Ransomware : Your Worst Information Technology Catastrophe
Ransomware has become an all-too-frequent cyberplague that represents an extinction-level danger for businesses of all sizes that are vulnerable to an attack. Different iterations of crypto-ransomware like the Reveton, WannaCry, Locky, Syskey and MongoLock cryptoworms have been out in the wild for a long time and continue to inflict havoc. Newer variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit and Egregor, plus more unnamed variants, not only encrypt online data files but also infiltrate most accessible system backups. Files synched to the cloud can also be ransomed. In a vulnerable environment, this can make any restore operation impossible and essentially sets the network back to square one.
Getting on-line services and information back following a ransomware attack becomes a race against the clock as the victim tries its best to contain and eradicate the ransomware and to resume mission-critical activity. Because ransomware takes time to move laterally, penetrations are frequently launched on weekends, when successful attacks tend to take longer to identify. This compounds the difficulty of quickly mobilizing and orchestrating a capable mitigation team.
Progent makes available a range of services for protecting Aurora organizations from ransomware events. Among these are team member education to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of next-generation security solutions with AI capabilities to quickly discover and disable new threats. Progent can in addition provide the services of experienced ransomware recovery engineers with the talent and perseverance to restore a breached system as quickly as possible.
Progent's Crypto-Ransomware Recovery Services
Soon after a ransomware attack, sending the ransom in cryptocurrency does not guarantee that distant criminals will respond with the keys needed to decipher any of your information. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their files even after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is greatly above the average ransomware demand, which ZDNET estimated to be in the range of $13,000 for smaller organizations. The fallback is to set up the key components of your Information Technology environment from scratch. Without access to essential data backups, this calls for a broad complement of skill sets, professional team management, and the capability to work non-stop until the task is complete.
For two decades, Progent has offered professional Information Technology services for companies across the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have attained high-level industry certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have garnered internationally-renowned industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent in addition has expertise with accounting and ERP software solutions. This breadth of experience gives Progent the capability to knowledgeably understand critical systems, organize the surviving components of your computer network environment following a ransomware penetration, and configure them into a functioning network.
Progent's recovery group deploys state-of-the-art project management tools to orchestrate the complex restoration process. Progent appreciates the importance of working swiftly and together with a client's management and Information Technology team members to prioritize tasks and to get the most important systems back online as fast as possible.
Business Case Study: A Successful Crypto-Ransomware Virus Restoration
A business hired Progent after their network was taken over by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean government-sponsored cybercriminals, possibly adopting technology exposed from the U.S. NSA. Ryuk goes after specific businesses with little or no ability to sustain operational disruption and is one of the most profitable iterations of ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company based in Chicago with around 500 workers. The Ryuk intrusion had frozen all essential operations and manufacturing capabilities. The majority of the client's backups had been directly accessible at the time of the intrusion and were eventually encrypted. The client was taking steps to pay the ransom demand (exceeding $200K) and hoping for good luck, but ultimately brought in Progent.
"I cannot thank you enough for the care Progent provided us during the most stressful period of (our) company's existence. We would have had little choice but to pay the cyber criminals if it wasn't for the confidence the Progent team provided us. That you could get our messaging and critical servers back in less than seven days was incredible. Every single person I talked with or communicated with at Progent was laser focused on getting us back on-line and was working day and night on our behalf."
Progent worked hand in hand with the customer to quickly identify and prioritize the essential elements that had to be addressed in order to resume company operations:
- Active Directory
- Accounting and Manufacturing Software
To start, Progent followed incident response best practices by stopping lateral movement and disinfecting systems. Progent then initiated the work of recovering Windows Active Directory, the key technology of enterprise systems built on Microsoft Windows. Microsoft Exchange Server messaging will not work without Windows AD, and the business's financials and MRP software used Microsoft SQL Server, which needs Active Directory services for access to the databases.
In less than two days, Progent was able to recover Windows Active Directory to its pre-infection state. Progent then initiated reinstallations and hard drive recovery on the needed systems. All Microsoft Exchange Server schema and attributes were intact, which facilitated the restore of Exchange. Progent was able to assemble non-encrypted OST data files (Outlook Off-Line Data Files) from team PCs and laptops in order to recover mail messages. A relatively recent off-line backup of the client's accounting/ERP software made it possible to bring these vital services back online for users. Although major work remained to recover fully from the Ryuk attack, essential systems were restored rapidly:
"For the most part, the production operation ran fairly normal throughout and we did not miss any customer sales."
Throughout the following couple of weeks, critical milestones in the restoration process were completed in close cooperation between Progent consultants and the client:
- Internal web sites were returned to operation without losing any data.
- The MailStore Microsoft Exchange Server with over four million archived emails was restored to operations and available for users.
- CRM/Customer Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory Control capabilities were fully recovered.
- A new Palo Alto Networks 850 firewall was brought online.
- 90% of the user workstations were operational.
"A huge amount of what transpired in the initial days is nearly entirely a haze for me, but we will not soon forget the countless hours each of your team put in to help get our company back. I have been working with Progent for the past ten years, possibly more, and each time Progent has come through and delivered. This situation was the most impressive ever."
A possible company-ending disaster was averted by top-tier professionals, a wide range of knowledge, and tight collaboration. Although in retrospect the ransomware incident described here could have been identified and blocked with up-to-date security solutions and best practices, staff education, and well thought out security procedures for backup and proper patching controls, the fact remains that state-sponsored cybercriminals from China, North Korea and elsewhere are tireless and will continue their attacks. If you do fall victim to crypto-ransomware, remember that Progent's team of experts has proven experience in ransomware defense, remediation, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were involved), thank you for making it so I could get rested after we got through the most critical parts. All of you made an impressive effort, and if any of your team is in the Chicago area, dinner is the least I can do!"
Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet (PDF - 282 KB)