Ransomware : Your Worst Information Technology Catastrophe
Ransomware has become a modern cyberplague that represents an enterprise-level danger for any organization vulnerable to an attack. Crypto-ransomware families such as Dharma, Fusob, Locky, NotPetya and the MongoLock cryptoworm have been circulating for years and continue to inflict harm. Newer strains such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Egregor, along with additional unnamed newcomers, not only encrypt critical online data but also infiltrate any accessible system backups. Files synchronized to the cloud can also be ransomed. In a poorly designed system, this can make restoration impossible and effectively set the datacenter back to square one.
Restoring services and data after a ransomware attack becomes a race against the clock as the targeted business tries its best to contain and clean up the ransomware and resume mission-critical activity. Because ransomware needs time to spread, attacks are usually launched on weekends and holidays, when they tend to take longer to detect. This compounds the difficulty of quickly mobilizing and coordinating an experienced response team.
Progent offers a variety of solutions for securing Bristol enterprises against ransomware attacks. These include staff training so that employees can recognize and avoid phishing scams, and ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR), which uses SentinelOne's behavior-based threat protection to detect and suppress zero-day malware attacks. Progent also provides the assistance of expert ransomware recovery consultants with the skills and commitment to rebuild a compromised system as rapidly as possible.
Progent's Ransomware Restoration Help
After a ransomware event, even paying the ransom in Bitcoin does not ensure that the attackers will provide the keys needed to decrypt your data. Kaspersky Labs estimated that 17% of ransomware victims never recovered their files after paying the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly above the typical ransomware demand, which ZDNET estimated to be around $13,000 for smaller organizations. The alternative is to piece back together the vital parts of your IT environment. Without access to essential system backups, this requires a wide complement of skill sets, well-coordinated team management, and the willingness to work 24x7 until the task is completed.
For twenty years, Progent has offered professional IT services for businesses across the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who hold top certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience in financial systems and ERP software solutions. This breadth of expertise gives Progent the ability to efficiently identify critical systems, consolidate the remaining components of your IT environment following a ransomware event, and rebuild them into an operational network.
Progent's recovery team uses state-of-the-art project management tools to orchestrate the complex recovery process. Progent understands the urgency of acting quickly and in unison with a customer's management and IT resources to prioritize tasks and to put critical applications back online as fast as humanly possible.
Client Story: A Successful Crypto-Ransomware Penetration Restoration
A small business hired Progent after its organization was taken over by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state criminal gangs, suspected of adopting technology leaked from the U.S. NSA. Ryuk targets specific organizations with little tolerance for disruption and is among the most lucrative incarnations of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company based in the Chicago metro area with around 500 employees. The Ryuk attack had paralyzed all company operations and manufacturing capabilities. The majority of the client's data backups had been online at the time of the attack and were damaged. The client was taking steps to pay the ransom (more than $200,000) and hoping for good luck, but ultimately brought in Progent.
"I cannot tell you enough about the support Progent provided us throughout the most fearful period of (our) business's survival. We would have had little choice but to pay the cyber criminals behind the attack if not for the confidence the Progent group afforded us. That you were able to get our e-mail system and key applications back on-line in less than 1 week was amazing. Every single person I talked with or messaged at Progent was totally committed to getting us back online and was working 24 by 7 on our behalf."
Progent worked with the client to quickly identify and prioritize the mission-critical systems that had to be restored in order to restart business operations:
- Active Directory (AD)
- Microsoft Exchange Email
To start, Progent followed standard malware incident mitigation practices by isolating affected systems and removing the malware. Progent then began the process of bringing Microsoft Active Directory back online, since AD is the foundation of enterprise environments built on Microsoft Windows technology. Exchange email will not work without Active Directory, and the client's accounting and MRP applications used Microsoft SQL Server, which relied on Active Directory for authentication and authorization to the data.
In less than 2 days, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then proceeded with the setup and data recovery of essential applications. All Exchange Server links and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to gather non-encrypted OST files (Microsoft Outlook Offline Data Files) from user workstations and laptops to recover mail data. A recent offline backup of the client's accounting/MRP systems made it possible to bring these required applications back online. Although a great deal of work remained to recover completely from the Ryuk attack, the most important systems were returned to operation rapidly:
"For the most part, the production line operation showed little impact and we produced all customer shipments."
During the following month, important milestones in the restoration process were completed through close collaboration between Progent engineers and the client:
- Internal web sites were returned to operation without any data loss.
- The MailStore archive for Exchange, holding more than four million historical messages, was restored to operation and made accessible to users.
- CRM, Customer Orders, Invoices, Accounts Payable, AR and Inventory Control functions were 100 percent operational.
- A new Palo Alto 850 firewall was deployed.
- 90% of user PCs were fully operational.
"So much of what went on in the initial days is nearly entirely a haze for me, but we will not soon forget the countless hours each of your team put in to give us our company back. I've trusted Progent for at least 10 years, possibly more, and each time Progent has outperformed my expectations and delivered. This situation was no exception but maybe more Herculean."
A probable business-ending disaster was averted through hard-working experts, a wide range of subject matter expertise, and tight collaboration. Although in retrospect the ransomware attack detailed here would have been prevented by up-to-date cyber security solutions, NIST Cybersecurity Framework best practices, team education, well thought out incident response procedures for data protection, and keeping systems current with security patches, the reality remains that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a crypto-ransomware attack, remember that Progent's roster of experts has proven experience in ransomware blocking, cleanup, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were contributing), thanks very much for making it so I could get rested after we made it over the initial fire. All of you made an incredible effort, and if anyone is in the Chicago area, a great meal is the least I can do!"
Download the Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB)
Contact Progent for Ransomware Recovery Consulting in Bristol
For ransomware cleanup expertise in the Bristol area, call Progent at 800-462-8800 or go to Contact Progent.