Ransomware : Your Feared IT Disaster
Ransomware has become a too-frequent cyberplague that represents an existential danger for organizations poorly prepared for an assault. Different versions of ransomware such as CrySIS, Fusob, Locky, Syskey and MongoLock cryptoworms have been running rampant for a long time and continue to inflict destruction. Newer variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit and Nephilim, along with more as yet unnamed newcomers, not only encrypt online data but also infect all configured system backups. Information synched to cloud environments can also be ransomed. In a poorly designed environment, this can render any restoration impossible and effectively sets the network back to zero.
Restoring services and information following a ransomware outage becomes a sprint against the clock as the targeted business tries its best to stop the spread and clear the ransomware and to resume mission-critical activity. Because crypto-ransomware requires time to replicate, penetrations are usually sprung during weekends and nights, when attacks typically take more time to uncover. This compounds the difficulty of rapidly marshalling and organizing a qualified mitigation team.
Progent offers a variety of help services for protecting Belo Horizonte enterprises from crypto-ransomware events. Among these are staff training to become familiar with and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with installation of next-generation security gateways with machine learning technology to automatically identify and extinguish zero-day cyber threats. Progent also offers the assistance of seasoned ransomware recovery engineers with the track record and commitment to restore a compromised network as urgently as possible.
Progent's Ransomware Recovery Services
Subsequent to a crypto-ransomware penetration, paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that cyber hackers will return the needed codes to decrypt any or all of your data. Kaspersky Labs estimated that 17% of ransomware victims never restored their information after having paid the ransom, resulting in additional losses. The risk is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the usual crypto-ransomware demands, which ZDNET estimated to be approximately $13,000 for small organizations. The other path is to setup from scratch the critical components of your Information Technology environment. Absent access to complete data backups, this calls for a wide range of IT skills, professional team management, and the ability to work continuously until the recovery project is finished.
For two decades, Progent has offered expert IT services for companies throughout the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have attained top industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have earned internationally-recognized certifications including CISA, CISSP, CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has expertise in accounting and ERP applications. This breadth of expertise gives Progent the capability to rapidly determine important systems and integrate the surviving parts of your computer network system following a ransomware attack and configure them into a functioning system.
Progent's security team of experts utilizes state-of-the-art project management systems to coordinate the complicated recovery process. Progent appreciates the urgency of working rapidly and in unison with a client's management and Information Technology resources to assign priority to tasks and to get key systems back online as fast as possible.
Customer Case Study: A Successful Ransomware Incident Response
A customer escalated to Progent after their company was taken over by Ryuk ransomware. Ryuk is believed to have been developed by Northern Korean state criminal gangs, suspected of adopting algorithms exposed from the United States National Security Agency. Ryuk seeks specific organizations with little room for disruption and is one of the most lucrative instances of ransomware viruses. Major organizations include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing company based in the Chicago metro area with around 500 employees. The Ryuk penetration had frozen all business operations and manufacturing capabilities. Most of the client's backups had been online at the start of the intrusion and were encrypted. The client considered paying the ransom demand (exceeding $200,000) and wishfully thinking for the best, but in the end called Progent.
"I canít speak enough in regards to the help Progent gave us during the most stressful time of (our) businesses life. We would have paid the hackers behind this attack if it wasnít for the confidence the Progent experts provided us. The fact that you were able to get our e-mail system and essential applications back quicker than 1 week was amazing. Every single expert I got help from or communicated with at Progent was urgently focused on getting my company operational and was working breakneck pace on our behalf."
Progent worked together with the customer to quickly understand and assign priority to the key areas that needed to be restored to make it possible to resume business operations:
To get going, Progent followed AV/Malware Processes event mitigation best practices by stopping the spread and removing active viruses. Progent then started the task of rebuilding Microsoft AD, the foundation of enterprise environments built on Microsoft technology. Microsoft Exchange Server email will not work without Windows AD, and the businessesí financials and MRP software leveraged SQL Server, which depends on Active Directory for security authorization to the data.
- Windows Active Directory
- Microsoft Exchange
- Accounting and Manufacturing Software
In less than two days, Progent was able to rebuild Windows Active Directory to its pre-virus state. Progent then accomplished reinstallations and hard drive recovery of mission critical servers. All Exchange ties and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was also able to find non-encrypted OST data files (Outlook Email Off-Line Folder Files) on staff PCs and laptops to recover email information. A recent off-line backup of the client's accounting/ERP systems made them able to restore these essential applications back available to users. Although major work still had to be done to recover totally from the Ryuk damage, core services were recovered rapidly:
"For the most part, the production line operation never missed a beat and we made all customer sales."
Throughout the following month critical milestones in the recovery process were achieved in close collaboration between Progent engineers and the client:
- Internal web sites were brought back up with no loss of data.
- The MailStore Microsoft Exchange Server exceeding four million historical emails was spun up and accessible to users.
- CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory Control functions were completely functional.
- A new Palo Alto 850 security appliance was set up.
- 90% of the user workstations were being used by staff.
"So much of what was accomplished in the initial days is mostly a blur for me, but I will not soon forget the care each and every one of you accomplished to help get our business back. Iíve been working together with Progent for at least 10 years, maybe more, and each time Progent has outperformed my expectations and delivered as promised. This time was a Herculean accomplishment."
A potential business extinction catastrophe was evaded through the efforts of dedicated experts, a broad range of IT skills, and tight collaboration. Although in post mortem the ransomware virus penetration described here should have been disabled with up-to-date cyber security technology solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user training, and well designed security procedures for backup and keeping systems up to date with security patches, the reality is that government-sponsored cybercriminals from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware virus, feel confident that Progent's roster of experts has substantial experience in crypto-ransomware virus defense, remediation, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were involved), thank you for allowing me to get rested after we made it over the first week. All of you did an incredible effort, and if anyone is in the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
File body_ransomware_recovery_contact_city.asp does not exist