because it was offline, made it possible to bring these critical applications back for users. Although substantial work remained to recover completely from the Ryuk event, the core systems were restored quickly:
"For the most part, the production manufacturing operation was never shut down and we made all customer orders."
Over the following few weeks, key milestones in the recovery project were reached through close collaboration between Progent consultants and the customer:
- In-house web applications were restored with no loss of data.
- The MailStore email archive, containing more than four million historical Exchange messages, was brought back online and made available to users.
- The CRM, orders, invoicing, accounts payable, accounts receivable and inventory modules were fully operational.
- A new Palo Alto Networks PA-850 firewall was brought online.
- Most of the user desktops and notebooks were working as they had before the incident.
"A huge amount of what happened in the initial days is mostly a blur for me, but I will not soon forget the dedication each and every one of your team accomplished to give us our business back. I've entrusted Progent for at least 10 years, maybe more, and each time Progent has outperformed my expectations and delivered. This situation was a Herculean accomplishment."
A potentially company-ending disaster was averted through the efforts of dedicated professionals, a broad range of subject matter expertise, and tight teamwork. The post-incident review concluded that the attack described here should have been detected and stopped by current security tooling and practices: user and IT administrator training, a tested incident response plan, backups kept offline or otherwise unreachable from the production network, and disciplined patch management. The reality remains that state-sponsored and criminal cyber gangs from Russia, China and elsewhere are relentless and are not going away. If you do fall victim to a ransomware attack, you can be confident that Progent's team has a proven track record in ransomware blocking, cleanup, and data recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for allowing me to get some sleep after we made it over the most critical parts. All of you did an impressive job, and if anyone is in the Chicago area, a great meal is on me!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Consulting Services in Anaheim
For ransomware recovery expertise in the Anaheim area, call Progent at 800-462-8800 or go to Contact Progent.