Ransomware: Your Worst IT Disaster
Ransomware has become an escalating cyberplague that represents an existential threat for businesses of all sizes vulnerable to an assault. Iterations of ransomware such as the Dharma, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for years and continue to wreak havoc. More recent crypto-ransomware families such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Egregor, along with daily unnamed variants, not only encrypt on-line data but also infiltrate any accessible system backup. Files synchronized to the cloud can also be corrupted. In a poorly architected environment, this renders automated restoration useless and effectively sets the entire system back to square one.
Getting on-line services and information back after a ransomware event becomes a sprint against the clock as the victim fights to contain the damage, eradicate the ransomware, and restore mission-critical operations. Because ransomware takes time to spread, attacks are usually sprung during nights and weekends, when penetrations often take longer to discover. This compounds the difficulty of promptly assembling and organizing a qualified mitigation team.
Progent offers a range of services for protecting Beverly Hills enterprises from crypto-ransomware events. Among these are user training to help staff identify and avoid phishing scams, and ProSight Active Security Monitoring for endpoint detection and response, which uses SentinelOne's behavior-based cyberthreat defense to discover and extinguish zero-day malware attacks. Progent also provides the services of veteran ransomware recovery professionals with the track record and commitment to reconstruct a compromised system as quickly as possible.
Progent's Crypto-Ransomware Recovery Support Services
After a crypto-ransomware event, even paying the ransom in cryptocurrency provides no assurance that merciless criminals will respond with the keys needed to decipher all your files. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their files after sending off the ransom, resulting in increased losses. Taking that risk is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is well above the typical crypto-ransomware demand, which ZDNET determined to be around $13,000 for small businesses. The fallback is to piece back together the mission-critical components of your Information Technology environment. Without access to essential system backups, this requires a broad range of IT skills, professional team management, and the willingness to work non-stop until the job is complete.
For decades, Progent has provided expert IT services for companies across the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who hold top industry certifications in leading technologies from Microsoft, Cisco, VMware, and the major distributions of Linux. Progent's cybersecurity experts have earned internationally recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial management and ERP applications. This breadth of expertise gives Progent the skills to efficiently understand important systems, re-organize the surviving components of your network environment following a crypto-ransomware penetration, and assemble them into an operational system.
Progent's security team deploys best-of-breed project management applications to coordinate the complicated restoration process. Progent understands the urgency of acting swiftly and of working together with a client's management and IT resources to prioritize tasks and get critical services back on-line as fast as possible.
Customer Case Study: A Successful Crypto-Ransomware Intrusion Restoration
A client escalated to Progent after their network was brought down by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean government-sponsored cybercriminals, possibly adopting algorithms leaked from the United States National Security Agency. Ryuk goes after specific companies with little or no tolerance for operational disruption and is one of the most profitable instances of ransomware malware. High-profile victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business based in the Chicago metro area with around 500 employees. The Ryuk penetration had disabled all business operations and manufacturing processes. Most of the client's information backups had been on-line at the beginning of the intrusion and were eventually encrypted. The client was actively seeking loans to pay the ransom demand (in excess of $200,000) and hoping for good luck, but ultimately called Progent.
"I cannot tell you enough about the expertise Progent provided us throughout the most critical period of (our) company's survival. We may have had to pay the criminal gangs if it wasn't for the confidence the Progent experts provided us. That you were able to get our messaging and essential applications back in less than seven days was earth shattering. Each staff member I got help from or texted at Progent was totally committed to getting our system up and was working at all hours on our behalf."
Progent worked with the customer to rapidly identify and prioritize the essential applications that had to be restored to make it possible to continue company functions:
- Microsoft Active Directory
- Microsoft Exchange Email
To begin, Progent followed industry best practices for antivirus/malware incident mitigation by isolating affected systems and performing malware removal steps. Progent then began the process of rebuilding Active Directory, the heart of enterprise systems built on Microsoft Windows technology. Microsoft Exchange email will not operate without Active Directory, and the client's accounting and MRP system used SQL Server, which requires Windows AD for authentication to the databases.
In less than two days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then assisted with setup and hard drive recovery on the needed systems. All Exchange ties and configuration information were intact, which accelerated the rebuild of Exchange. Progent was able to locate non-encrypted OST data files (Outlook Off-Line Folder Files) on various PCs to recover mail data. A recent offline backup of the client's accounting/ERP systems made it possible to bring these required applications back online. Although a lot of work remained to recover completely from the Ryuk damage, essential systems were returned to operation quickly:
"For the most part, the production manufacturing operation showed little impact and we produced all customer sales."
During the following couple of weeks, critical milestones in the recovery process were reached through close cooperation between Progent engineers and the client:
- In-house web sites were returned to operation without losing any data.
- The MailStore email archive for Microsoft Exchange Server, holding more than 4 million archived emails, was brought back up and made available to users.
- CRM/Customer Orders/Invoices/Accounts Payable/AR/Inventory functions were 100% restored.
- A new Palo Alto Networks 850 security appliance was installed.
- Most user desktops were back in use by staff.
"A huge amount of what happened those first few days is mostly a blur for me, but our team will not soon forget the countless hours each of your team put in to give us our company back. I have been working with Progent for the past ten years, possibly more, and every time I needed help Progent has come through and delivered. This situation was a testament to your capabilities."
A probable business-ending disaster was dodged thanks to top-tier professionals, a broad spectrum of technical expertise, and close collaboration. In hindsight, the ransomware attack detailed here should have been stopped by modern cybersecurity technology and best practices: staff education, appropriate incident response procedures for data protection, and keeping systems up to date with security patches. The fact remains, however, that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a crypto-ransomware virus, remember that Progent's team of experts has extensive experience in ransomware blocking, mitigation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thanks very much for allowing me to get rested after we made it over the most critical parts. Everyone made an incredible effort, and if anyone that helped is visiting the Chicago area, dinner is on me!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer story, please click: Progent's Ryuk Incident Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware Recovery Expertise in Beverly Hills
For ransomware recovery expertise in the Beverly Hills area, phone Progent at 800-462-8800 or see Contact Progent.