Ransomware: Your Crippling Information Technology Disaster
Ransomware has become a modern cyber pandemic and poses an existential threat to businesses of any size that are poorly prepared for an attack. Long-established crypto-ransomware families such as CrySIS, CryptoWall, Bad Rabbit, SamSam and MongoLock have been around for years and still cause havoc. Newer families such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, Snatch and Nephilim, along with a steady stream of as yet unnamed malware, do not just encrypt on-line data files: they also seek out and encrypt or delete any backup they can reach. Data synchronized to an off-site disaster recovery site can be corrupted as well, because replication faithfully copies the encrypted files. In a poorly designed environment this can make recovery impossible and effectively sets the network back to square one.
Recovering applications and data after a ransomware intrusion becomes a race against the clock as the targeted business fights to contain and remove the ransomware and resume mission-critical activity. Because ransomware needs time to spread, attacks are often launched on nights and weekends, when they are less likely to be noticed quickly. This compounds the difficulty of rapidly assembling and coordinating an experienced response team.
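The failure mode described above, a backup set or DR replica that silently contains the attacker's encrypted files, is worth checking for before any restore is attempted. The following Python script is an added example, not Progent's or any vendor's tooling: it walks a backup tree and flags files that carry a known ransomware extension (the list is illustrative and assumed; Ryuk appends .RYK and CrySIS/Dharma appends .dharma), files whose leading bytes no longer match the format their extension claims, and files that should be plain text but have near-random byte entropy. The sample backup it scans is constructed inline.

```python
"""Screen a backup or DR replica for ransomware-encrypted files before
trusting it for a restore.  Added example, not part of the original page."""
import math
import os
import random
import tempfile
from collections import Counter
from typing import Optional

# Illustrative list (assumed; tune for your environment).  Ryuk renames
# encrypted files with .RYK and CrySIS/Dharma with .dharma; the others are
# generic names seen across many families.
RANSOM_EXTENSIONS = {".ryk", ".dharma", ".encrypted", ".locked"}

# Expected leading bytes for a few common document formats.
MAGIC = {
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".zip": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0",),
    ".xls": (b"\xd0\xcf\x11\xe0",),
    ".png": (b"\x89PNG",),
}
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".xml", ".sql", ".json", ".ini"}
SAMPLE_BYTES = 64 * 1024
HIGH_ENTROPY = 7.5  # bits per byte; plain text is usually well below 6


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is indistinguishable from random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: str) -> Optional[str]:
    """Return a reason string if the file looks encrypted, else None."""
    ext = os.path.splitext(path)[1].lower()
    if ext in RANSOM_EXTENSIONS:
        return f"ransomware extension {ext}"
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    expected = MAGIC.get(ext)
    if expected and not any(head.startswith(m) for m in expected):
        return f"header does not match {ext}"
    if ext in TEXT_EXTENSIONS:
        entropy = shannon_entropy(head)
        if entropy > HIGH_ENTROPY:
            return f"text file with entropy {entropy:.2f} bits/byte"
    return None


def scan_backup(root: str) -> dict:
    """Walk a backup tree; report suspicious files and the fraction affected."""
    suspicious = {}
    total = 0
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            total += 1
            reason = classify(full)
            if reason:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                suspicious[rel] = reason
    ratio = len(suspicious) / total if total else 0.0
    return {"total": total, "suspicious": suspicious, "ratio": ratio}


def build_sample_backup(root: str) -> None:
    """Constructed sample data: three clean files and two encrypted ones."""
    rng = random.Random(1)
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    os.makedirs(os.path.join(root, "finance"), exist_ok=True)
    with open(os.path.join(root, "finance", "ledger.csv"), "w") as fh:
        fh.write("date,account,amount\n" + "2020-01-01,4000,125.00\n" * 200)
    with open(os.path.join(root, "finance", "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 50)
    with open(os.path.join(root, "finance", "budget.docx"), "wb") as fh:
        fh.write(b"PK\x03\x04" + rand(2000))  # compressed container, legitimate
    # Encrypted by the attacker and renamed with the Ryuk extension.
    with open(os.path.join(root, "finance", "plan.xlsx.RYK"), "wb") as fh:
        fh.write(rand(4000))
    # Encrypted in place: still named .docx but no longer a zip container.
    with open(os.path.join(root, "finance", "contract.docx"), "wb") as fh:
        fh.write(rand(4000))


def demo() -> dict:
    """Build the constructed backup in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_backup(tmp)
        return scan_backup(tmp)


if __name__ == "__main__":
    report = demo()
    for rel, why in sorted(report["suspicious"].items()):
        print(f"SUSPECT {rel}: {why}")
    print(f"{len(report['suspicious'])}/{report['total']} files suspicious "
          f"({report['ratio']:.0%}); review before restoring from this set")
```

A non-zero ratio on a snapshot that should predate the intrusion means the attacker reached the backup, and the restore should come from an older or truly off-line copy instead. The header check matters because compressed formats (Office documents, PDFs with embedded images) have high entropy on their own, so entropy alone would produce false positives.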
Progent provides a range of services for protecting Barra da Tijuca organizations from ransomware attacks. These include staff training to recognize and avoid phishing lures, and ProSight Active Security Monitoring (ASM), an endpoint detection and response service built on SentinelOne's AI-based threat protection to detect and quarantine zero-day malware. Progent also provides experienced ransomware recovery engineers with the track record and persistence to rebuild a compromised environment as quickly as possible.
Progent's Ransomware Recovery Support Services
After a crypto-ransomware attack, even paying the ransom in cryptocurrency gives no assurance that the remote criminals will hand over the keys needed to decrypt all your data. Kaspersky Lab found that 17 percent of ransomware victims never recovered their files even after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000), well above the typical demand, which ZDNet put at around $13,000 for small businesses. The alternative is to rebuild the mission-critical parts of your IT environment from scratch. Without complete, uncompromised backups, this requires a wide range of IT skills, well-coordinated project management, and the ability to work around the clock until the recovery is finished.
For decades, Progent has provided expert IT services to companies across the United States and holds Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals holding high-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security specialists hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC (see Progent's certifications). Progent also has expertise with accounting and ERP applications. This breadth of expertise lets Progent quickly identify critical systems, salvage the surviving pieces of your network after a ransomware attack, and rebuild them into a working environment.
Progent's security team uses proven project management processes to coordinate the complex restoration effort. Progent understands the urgency of working quickly, together with the client's management and IT staff, to prioritize tasks and bring essential systems back online as soon as possible.
Business Case Study: A Successful Ransomware Intrusion Restoration
A client contacted Progent after their company was brought down by the Ryuk crypto-ransomware. Ryuk was initially attributed by some researchers to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; later analysis attributed it to a Russian-speaking criminal group. Ryuk targets specific organizations with little tolerance for downtime and is among the most profitable ransomware families. Widely publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a manufacturing business based in Chicago with around 500 employees. The Ryuk attack had halted all business operations and manufacturing processes. Most of the client's backups had been on-line at the time of the intrusion and were encrypted along with everything else. The client was considering paying the ransom (more than $200K) and hoping for the best, but in the end engaged Progent.
"I cannot say enough in regards to the care Progent gave us during the most critical time of (our) business's existence. We most likely would have paid the criminal gangs except for the confidence the Progent team provided us. That you were able to get our e-mail and key servers back in less than 1 week was something I thought impossible. Each staff member I worked with or messaged at Progent was absolutely committed to getting us back on-line and was working 24 by 7 on our behalf."
Progent worked hand in hand with the client to quickly identify and prioritize the critical applications that had to be restored before company operations could resume:
- Microsoft Active Directory
- Microsoft Exchange
- Accounting and Manufacturing Software
To begin, Progent followed malware incident response best practices by isolating and cleaning the infected systems. Progent then started restoring Active Directory, the core of an enterprise environment built on Windows Server. Exchange will not operate without AD, and the client's financial and MRP software ran on Microsoft SQL Server, which relied on Windows (AD) authentication to control access to the data.
In less than two days, Progent restored Active Directory to its pre-attack state, then moved on to rebuilding critical servers and recovering their storage. All Exchange Server data and configuration were intact, which simplified the Exchange rebuild. Progent was also able to harvest local OST files (Microsoft Outlook Offline Data Files) from staff desktops and laptops to recover mail that had been cached on those machines. A reasonably recent off-line backup of the client's accounting/ERP software made it possible to bring those essential applications back online. Although significant work remained to recover fully from the Ryuk attack, core services were restored quickly:
"For the most part, the assembly line operation showed little impact and we made all customer deliverables."
Over the following month, further milestones in the restoration were reached through close cooperation between Progent engineers and the client:
- Internal web sites were returned to operation without any data loss.
- The MailStore email archive, containing more than four million historical messages, was back in service and available to users.
- CRM, customer orders, invoicing, accounts payable, accounts receivable (AR) and inventory control functions were fully operational.
- A new Palo Alto Networks PA-850 firewall was brought online.
- 90% of user desktops were fully operational.
"So much of what transpired that first week is mostly a fog for me, but we will not soon forget the commitment all of your team accomplished to give us our business back. I have utilized Progent for at least 10 years, possibly more, and each time I needed help Progent has impressed me and delivered. This event was no exception but maybe more Herculean."
A likely business-ending disaster was averted by dedicated professionals, a wide range of IT skills, and close teamwork. Although, with the benefit of the forensic review, the ransomware intrusion described here could have been blocked by modern security systems and best practices, staff training, and well-designed incident response procedures for protecting data and applying software patches, the fact remains that criminal and state-sponsored groups from Russia, North Korea and elsewhere are relentless and pose an ongoing threat. If you do fall victim to crypto-ransomware, be confident that Progent's team has proven experience in ransomware defense, cleanup, and information systems recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thanks very much for letting me get rested after we made it over the initial push. All of you put in an amazing effort, and if anyone is in the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Consulting in Barra da Tijuca
For ransomware cleanup services in the Barra da Tijuca metro area, call Progent at 800-462-8800 or go to Contact Progent.