Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become an escalating cyberplague that poses an enterprise-level threat to businesses poorly prepared for an attack. Multiple generations of crypto-ransomware, such as the Dharma, CryptoWall, Locky, Syskey and MongoLock cryptoworms, have been circulating for a long time and continue to inflict havoc. Modern variants such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, along with unnamed newcomers, not only encrypt online data but also reach and corrupt most configured system restore points and backups. Data synced to the cloud can also be ransomed. In a poorly designed system, this renders automated recovery useless and effectively knocks the datacenter back to zero.
Bringing applications and data back online after a ransomware intrusion becomes a race against time as the victim fights to stop the spread, eradicate the ransomware, and restore business-critical operations. Because crypto-ransomware needs time to spread, attacks are usually launched on weekends and holidays, when a successful penetration tends to go unnoticed longer. This compounds the difficulty of promptly mobilizing and organizing an experienced response team.
Progent provides a range of services for protecting Bellevue businesses from ransomware incidents. These include training staff to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of the latest generation of security gateways with machine learning capabilities to detect and block new cyber threats. Progent can also provide experienced ransomware recovery engineers with the track record and perseverance to rebuild a compromised environment as rapidly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware attack, even paying the ransom in cryptocurrency does not guarantee that the remote criminals will hand over the keys needed to decrypt all your files. Kaspersky determined that seventeen percent of ransomware victims never recovered their files after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is well above the usual ransomware demand, which ZDNET determined to be around $13,000 for small organizations. The other path is to rebuild the essential components of your IT environment. Without access to complete system backups, this requires a broad set of skills, professional project management, and the capacity to work non-stop until the job is done.
For two decades, Progent has provided expert IT services to companies throughout the US and has earned Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals holding advanced certifications in key technologies from Microsoft, Cisco, VMware, and popular Linux distributions. Progent's security consultants hold internationally recognized certifications including CISM, CISSP, CRISC, and GIAC. (Visit Progent's certifications.) Progent also has experience with financial systems and ERP application software. This breadth of expertise allows Progent to rapidly understand critical systems, consolidate the surviving pieces of your IT environment after a ransomware attack, and rebuild them into an operational network.
Progent's ransomware team uses best-of-breed project management applications to coordinate the complex recovery process. Progent appreciates the importance of working quickly and in concert with a customer's management and IT staff to prioritize tasks and put the most important systems back online as fast as possible.
Case Study: A Successful Crypto-Ransomware Virus Restoration
A customer escalated to Progent after their network was penetrated by the Ryuk ransomware virus. Ryuk is generally believed to have been deployed by North Korean state-sponsored cybercriminals, possibly using algorithms leaked from the United States NSA. Ryuk targets specific businesses with little or no ability to sustain disruption and is one of the most lucrative incarnations of crypto-ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing company in the Chicago metro area with about 500 employees. The Ryuk attack had disabled all essential business and manufacturing processes. Most of the client's backups had been online at the time of the intrusion and were damaged. The client was pursuing financing to pay the ransom demand (exceeding $200K) and hoping for good luck, but ultimately engaged Progent.
"I cannot speak enough about the care Progent provided us during the most critical period of (our) business's life. We may have had to pay the cyber criminals behind the attack except for the confidence the Progent experts gave us. That you were able to get our e-mail and key applications back into operation in fewer than seven days was earth shattering. Every single expert I spoke to or e-mailed at Progent was laser focused on getting us back on-line and was working all day and night to bail us out."
Progent worked with the customer to rapidly identify and prioritize the mission-critical applications that had to be restored to restart company operations:
- Active Directory
- Accounting and Manufacturing Software
To begin, Progent followed antivirus/malware incident response best practices by halting lateral movement and performing malware removal. Progent then began restoring Active Directory, the core of enterprise networks built on Microsoft Windows technology. Microsoft Exchange Server messaging will not work without AD, and the business's financials and MRP system ran on Microsoft SQL Server, which relies on Active Directory for authentication to the databases.
Within 2 days, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then completed the rebuild and hard drive recovery of key servers. All Exchange Server schema and attributes were intact, which greatly simplified the Exchange rebuild. Progent was able to gather local OST files (Microsoft Outlook Offline Data Files) from staff workstations to recover email data. A relatively recent offline backup of the customer's accounting software made it possible to bring those essential applications back online. Although significant work remained to recover fully from the Ryuk event, critical systems were returned to operation rapidly:
"For the most part, the production manufacturing operation survived unscathed and we produced all customer shipments."
Over the next month critical milestones in the recovery process were completed in tight collaboration between Progent engineers and the client:
- In-house web applications were restored with no loss of data.
- The MailStore archive for Exchange Server, holding more than four million archived messages, was brought online and made accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/AR/Inventory capabilities were 100 percent recovered.
- A new Palo Alto Networks 850 firewall was installed.
- Nearly all of the user desktops and notebooks were back in use by staff.
"A huge amount of what occurred in the early hours is nearly entirely a fog for me, but we will not soon forget the commitment each of the team put in to help get our company back. I have been working together with Progent for at least 10 years, maybe more, and each time Progent has come through and delivered. This situation was a stunning achievement."
A potential business-ending catastrophe was averted through the efforts of results-oriented experts, a broad spectrum of technical expertise, and close teamwork. In hindsight, the ransomware attack described here could have been stopped with current cyber security systems and recognized best practices: user training, well-designed data protection procedures, and keeping systems current with security patches. The fact remains, however, that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and are not going away. If you are hit by a crypto-ransomware virus, remember that Progent's roster of experts has a proven track record in crypto-ransomware defense, remediation, and information systems recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thank you for making it so I could get rested after we got over the initial push. All of you did an incredible effort, and if any of your team is visiting the Chicago area, dinner is the least I can do!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this customer story, click:
Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB)