Ransomware : Your Crippling IT Disaster
Ransomware has become an escalating cyber plague that poses an enterprise-level threat to businesses of every size that are unprepared for an attack. Successive generations of ransomware such as Dharma, CryptoWall, Locky, NotPetya and MongoLock have been running rampant for years and still cause destruction. Newer families such as Ryuk, Maze, Sodinokibi, NetWalker, Snatch and Nefilim, along with new as-yet-unnamed variants appearing daily, not only encrypt online files but also seek out and encrypt or delete any backups they can reach. Files replicated to cloud storage can be ransomed as well, because a sync agent will faithfully copy the encrypted versions. In a poorly architected environment this renders restore operations useless and effectively knocks the datacenter back to square one.
Recovering applications and data after a ransomware intrusion becomes a race against the clock: the victim must contain lateral movement, eradicate the ransomware and resume mission-critical operations all at once. Because an intrusion takes time to spread laterally before the encryptor is triggered, attackers often launch the final stage on weekends and holidays, when the penetration is likely to go longer without detection. That timing also makes it harder to mobilize and organize a knowledgeable response team quickly.
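To make the point about reachable backups concrete, here is an added example (not part of the Progent page or its services) written in Python. A constructed in-memory file tree stands in for a small file server, a mirror-style backup share mounted read/write on the same host (or a cloud sync folder without versioning), and an append-only versioned store; the file names, class names and the SHA-256 counter-mode "cipher" are illustrative assumptions, not a real ransomware sample.

```python
import hashlib
import secrets

# Constructed sample data standing in for a small file server (not real data).
PRIMARY_FILES = {
    "finance/ledger.xlsx": b"ledger Q3: revenue 1.2M, payroll 0.4M",
    "mrp/orders.db": b"order 1001 widget x500; order 1002 bracket x200",
    "mail/ceo.ost": b"offline outlook cache for ceo@example.com",
}


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; stands in for the stream cipher a real
    encryptor would use.  Enough to make the content unreadable."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_in_place(store: dict, key: bytes) -> None:
    """What the malware does to every writable location it can reach:
    overwrite each file with ciphertext.  A mirror share mounted read/write
    is just one more reachable path."""
    for name in list(store):
        data = store[name]
        store[name] = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


class MirrorBackup:
    """Sync/mirror backup: always holds the latest copy of each file and is
    writable from the victim host.  The latest state wins, ciphertext included."""

    def __init__(self) -> None:
        self.files: dict = {}

    def sync(self, primary: dict) -> None:
        self.files = dict(primary)

    def restore(self, name: str) -> bytes:
        return self.files[name]


class VersionedBackup:
    """Append-only store with retained versions (models immutable snapshots
    or object lock).  The client can add a snapshot but never overwrite or
    delete an earlier one, so ciphertext lands beside the clean copy."""

    def __init__(self) -> None:
        self.snapshots: list = []  # oldest first

    def snapshot(self, primary: dict) -> int:
        self.snapshots.append(dict(primary))
        return len(self.snapshots) - 1  # snapshot id for point-in-time restore

    def restore(self, name: str, snapshot_id: int) -> bytes:
        return self.snapshots[snapshot_id][name]


def run_scenario() -> dict:
    """Returns which backup strategy still yields readable data after the attack."""
    primary = dict(PRIMARY_FILES)
    mirror = MirrorBackup()
    versioned = VersionedBackup()

    # Day 0: both backups taken while everything is clean.
    mirror.sync(primary)
    clean_id = versioned.snapshot(primary)

    # Day 1 (a Saturday): the encryptor fires.  The mirror share is mapped
    # read/write on the same host, so it is encrypted directly; the versioned
    # store is reachable only through its append-only snapshot() call.
    key = secrets.token_bytes(32)
    for reachable_store in (primary, mirror.files):
        encrypt_in_place(reachable_store, key)
    versioned.snapshot(primary)  # the scheduled job faithfully backs up ciphertext

    # Day 3: recovery.  Compare what each backup returns with the known-good content.
    target = "finance/ledger.xlsx"
    return {
        "mirror_ok": mirror.restore(target) == PRIMARY_FILES[target],
        "versioned_ok": versioned.restore(target, clean_id) == PRIMARY_FILES[target],
        "latest_snapshot_ok": versioned.restore(target, clean_id + 1) == PRIMARY_FILES[target],
    }


if __name__ == "__main__":
    print(run_scenario())
```

The mirror returns ciphertext because the attacker could write to it; the versioned store returns the clean copy only when the restore is pointed at the snapshot taken before the incident, which is why the recovery team needs a reliable timestamp for when encryption began, not just "the latest backup".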
Progent offers a range of services for protecting Arlington businesses from ransomware attacks, including staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of current-generation security appliances that use machine learning to identify and stop new threats quickly. Progent also provides seasoned ransomware recovery professionals with the skills and perseverance to rebuild a compromised environment as quickly as possible.
Progent's Crypto-Ransomware Restoration Services
Paying the ransom demanded in cryptocurrency after an attack does not guarantee that the criminals will hand over the keys to decrypt all your data. Kaspersky estimated that 17% of ransomware victims never recovered their data after paying, compounding their losses. The gamble is also expensive: Ryuk demands often range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at around $13,000 for smaller organizations. The alternative is to rebuild the critical elements of your IT environment. Without complete, uncompromised backups, this calls for a broad range of skills, professional project management, and the capacity to work non-stop until the recovery is complete.
For decades Progent has provided expert IT services to businesses across the U.S. and holds Microsoft Partner status with competencies in Datacenter and Cloud Productivity. Progent's team of subject matter experts includes engineers with high-level certifications in key technologies such as Microsoft, Cisco, VMware and the major Linux distributions. Progent's cybersecurity consultants hold internationally recognized certifications including CISA, CISSP, CRISC and SANS GIAC (see Progent's certifications). Progent also has expertise in financial systems and ERP applications. This breadth of expertise lets Progent quickly understand the systems that matter, reorganize the surviving components of your network after a ransomware attack, and bring them back up as a working environment.
Progent's recovery team uses best-of-breed project management tools to orchestrate the complex restoration process. Progent understands the urgency of working quickly and in concert with the customer's management and IT staff to prioritize tasks and get essential applications back online as soon as possible.
Customer Case Study: A Successful Crypto-Ransomware Incident Response
A client contacted Progent after their company was hit by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors, possibly using techniques leaked from the U.S. NSA; later analysis has attributed it to Russian-speaking criminal groups. Ryuk targets specific organizations with little tolerance for operational disruption and is one of the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing company based in Chicago with about 500 employees. The Ryuk attack had shut down all essential business and manufacturing processes. Most of the client's backups had been online when the intrusion began and were encrypted. The client was arranging financing to pay the ransom (more than $200,000) and hoping for the best, but ultimately decided to engage Progent.
"I cannot speak enough about the care Progent provided us during the most fearful time of (our) business's survival. We may have had to pay the hackers if it wasn't for the confidence the Progent group provided us. The fact that you could get our e-mail and critical servers back in less than a week was earth shattering. Every single expert I interacted with or texted at Progent was totally committed to getting us restored and was working day and night to bail us out."
Progent worked with the customer to quickly identify and prioritize the most important applications that had to be restored to resume business operations:
- Active Directory (AD)
- Electronic mail
First, Progent followed standard incident-containment practice: blocking lateral movement and removing the malware. Progent then began rebuilding Microsoft Active Directory, the core technology of enterprise networks built on Windows Server. Microsoft Exchange email cannot operate without Windows AD, and the client's financial and MRP software ran on SQL Server, which relied on Windows AD for authentication and authorization to the database.
Within 48 hours Progent had rebuilt Windows Active Directory to its pre-intrusion state. Progent then completed configuration and storage recovery on the key servers. All Exchange Server data and attributes were intact, which greatly simplified the Exchange restore. Progent was able to collect unencrypted OST files (Outlook Offline Folder Files) from various desktops to recover mail data. A recent offline backup of the client's financials/ERP software made it possible to bring these essential applications back into service. Although substantial work remained to recover fully from the Ryuk attack, the most important services were restored quickly:
"For the most part, the production line operation ran fairly normally throughout and we produced all customer shipments."
Over the following month, critical milestones in the restoration were completed in close cooperation between Progent consultants and the client:
- Self-hosted web applications were returned to operation with no loss of data.
- The MailStore email archive server, containing more than four million archived emails, was brought online and made accessible to users.
- CRM, orders, invoicing, accounts payable, accounts receivable and inventory control modules were fully operational.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- 90% of user desktops were back in operation.
"So much of what occurred that first week is nearly entirely a fog for me, but we will not forget the care each and every one of your team took to give us our company back. I've utilized Progent for at least 10 years, possibly more, and every time Progent has come through and delivered. This event was a Herculean accomplishment."
A probable business-ending catastrophe was averted thanks to results-oriented professionals, a broad spectrum of subject matter expertise, and close collaboration. Post-incident analysis showed that the attack described here could have been blocked by modern security technology combined with NIST Cybersecurity Framework or ISO/IEC 27001 practices: staff training, well-designed data-protection procedures (including offline or immutable backups, which is what saved the ERP system here) and sound patch management. Even so, state-sponsored and criminal attackers from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to ransomware, Progent's team has substantial experience in ransomware prevention, removal and systems restoration.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thank you for allowing me to get some sleep after we got past the first week. All of you made an amazing effort, and if anyone is in the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)