Ransomware: Your Feared Information Technology Catastrophe
Crypto-ransomware has become an escalating cyberplague that poses an existential danger to any organization vulnerable to an attack. Older families such as Dharma, WannaCry, Locky, Syskey and MongoLock have been around for a long time and still cause havoc. More recent families such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Egregor, along with a steady stream of as-yet-unnamed variants, not only encrypt online data files but also encrypt every system backup they can reach. Data synchronized to cloud environments can be rendered useless as well, because the encrypted files are replicated to the cloud copy. In a vulnerable environment this makes automated recovery impossible and effectively sets the entire system back to zero.
Restoring applications and data after a ransomware intrusion becomes a race against the clock as the targeted organization fights to contain and remove the crypto-ransomware and to resume mission-critical activity. Because crypto-ransomware needs time to move laterally, attacks are usually triggered on weekends and at night, when they often take longer to detect. This multiplies the difficulty of rapidly assembling and organizing a knowledgeable mitigation team.
Progent offers a range of services for protecting Aurora organizations from ransomware attacks. These include staff training to help employees recognize and avoid phishing scams, and ProSight Active Security Monitoring, an endpoint detection and response (EDR) service built on SentinelOne's AI-based threat defense, to detect and shut down zero-day malware attacks. Progent also provides seasoned ransomware recovery consultants with the skills and perseverance to rebuild a breached environment as urgently as possible.
Progent's Ransomware Restoration Support Services
Following a ransomware event, paying the ransom in Bitcoin does not guarantee that the remote criminals will hand over the keys needed to decrypt all of your files. Kaspersky Labs estimated that 17% of ransomware victims never recovered their files even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000), well above the typical ransomware demand, which ZDNET put at roughly $13,000 for smaller businesses. The alternative is to rebuild the critical elements of your IT environment from scratch. Without complete data backups, this requires a wide range of skills, professional project management, and the willingness to work 24x7 until the recovery is done.
For decades, Progent has provided professional IT services to companies throughout the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who hold top certifications in key technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cyber security consultants hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications.) Progent also has experience with financial systems and ERP software. This breadth of experience lets Progent quickly identify the systems that must be restored after a ransomware event, salvage the surviving parts of your IT environment, and configure them into a functioning network.
Progent's security team uses best-of-breed project management tools to orchestrate the complex restoration process. Progent understands the importance of acting swiftly and working side by side with the customer's management and IT staff to prioritize tasks and bring the most important applications back online as soon as humanly possible.
Client Story: A Successful Ransomware Incident Response
A customer contacted Progent after their organization was taken over by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state-sponsored cybercriminals, who are suspected of adopting algorithms leaked from America's National Security Agency. Ryuk targets specific companies with limited ability to withstand disruption and is one of the most profitable ransomware operations. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company in the Chicago metro area with around 500 staff members. The Ryuk attack had frozen all business operations and manufacturing capabilities. Most of the client's data backups had been directly reachable from the network at the start of the intrusion and were destroyed. The client was preparing to pay the ransom (more than $200,000) and hoping for the best, but ultimately decided to engage Progent instead.
"I can't tell you enough regarding the support Progent gave us during the most stressful time of (our) company's existence. We had little choice but to pay the hackers except for the confidence the Progent experts afforded us. The fact that you were able to get our e-mail system and important applications back online in less than five days was earth shattering. Each expert I interacted with or communicated with at Progent was urgently focused on getting us restored and was working 24x7 to bail us out."
Progent worked with the client to quickly identify and prioritize the essential systems that had to be restored in order to resume business operations:
- Windows Active Directory
- Microsoft Exchange Server
- MRP System
Progent first followed industry best practices for malware incident response by isolating the affected systems and removing the active malware. Progent then began bringing Microsoft Active Directory back online, since it is the core of any enterprise network built on Microsoft Windows Server. The order of the list above follows the dependency chain: Microsoft Exchange Server messaging will not operate without Active Directory, and the customer's accounting and MRP system ran on Microsoft SQL Server, which depended on Windows AD authentication for access to its data.
Within two days, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then completed the rebuild and hard drive recovery of the remaining key systems. All Exchange data and attributes were intact, which greatly simplified the Exchange restore. Progent was also able to locate local OST files (Outlook Offline Data Files) on users' desktop computers and recover mail data from them. A reasonably recent off-line backup of the client's accounting/MRP systems made it possible to return these essential applications to users. Although major work remained to recover completely from the Ryuk attack, the critical systems were restored rapidly:
"For the most part, the production manufacturing operation never missed a beat and we produced all customer sales."
Over the next couple of weeks, key milestones in the restoration were reached through close cooperation between Progent consultants and the customer:
- Internal web sites were restored without losing any data.
- The MailStore Server, holding more than four million archived emails, was brought online and made available to users.
- CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control functions were completely restored.
- A new Palo Alto 850 security appliance was brought online.
- Ninety percent of the desktops and laptops were back in use by staff.
"Much of what occurred that first week is nearly entirely a fog for me, but my management will not soon forget the commitment all of your team showed to help get our business back. I've been working together with Progent for the past ten years, possibly more, and each time I needed help Progent has shined and delivered. This event was a testament to your capabilities."
A potential business catastrophe was averted thanks to results-oriented professionals, a wide array of expertise, and close collaboration. In retrospect, the crypto-ransomware incident described here could have been stopped by modern cyber security technology and security best practices: training for users and IT administrators, well-designed procedures for protecting data, and keeping systems current with security patches. The reality, however, is that government-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and will keep trying. If you are hit by a crypto-ransomware incursion, remember that Progent's roster of professionals has extensive experience in ransomware defense, removal, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were involved), thanks very much for allowing me to get rested after we made it over the first week. Everyone did an amazing job, and if anyone is around the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this case study, please click:
Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB)
Contact Progent for Ransomware Recovery Services in Aurora
For ransomware system restoration consulting in the Aurora metro area, call Progent at 800-462-8800 or see Contact Progent.