Ransomware: Your Worst IT Nightmare
Crypto-ransomware has become an all-too-frequent cyberplague that poses an extinction-level threat to businesses unprepared for an attack. Ransomware families such as Reveton, WannaCry, Bad Rabbit, SamSam and the MongoLock cryptoworms have been replicating for years and continue to inflict damage. Modern strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nephilim, plus a steady stream of as yet unnamed newcomers, not only encrypt online data but also infiltrate every accessible system restore point and backup. Data synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly architected data protection solution, this can defeat any recovery and effectively knocks the datacenter back to zero.
Restoring applications and data after a ransomware attack becomes a race against time as the targeted organization struggles to contain the damage, eradicate the crypto-ransomware and restore mission-critical activity. Because ransomware needs time to move laterally, attacks are usually sprung at night, when they may take longer to uncover. This compounds the difficulty of quickly marshalling and orchestrating a capable mitigation team.
Progent offers a range of solutions for securing Bellevue businesses against crypto-ransomware attacks. These include staff training to help identify and avoid phishing exploits, and ProSight Active Security Monitoring (ASM) for endpoint detection and response, which uses SentinelOne's behavior-based threat protection to identify and extinguish zero-day malware attacks. Progent also offers the services of veteran ransomware recovery consultants with the track record and commitment to restore a compromised system as rapidly as possible.
Progent's Crypto-Ransomware Restoration Help
Following a ransomware attack, paying the ransom demand in Bitcoin does not guarantee that the criminal gang will respond with the keys needed to decrypt any of your data. Kaspersky estimated that 17% of ransomware victims never recovered their files even after paying the ransom, resulting in increased losses. The ransom itself is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the usual crypto-ransomware demand, which ZDNET estimated to be around $13,000 for small businesses. The alternative is to rebuild the vital components of your IT environment. Without complete system backups, this requires a broad complement of IT skills, top-notch project management, and the ability to work non-stop until the job is done.
For twenty years, Progent has provided certified expert IT services to businesses throughout the United States and has achieved Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who hold advanced industry certifications in key technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cybersecurity specialists have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has expertise with accounting and ERP software. This breadth of expertise gives Progent the capability to knowledgeably assess critical systems, organize the remaining pieces of your IT environment following a crypto-ransomware event, and rebuild them into a functioning network.
Progent's security team uses capable project management tools to coordinate the complex recovery process. Progent understands the urgency of working rapidly and in unison with a customer's management and IT staff to prioritize tasks and to bring critical applications back online as fast as possible.
Client Story: A Successful Ransomware Intrusion Recovery
A small business hired Progent after its network was taken over by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state-sponsored hackers, possibly adopting techniques leaked from America's NSA. Ryuk targets specific organizations with little tolerance for disruption and is among the most lucrative strains of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business based in the Chicago metro area with around 500 staff members. The Ryuk attack had frozen all company operations and manufacturing capabilities. The majority of the client's system backups had been online at the time of the intrusion and were encrypted. The client considered paying the ransom demand (in excess of $200K) and hoping for the best, but ultimately engaged Progent.
"I cannot say enough about the care Progent gave us during the most critical period of (our) company's survival. We would have had little choice but to pay the cyber criminals if not for the confidence the Progent team gave us. That you were able to get our e-mail and important servers back in less than seven days was earth shattering. Every single expert I got help from or communicated with at Progent was absolutely committed to getting us operational and was working day and night to bail us out."
Progent worked with the customer to quickly identify and prioritize the key applications that had to be restored in order to resume departmental functions:
- Windows Active Directory
- Microsoft Exchange Server
- MRP System
To start, Progent followed industry best practices for anti-virus/malware incident response by stopping the spread and cleaning up compromised systems. Progent then began restoring Microsoft Active Directory, the core technology of enterprise networks built on Microsoft Windows. Microsoft Exchange Server messaging will not function without Windows AD, and the customer's MRP applications relied on Microsoft SQL Server, which needs Active Directory to authenticate access to the databases.
In less than 2 days, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then performed configuration and disk recovery of mission-critical systems. All Microsoft Exchange Server data and attributes were usable, which accelerated the rebuild of Exchange. Progent was able to locate intact OST files (Outlook Offline Folder Files) on user PCs in order to recover email data. A recent offline backup of the business's financial/ERP software made it possible to bring these required applications back online for users. Although major work remained to recover fully from the Ryuk event, essential systems were returned to operation quickly:
"For the most part, the manufacturing operation showed little impact and we delivered all customer deliverables."
Over the following few weeks, key milestones in the restoration process were reached through close collaboration between Progent consultants and the client:
- Self-hosted web applications were returned to operation without losing any data.
- The MailStore Server, holding more than 4 million archived emails, was brought up and made available to users.
- CRM, product ordering, invoicing, accounts payable, accounts receivable and inventory control capabilities were fully restored.
- A new Palo Alto Networks 850 firewall was set up.
- Most of the user desktops and notebooks were back in use by staff.
"Much of what transpired during the initial response is nearly entirely a blur for me, but our team will not forget the countless hours each and every one of the team accomplished to help get our company back. I have trusted Progent for at least 10 years, possibly more, and each time I needed help Progent has shined and delivered as promised. This time was the most impressive ever."
A potential business-extinction disaster was averted with results-oriented experts, a broad array of IT skills, and tight collaboration. Forensics showed that the ransomware attack described here could have been blocked with up-to-date security solutions, NIST Cybersecurity Framework best practices, staff training, and appropriate procedures for data protection and software patching. The reality remains, however, that state-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and pose an ongoing threat. If you are hit by a ransomware attack, you can be confident that Progent's roster of professionals has proven experience in crypto-ransomware blocking, removal, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were helping), thanks very much for making it so I could get rested after we made it through the most critical parts. Everyone made a fabulous effort, and if anyone is around the Chicago area, a great meal is the least I can do!"
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this ransomware incident report, see Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Recovery Expertise in Bellevue
For ransomware system recovery services in the Bellevue metro area, phone Progent at 800-462-8800 or go to Contact Progent.