Crypto-Ransomware: Your Worst IT Nightmare
Ransomware has become an escalating cyberplague that poses an extinction-level threat for businesses of all sizes that are unprepared for an attack. Different iterations of ransomware like the Reveton, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for many years and still inflict harm. Newer strains of ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nephilim, along with additional as yet unnamed malware, not only encrypt on-line data but also infiltrate many available system backups. Information synchronized to off-site disaster recovery sites can also be encrypted. In a poorly designed environment, this can render automated restoration useless and effectively set the datacenter back to zero.
Recovering applications and data after a ransomware intrusion becomes a race against time as the targeted organization struggles to contain and clear the virus and to resume mission-critical activity. Since ransomware requires time to replicate, attacks are frequently sprung on weekends and holidays, when penetrations may take longer to recognize. This multiplies the difficulty of rapidly marshalling and coordinating a knowledgeable mitigation team.
Progent makes available an assortment of solutions for protecting Bristol businesses from ransomware events. These include team member training to recognize and not fall victim to phishing exploits, and ProSight Active Security Monitoring (ASM) for endpoint detection and response, which utilizes SentinelOne's AI-based cyberthreat protection to identify and disable zero-day malware assaults. Progent also offers the services of veteran ransomware recovery consultants with the track record and perseverance to rebuild a compromised system as soon as possible.
Progent's Ransomware Recovery Services
Following a ransomware penetration, paying the ransom in Bitcoin cryptocurrency does not ensure that cyber hackers will respond with the keys needed to decrypt all your information. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never restored their data even after having sent off the ransom, resulting in further losses. Paying is also costly in itself. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the typical ransomware demand, which ZDNET estimated to be in the range of $13,000 for smaller businesses. The other path is to re-install the critical elements of your IT environment. Without the availability of essential system backups, this requires a broad range of skills, well-coordinated project management, and the capability to work non-stop until the recovery project is finished.
For two decades, Progent has provided professional IT services for businesses throughout the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have been awarded high-level industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise in accounting and ERP software solutions. This breadth of experience gives Progent the ability to knowledgeably identify the important systems remaining after a ransomware attack and to reassemble those pieces into an operational IT environment.
Progent's recovery group deploys state-of-the-art project management systems to orchestrate the sophisticated recovery process. Progent appreciates the urgency of acting swiftly and together with a customer's management and Information Technology team members to prioritize tasks and to get critical services back on-line as soon as possible.
Business Case Study: A Successful Ransomware Incident Recovery
A client escalated to Progent after their company was attacked by the Ryuk ransomware virus. Ryuk is thought to have been deployed by North Korean government-sponsored hackers, suspected of adopting strategies exposed from America's National Security Agency. Ryuk targets specific companies with limited room for operational disruption and is one of the most profitable instances of ransomware malware. Well-known victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company located in Chicago with around 500 staff members. The Ryuk penetration had disabled all business operations and manufacturing capabilities. The majority of the client's data backups had been online at the time of the attack and were encrypted. The client was actively seeking loans to pay the ransom demand (more than two hundred thousand dollars) and praying for good luck, but in the end made the decision to use Progent.
"I can't say enough in regards to the help Progent gave us throughout the most stressful period of (our) business's existence. We most likely would have paid the Hackers if not for the confidence the Progent team provided us. That you were able to get our e-mail system and critical applications back into operation in less than 1 week was amazing. Every single staff member I interacted with or e-mailed at Progent was laser focused on getting us working again and was working 24 by 7 on our behalf."
Progent worked together with the client to rapidly identify and prioritize the essential elements that had to be addressed in order to resume departmental operations:
To start, Progent followed ransomware incident response industry best practices by stopping the spread and cleaning up infected systems. Progent then began the process of bringing Microsoft Active Directory back online, as it is the core of enterprise environments built on Microsoft technology. Microsoft Exchange Server email will not work without Active Directory, and the client's MRP system relied on Microsoft SQL Server, which depends on Active Directory to authenticate access to the data.
- Active Directory (AD)
Within 48 hours, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then completed setup and storage recovery of essential systems. All Exchange ties and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was able to collect intact OST files (Outlook offline data files) from staff PCs and laptops to recover email data. A recent off-line backup of the client's financials/MRP software made it possible to bring these essential applications back on-line. Although a large amount of work remained to recover fully from the Ryuk attack, critical systems were returned to operation rapidly:
"For the most part, the assembly line operation did not miss a beat and we produced all customer deliverables."
Over the following couple of weeks, important milestones in the restoration project were reached through close collaboration between Progent engineers and the client:
- Internal web sites were restored without losing any data.
- The MailStore Server with over 4 million archived emails was brought online and available for users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivables/Inventory Control capabilities were 100% restored.
- A new Palo Alto 850 firewall was deployed.
- 90% of the user PCs were fully operational.
"So much of what was accomplished those first few days is nearly entirely a blur for me, but our team will not forget the dedication each and every one of your team put in to help get our business back. I have been working together with Progent for the past 10 years, possibly more, and every time I needed help Progent has shined and delivered. This situation was a Herculean accomplishment."
A probable business-killing disaster was avoided through results-oriented experts, a broad spectrum of subject matter expertise, and close collaboration. In post mortem, the crypto-ransomware penetration detailed here could have been identified and prevented with current cyber security technology and security best practices, team education, well thought out security procedures for data backup, and proper patching controls. Nevertheless, the fact remains that government-sponsored cyber criminals from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware incursion, remember that Progent's team of professionals has extensive experience in ransomware virus blocking, cleanup, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were involved), thank you for making it so I could get some sleep after we got over the most critical parts. Everyone did an amazing job, and if any of your guys is visiting the Chicago area, a great meal is on me!"
Download the Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Expertise in Bristol
For ransomware system restoration services in the Bristol metro area, call Progent at 800-462-8800 or go to Contact Progent.