Ransomware: Your Feared IT Catastrophe
Ransomware has become an all-too-frequent cyber plague that poses an extinction-level danger for organizations unprepared for an attack. Earlier families of ransomware such as the Reveton, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been circulating for many years and still cause havoc. More recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, along with additional unnamed malware, not only encrypt critical online data but also reach every system backup that is connected to the network. Files synchronized to the cloud can also be corrupted. In a poorly designed environment this renders automatic restore operations useless and effectively sends the entire system back to square one.
Recovering applications and data after a ransomware outage becomes a race against time as the victim fights to contain and eradicate the malware while restoring business-critical activity. Because ransomware takes time to spread, attacks are often launched on weekends and at night, when a successful intrusion may take longer to discover. This compounds the difficulty of promptly assembling and organizing a knowledgeable response team.
Progent offers an assortment of support services for protecting Arlington businesses from crypto-ransomware attacks. These include user training to recognize and avoid phishing scams, and ProSight Active Security Monitoring, an endpoint detection and response service that uses SentinelOne's AI-based threat defense to detect and stop zero-day modern malware attacks. Progent also provides experienced crypto-ransomware recovery engineers with the track record and perseverance to rebuild a breached network as rapidly as possible.
Progent's Crypto-Ransomware Restoration Support Services
Following a ransomware event, even paying the ransom demand in cryptocurrency provides no assurance that the attackers will hand over the keys needed to decrypt all your information. Kaspersky Labs estimated that seventeen percent of crypto-ransomware victims never recovered their data after sending off the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is far above the average ransomware demand, which ZDNET estimated to be around $13,000 for smaller organizations. The other path is to rebuild the mission-critical elements of your IT environment. Without complete information backups, this requires a broad range of skill sets, top-notch team management, and the ability to work 24x7 until the task is done.
For two decades, Progent has provided certified expert IT services for businesses across the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who hold high-level certifications in leading technologies from Microsoft, Cisco and VMware, and in popular distributions of Linux. Progent's cybersecurity engineers have earned internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with financial systems and ERP application software. This breadth of expertise allows Progent to quickly identify the important systems, organize the surviving pieces of your IT environment after a crypto-ransomware intrusion, and rebuild them into an operational network.
Progent's security group uses best-of-breed project management systems to orchestrate the complex recovery process. Progent appreciates the importance of acting quickly and in concert with a customer's management and IT staff to prioritize tasks and bring critical applications back online as fast as humanly possible.
Client Story: A Successful Crypto-Ransomware Penetration Response
A customer engaged Progent after their organization was brought down by the Ryuk ransomware. Ryuk is believed to have been launched by North Korean state hackers, suspected of using technology leaked from the United States National Security Agency. Ryuk goes after specific organizations with limited tolerance for disruption and is one of the most profitable ransomware families. Notable targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturer headquartered in Chicago with about 500 employees. The Ryuk attack had frozen all company operations and manufacturing processes. Most of the client's system backups had been online at the time of the attack and were eventually encrypted. The client was actively seeking loans to pay the ransom (in excess of $200K) and hoping for the best, but in the end decided to engage Progent.
"I cannot tell you enough about the support Progent provided us throughout the most fearful time of (our) business's survival. We may have had to pay the cyber criminals behind the attack if not for the confidence the Progent group provided us. That you were able to get our e-mail and important servers back online quicker than seven days was amazing. Each person I spoke to or communicated with at Progent was hell bent on getting our system up and was working day and night on our behalf."
Progent worked with the customer to rapidly identify and prioritize the mission-critical applications that had to be recovered for company operations to continue:
- Active Directory (AD)
- Exchange Server
To begin, Progent followed anti-malware incident response best practices by isolating and cleaning infected systems. Progent then started the task of bringing Active Directory back online, since AD is the core of enterprise networks built on Microsoft technology. Microsoft Exchange messaging will not work without AD, and the customer's accounting and MRP applications ran on Microsoft SQL Server, which depends on Active Directory for database access control.
In less than 2 days, Progent rebuilt Active Directory to its pre-attack state. Progent then performed setup and storage recovery on the most important servers. All Microsoft Exchange Server data and configuration information were intact, which simplified the rebuild of Exchange. Progent was able to collect unencrypted OST files (Microsoft Outlook Offline Data Files) from various PCs to recover mail data. A recent offline backup of the client's accounting/ERP software made it possible to return these required programs to users. Although significant work remained to recover completely from the Ryuk attack, essential systems were returned to operation quickly:
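The recovery sequence above (isolate infected hosts first, then rebuild Active Directory, then the services that depend on it) is a dependency-ordered restore. The following added example, which is not Progent's tooling or anything from the case study, shows how a recovery runbook can be generated from a service dependency graph with a priority-aware topological sort (Kahn's algorithm), so that a service is never scheduled before something it relies on and business-critical services come first among those that are otherwise independent. The dependency map, priorities and host names are constructed for illustration and modelled loosely on the services named in this case study.

```python
"""Generate a dependency-ordered ransomware recovery runbook.

Added example, not Progent's own process. The service graph, priorities and
compromised host names below are constructed to mirror the case study:
Exchange and SQL Server need Active Directory, the ERP/MRP application needs
SQL Server, and so on.
"""
import heapq

# Constructed dependency map: service -> set of services it requires.
SERVICE_DEPENDENCIES = {
    "active_directory": set(),
    "exchange": {"active_directory"},
    "sql_server": {"active_directory"},
    "erp_mrp": {"sql_server"},
    "web_apps": {"active_directory", "sql_server"},
    "mailstore": {"active_directory"},
}

# Constructed business priority: lower number = restore sooner when
# dependencies allow a choice (e.g. e-mail before the mail archive).
PRIORITY = {
    "active_directory": 0,
    "exchange": 1,
    "sql_server": 1,
    "erp_mrp": 2,
    "web_apps": 3,
    "mailstore": 4,
}


def restore_order(deps, priority=None):
    """Return services ordered so each one follows everything it depends on.

    Kahn's algorithm with a min-heap keyed by (priority, name) so that among
    services whose dependencies are already restored, the most critical goes
    first. Raises ValueError for unknown services or a cycle, either of which
    means the runbook itself is wrong and must be fixed before an incident.
    """
    priority = priority or {}
    indegree = {svc: 0 for svc in deps}
    dependents = {svc: [] for svc in deps}
    for svc, required in deps.items():
        for req in required:
            if req not in deps:
                raise ValueError(f"{svc} depends on unknown service {req}")
            indegree[svc] += 1
            dependents[req].append(svc)

    ready = [(priority.get(svc, 99), svc) for svc, d in indegree.items() if d == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, svc = heapq.heappop(ready)
        order.append(svc)
        for child in dependents[svc]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, (priority.get(child, 99), child))

    if len(order) != len(deps):
        raise ValueError("dependency cycle in recovery plan")
    return order


def build_runbook(deps, priority, compromised_hosts):
    """Phase 1 isolates every known-compromised host; phase 2 restores services
    in dependency order. Returns a list of (action, target) steps."""
    steps = [("isolate", host) for host in sorted(compromised_hosts)]
    steps += [("restore", svc) for svc in restore_order(deps, priority)]
    return steps


if __name__ == "__main__":
    # Constructed list of hosts flagged by endpoint detection.
    for action, target in build_runbook(SERVICE_DEPENDENCIES, PRIORITY, {"fs01", "ws-42"}):
        print(f"{action:8} {target}")
```

Running the block prints the isolation steps followed by the restore order `active_directory, exchange, sql_server, erp_mrp, web_apps, mailstore`. Keeping the dependency map in version control and validating it with `restore_order` before any incident catches cycles and missing services while there is still time to fix them.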
"For the most part, the manufacturing operation ran fairly normal throughout and we produced all customer orders."
Over the following month, the remaining milestones in the recovery were reached through close collaboration between Progent consultants and the customer:
- Self-hosted web applications were brought back up without losing any data.
- The MailStore Server containing more than 4 million historical emails was spun up and available for users.
- CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control functions were 100 percent restored.
- A new Palo Alto 850 firewall was installed and configured.
- Most of the desktops and laptops were back into operation.
"Much of what transpired during the initial response is mostly a haze for me, but we will not forget the care all of you accomplished to help get our business back. I have entrusted Progent for the past ten years, maybe more, and each time I needed help Progent has shined and delivered. This situation was a life saver."
A potential business-extinction disaster was averted by dedicated professionals, a wide spectrum of knowledge, and tight collaboration. In hindsight, the crypto-ransomware intrusion described here could have been identified and prevented with advanced security technology, recognized best practices, user and IT administrator education, and properly executed procedures for protecting information and keeping systems current with security patches. The fact remains, however, that state-sponsored hackers from Russia, China and elsewhere are relentless and will keep trying. If you are hit by a ransomware attack, remember that Progent's roster of experts has extensive experience in ransomware defense, cleanup, and information systems recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thanks very much for letting me get some sleep after we made it over the most critical parts. All of you did an amazing effort, and if any of your guys is visiting the Chicago area, dinner is the least I can do!"
Download the Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this customer case study, see Progent's Ryuk Incident Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Recovery Expertise in Arlington
For ransomware recovery consulting in the Arlington metro area, phone Progent at 800-462-8800 or see Contact Progent.