Ransomware: Your Worst Information Technology Nightmare
Crypto-ransomware has become an escalating cyber pandemic that poses an existential danger to organizations vulnerable to attack. Ransomware families such as Reveton, WannaCry, Bad Rabbit, Syskey and MongoLock have been running rampant for years and continue to cause destruction. Modern variants such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, LockBit and Egregor, along with newer strains that have yet to be named, not only encrypt online files but also encrypt or delete any system backups reachable from the compromised network. Files replicated to cloud storage can be overwritten with their encrypted versions by the same synchronization that normally protects them. In a poorly designed data protection solution, this can make automated restore operations hopeless and effectively set the datacenter back to zero.
Getting applications and data back online after a crypto-ransomware outage becomes a race against the clock as the targeted business fights to contain the damage, eradicate the ransomware and resume business-critical activity. Because encrypting an entire network takes time, attacks are usually launched on weekends and holidays, when a successful intrusion is likely to go unnoticed for longer. This compounds the difficulty of promptly mobilizing and orchestrating a qualified response team.
Progent offers a range of services for protecting Belo Horizonte organizations from ransomware attacks. These include staff training to help identify and avoid phishing scams, and ProSight Active Security Monitoring (ASM), an endpoint detection and response (EDR) service built on SentinelOne's behavior-based threat protection to detect and contain zero-day malware attacks. Progent can also provide expert ransomware recovery professionals with the skill and perseverance to restore a compromised environment as quickly as possible.
Progent's Ransomware Recovery Support Services
After a crypto-ransomware event, paying the ransom in cryptocurrency does not ensure that the criminals will return the keys needed to decrypt your data. Kaspersky Lab found that 17% of ransomware victims who paid never recovered their information, compounding their losses. Paying is also expensive. Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000 at exchange rates of the time), far higher than typical ransomware demands, which ZDNet estimated at around $13,000 for smaller organizations. The alternative is to rebuild the critical parts of your IT environment. Without access to complete, uncompromised backups, this requires a broad range of skills, professional project management, and the capacity to work around the clock until the job is done.
For two decades, Progent has provided expert IT services to businesses throughout the U.S. and holds Microsoft Partner competencies in Datacenter and Cloud Productivity. Progent's team of subject matter experts includes engineers with top-level certifications in foundation technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's cybersecurity consultants hold internationally recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent also has expertise with financial systems and ERP applications. This breadth of expertise enables Progent to quickly understand critical systems, reassemble the surviving components of your IT environment after a ransomware intrusion, and configure them into an operational network.
Progent's security team uses modern project management tools to coordinate the complex restoration process. Progent understands the importance of working swiftly and in concert with a customer's management and IT staff to prioritize tasks and bring critical systems back online as soon as possible.
Customer Case Study: A Successful Ransomware Incident Restoration
A business engaged Progent after its network was hit by Ryuk crypto-ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the Hermes ransomware that the Lazarus Group had used, but later analysis by security vendors attributes it to a Russian-speaking criminal group (Wizard Spider, the operators of the TrickBot botnet). Ryuk targets specific companies with little or no ability to tolerate disruption and is among the most profitable ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and Tribune Publishing, owner of the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in Chicago with about 500 employees. The Ryuk attack had halted all essential business and manufacturing processes. Most of the client's system backups had been online at the start of the attack and were encrypted along with the production data. The client considered paying the ransom demand (more than $200K) and hoping for the best, but ultimately decided to engage Progent.
"I cannot say enough about the support Progent provided us during the most fearful period of (our) business's existence. We may have had to pay the Hackers except for the confidence the Progent team gave us. That you were able to get our messaging and key applications back quicker than seven days was incredible. Every single consultant I got help from or communicated with at Progent was totally committed to getting our system up and was working all day and night to bail us out."
Progent worked with the client to rapidly assess and prioritize the critical services that had to be restored before business operations could resume:
- Active Directory
- Microsoft Exchange Server
First, Progent followed incident response best practices by isolating affected systems and removing the malware. Progent then began restoring Active Directory, the foundation of enterprise environments built on Microsoft technology. Microsoft Exchange will not function without Active Directory, and the client's accounting and MRP software ran on Microsoft SQL Server, which relied on Active Directory for authentication and authorization to the databases.
In less than two days, Progent rebuilt Active Directory to its pre-attack state. Progent then carried out reinstallations and disk recovery for the most important applications. All Microsoft Exchange Server links and configuration data were intact, which simplified the Exchange restore. Progent was also able to collect intact Offline Outlook Data Files (.ost) from staff workstations to recover mailbox contents. A relatively recent offline backup of the client's financials/ERP software made it possible to bring those vital applications back online. Although much work remained to recover fully from the Ryuk attack, essential systems were restored rapidly:
"For the most part, the production manufacturing operation was never shut down and we produced all customer sales."
Over the following month, important milestones in the restoration project were reached through close cooperation between Progent staff and the customer:
- Self-hosted web applications were brought back online with no loss of data.
- The MailStore Server archive, holding more than four million messages, was restored to service and made accessible to users.
- CRM, order entry, invoicing, accounts payable, accounts receivable and inventory control functions were fully operational.
- A new Palo Alto Networks PA-850 firewall was brought online.
- Nearly all desktop computers were fully operational.
"A huge amount of what went on that first week is mostly a haze for me, but I will not forget the urgency each of your team put in to help get our business back. I have trusted Progent for the past 10 years, maybe more, and every time Progent has shined and delivered. This time was a life saver."
A potential business catastrophe was averted by results-oriented experts, a wide range of knowledge, and close teamwork. Although in hindsight the ransomware attack described here could have been prevented with up-to-date cybersecurity solutions and ISO/IEC 27001 best practices, user and IT administrator training, and well-thought-out procedures for backup protection and patch management, the fact is that criminal and state-sponsored groups from China, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware incident, remember that Progent's team of experts has a proven track record in ransomware defense, mitigation, and data restoration.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for making it so I could get some sleep after we got through the first week. Everyone did an amazing job, and if any of your team is in the Chicago area, a great meal is on me!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Services in Belo Horizonte
For ransomware system recovery consulting services in the Belo Horizonte area, phone Progent at 800-462-8800 or see Contact Progent.