Ransomware: Your Worst Information Technology Disaster
Ransomware has become a too-frequent cyberplague that poses an enterprise-level threat to businesses of all sizes that are vulnerable to an attack. Multiple generations of crypto-ransomware like the Reveton, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been out in the wild for many years and continue to inflict harm. Newer variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, along with frequent as-yet-unnamed newcomers, not only encrypt online data files but also infiltrate all available system protection mechanisms. Information synched to off-site disaster recovery sites can also be ransomed. In a vulnerable system, this can render any recovery impossible and effectively set the network back to square one.
Getting applications and information back on-line after a ransomware attack becomes a race against the clock as the targeted business fights to stop the spread, eradicate the ransomware, and resume mission-critical activity. Because ransomware takes time to replicate, attacks are often launched on weekends, when successful penetrations typically take longer to notice. This multiplies the difficulty of quickly mobilizing and coordinating a qualified response team.
Progent has a variety of support services for protecting Birmingham businesses from crypto-ransomware events. These include staff training to help identify and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR) utilizing SentinelOne's behavior-based cyberthreat defense to detect and quarantine zero-day malware assaults. Progent also can provide the services of seasoned crypto-ransomware recovery consultants with the skills and perseverance to reconstruct a compromised network as rapidly as possible.
Progent's Crypto-Ransomware Restoration Help
After a crypto-ransomware penetration, paying the ransom demand in Bitcoin cryptocurrency provides no assurance that the criminal gangs will respond with the keys to decrypt any or all of your files. Kaspersky Labs estimated that 17% of ransomware victims never restored their information after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the typical crypto-ransomware demand, which ZDNET determined to be around $13,000 for smaller organizations. The other path is to set up the key elements of your Information Technology environment from scratch. Without access to full system backups, this requires a wide range of skills, professional team management, and the capability to work non-stop until the task is finished.
For twenty years, Progent has offered certified expert Information Technology services for companies across the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have been awarded high-level certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have garnered internationally-recognized industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience in accounting and ERP software solutions. This breadth of expertise allows Progent to knowledgeably assess the necessary systems, consolidate the remaining pieces of your IT system following a ransomware penetration, and configure them into an operational network.
Progent's ransomware team uses best-of-breed project management applications to coordinate the complex recovery process. Progent understands the importance of acting swiftly and working together with a client's management and Information Technology staff to prioritize tasks and to put critical services back on-line as fast as humanly possible.
Customer Case Study: A Successful Crypto-Ransomware Incident Restoration
A business contacted Progent after their network was brought down by Ryuk crypto-ransomware. Ryuk is believed to have been developed by North Korean state-sponsored hackers, possibly using approaches exposed from America's National Security Agency. Ryuk targets specific companies with little room for operational disruption and is one of the most profitable examples of ransomware. Well-known victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing company headquartered in Chicago with about 500 staff members. The Ryuk attack had brought down all business operations and manufacturing processes. The majority of the client's backups had been directly accessible from the network at the time of the attack and were encrypted along with everything else. The client was preparing to pay the ransom (in excess of $200K) and hope for the best, but ultimately called Progent.
"I cannot say enough about the support Progent gave us during the most stressful period of (our) company's life. We may have had to pay the cyber criminals behind the attack if it wasn't for the confidence the Progent group gave us. That you could get our e-mail and production servers back into operation sooner than one week was something I thought impossible. Each expert I spoke to or communicated with at Progent was amazingly focused on getting us working again and was working day and night on our behalf."
Progent worked together with the client to rapidly identify and prioritize the mission-critical systems that needed to be addressed to make it possible to resume business functions:
- Active Directory (AD)
- Exchange Server
To get going, Progent followed industry best practices for malware incident response by isolating and cleaning up compromised systems. Progent then began rebuilding Windows Active Directory, the heart of enterprise systems built upon Microsoft technology. Microsoft Exchange Server email will not operate without Active Directory, and the customer's financials and MRP applications used SQL Server, which needs Active Directory services for authentication to the databases.
In less than 2 days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then rebuilt the needed applications and recovered their data from hard drives. All Exchange schema and attributes were usable, which facilitated the restoration of Exchange. Progent was able to find intact OST data files (Microsoft Outlook Off-Line Data Files) on various PCs and laptops to recover email messages. A relatively recent off-line backup of the customer's accounting/ERP software made it possible to bring these required services back online for users. Although significant work remained to recover fully from the Ryuk damage, the most important systems were returned to operation quickly:
"For the most part, the production operation was never shut down and we made all customer orders."
Throughout the next month, critical milestones in the recovery project were completed through tight cooperation between Progent team members and the client:
- In-house web applications were restored without losing any data.
- The MailStore archive for Microsoft Exchange Server, containing more than 4 million archived emails, was brought on-line and made available to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory modules were 100% restored.
- A new Palo Alto 850 firewall was installed and configured.
- Most of the desktops and laptops were back in operation.
"A huge amount of what transpired that first week is nearly entirely a haze for me, but our team will not soon forget the commitment each and every one of the team put in to give us our business back. I have been working with Progent for the past ten years, possibly more, and each time Progent has come through and delivered. This situation was a Herculean accomplishment."
A potential business catastrophe was avoided thanks to hard-working professionals, a wide range of technical expertise, and close collaboration. Although in hindsight the crypto-ransomware penetration described here should have been blocked by modern cyber security technology and recognized best practices, user training, well-designed incident response procedures for data protection, and keeping systems up to date with security patches, the reality is that state-sponsored cyber criminals from Russia, China and elsewhere are relentless and are an ongoing threat. If you do get hit by crypto-ransomware, feel confident that Progent's roster of professionals has a proven track record in ransomware blocking, remediation, and information systems recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thanks very much for making it so I could get some sleep after we got over the most critical parts. All of you did an incredible effort, and if any of your team is in the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Consulting in Birmingham
For ransomware system restoration consulting services in the Birmingham area, phone Progent at 800-462-8800 or visit Contact Progent.