Ransomware: Your Worst IT Catastrophe
Ransomware has become an escalating cyberplague that presents an extinction-level threat for businesses vulnerable to an assault. Multiple generations of ransomware such as CryptoLocker, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been circulating for years and continue to inflict damage. Modern strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, as well as the as-yet-unnamed newcomers that appear daily, not only encrypt on-line data files but also infect all configured system restores and backups. Data synched to off-site disaster recovery sites can also be corrupted. In a vulnerable environment, this can make any restore operation impossible and basically knocks the network back to zero.
Recovering programs and information after a crypto-ransomware outage becomes a race against the clock as the victim fights to contain and remove the ransomware and to restore enterprise-critical operations. Because crypto-ransomware needs time to replicate, attacks are frequently launched during nights and weekends, when successful attacks tend to take longer to recognize. This compounds the difficulty of quickly mobilizing and orchestrating a capable response team.
Progent has a variety of solutions for protecting Birmingham organizations from crypto-ransomware penetrations. Among these are staff training to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of the latest generation of security solutions that use AI technology to intelligently identify and quarantine zero-day threats. Progent also provides the assistance of seasoned ransomware recovery consultants with the talent and perseverance to restore a breached network as urgently as possible.
Progent's Ransomware Restoration Support Services
Soon after a crypto-ransomware penetration, paying the ransom demand in Bitcoin cryptocurrency does not ensure that merciless criminals will provide the keys needed to decrypt any of your data. Kaspersky Labs estimated that seventeen percent of crypto-ransomware victims never recovered their information even after having sent off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the typical crypto-ransomware demand, which ZDNET estimated to be around $13,000 for small organizations. The alternative is to set up the mission-critical parts of your IT environment from scratch. Without complete information backups, this requires a broad complement of IT skills, professional project management, and the capability to work non-stop until the recovery project is finished.
For decades, Progent has offered professional IT services for businesses throughout the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have been awarded high-level certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have earned internationally renowned certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience in financial management and ERP software solutions. This breadth of experience gives Progent the skills to knowledgeably identify important systems, organize the surviving pieces of your IT system following a ransomware attack, and configure them into an operational system.
Progent's ransomware group uses best-of-breed project management systems to coordinate the complex restoration process. Progent knows the urgency of working quickly and together with a customer's management and IT resources to prioritize tasks and to put essential applications back online as fast as possible.
Client Story: A Successful Crypto-Ransomware Penetration Recovery
A customer escalated to Progent after their network was crashed by Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state-sponsored cybercriminals, suspected of using techniques leaked from America's NSA. Ryuk targets specific businesses with little or no room for disruption and is one of the most profitable instances of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing company located in the Chicago metro area with around 500 workers. The Ryuk intrusion had brought down all business operations and manufacturing processes. Most of the client's backup data had been on-line at the beginning of the attack and was eventually encrypted. The client was actively seeking loans to pay the ransom (more than $200,000) and hoping for the best, but in the end reached out to Progent.
"I can't tell you enough about the expertise Progent provided us throughout the most critical period of (our) company's survival. We had little choice but to pay the hackers behind this attack except for the confidence the Progent experts gave us. That you could get our messaging and critical applications back on-line quicker than 1 week was amazing. Each consultant I got help from or messaged at Progent was totally committed on getting my company operational and was working non-stop to bail us out."
Progent worked with the customer to quickly determine and assign priority to the key systems that had to be recovered in order to resume departmental functions:
- Windows Active Directory
To begin, Progent adhered to industry best practices for malware incident response by halting the spread and disinfecting systems. Progent then started the process of restoring Active Directory, the core of enterprise systems built on Microsoft technology. Microsoft Exchange Server messaging will not work without Active Directory, and the business's financials and MRP system used SQL Server, which requires Windows AD for access to the data.
In less than 48 hours, Progent was able to recover Active Directory services to their pre-attack state. Progent then assisted with reinstallations and hard drive recovery of needed servers. All Microsoft Exchange Server data and attributes were usable, which accelerated the rebuild of Exchange. Progent was able to find non-encrypted OST files (Microsoft Outlook Offline Data Files) on staff desktop computers in order to recover email information. A reasonably recent off-line backup of the customer's accounting software made it possible to bring these required programs back on-line. Although major work still had to be done to recover fully from the Ryuk event, critical services were returned to operation rapidly:
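The OST recovery above depends on telling which mailbox cache files on staff desktops survived unencrypted. The following script is an added example, not Progent's tooling: it checks each candidate for the Outlook OST/PST file signature and for the byte entropy of ciphertext, and builds its own constructed sample files (the host names, file names and the ".locked" suffix are made up) so it runs offline.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

OST_MAGIC = b"!BDN"    # dwMagic at offset 0 of an Outlook OST/PST file header
SAMPLE_BYTES = 4096    # leading bytes examined per file (never reads whole GB files)
ENTROPY_LIMIT = 7.5    # bits/byte: ciphertext sits near 8.0, mailbox data well below

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the buffer (0.0 for an empty buffer)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: Path) -> str:
    """'intact' (usable signature), 'encrypted' (ciphertext-like) or 'unknown'."""
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    entropy = shannon_entropy(head)
    if head.startswith(OST_MAGIC) and entropy < ENTROPY_LIMIT:
        return "intact"
    if entropy >= ENTROPY_LIMIT:
        return "encrypted"
    return "unknown"   # empty, truncated, or not an OST/PST at all

def triage(root: Path) -> dict:
    """Group files under root whose name contains .ost/.pst by verdict."""
    result = {"intact": [], "encrypted": [], "unknown": []}
    for p in sorted(root.rglob("*")):
        # substring match also catches mailbox.ost.<suffix appended by malware>
        if p.is_file() and any(s in p.name.lower() for s in (".ost", ".pst")):
            result[classify(p)].append(p.relative_to(root).as_posix())
    return result

def build_samples(root: Path) -> None:
    """Constructed fixtures standing in for files found on two staff PCs."""
    (root / "pc01").mkdir()
    (root / "pc02").mkdir()
    # survivor: valid header followed by structured, repetitive data
    (root / "pc01" / "user1.ost").write_bytes(OST_MAGIC + b"\x00\x01" * 2000)
    # encrypted copy: seeded pseudo-random bytes with a made-up ".locked" suffix
    (root / "pc02" / "user2.ost.locked").write_bytes(random.Random(1234).randbytes(SAMPLE_BYTES))
    (root / "pc02" / "user3.pst").write_bytes(b"")   # zero-length leftover

def run_demo() -> dict:
    """Build the fixtures in a scratch directory and return the triage result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(Path(tmp))
        return triage(Path(tmp))
```

Point `triage()` at a mounted workstation share instead of the scratch directory to produce the list of files worth opening in Outlook first; a file reported "intact" still needs to be opened to confirm the message store is consistent.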
"For the most part, the manufacturing operation was never shut down and we produced all customer orders."
Throughout the following couple of weeks important milestones in the recovery project were achieved in close cooperation between Progent team members and the customer:
- Self-hosted web applications were brought back up without losing any information.
- The MailStore archive for Microsoft Exchange Server, holding more than four million archived messages, was brought on-line and made available to users.
- CRM/Orders/Invoicing/Accounts Payable/Accounts Receivable (AR)/Inventory modules were 100 percent operational.
- A new Palo Alto 850 security appliance was installed.
- Most of the user workstations were fully operational.
"A lot of what happened during the initial response is mostly a fog for me, but my management will not forget the commitment each of your team put in to give us our business back. I have been working with Progent for the past ten years, possibly more, and each time I needed help Progent has impressed me and delivered. This situation was a testament to your capabilities."
A likely company-ending disaster was avoided by hard-working professionals, a broad array of subject matter expertise, and close teamwork. Forensics later showed that the ransomware incident described here should have been identified and prevented with current security technology, recognized best practices, user and IT administrator training, appropriate incident response procedures for information protection, and proper patching controls. The fact remains, however, that state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and will continue. If you do fall victim to a ransomware incident, feel confident that Progent's team of professionals has extensive experience in crypto-ransomware virus defense, remediation, and data disaster recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for making it so I could get rested after we got past the initial push. Everyone did a fabulous effort, and if anyone is in the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)