Ransomware : Your Worst IT Nightmare
Ransomware has become a modern cyber pandemic that represents an enterprise-level threat for businesses of all sizes that are poorly prepared for an assault. Multiple generations of ransomware such as Dharma, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for many years and still inflict damage. More recent strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Egregor, as well as additional unnamed variants, not only encrypt on-line information but also reach and destroy any system restore points and backups that are accessible from the compromised network. Data synchronized to cloud environments can also be corrupted. In a poorly designed system, this renders automatic restore operations useless and effectively knocks the entire environment back to square one.
Restoring programs and data after a crypto-ransomware event becomes a race against the clock as the targeted business struggles to stop lateral movement, clean up the ransomware, and restore mission-critical activity. Because ransomware takes time to spread, assaults are usually sprung during weekends and nights, when successful penetrations may take longer to uncover. This compounds the difficulty of quickly marshalling and coordinating a knowledgeable response team.
Progent provides an assortment of solutions for protecting Brooklyn organizations from ransomware events. These include user training to help staff recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security appliances with artificial intelligence technology to quickly detect and disable new threats. Progent also offers the services of seasoned ransomware recovery consultants with the talent and commitment to reconstruct a compromised system as quickly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware penetration, paying the ransom in cryptocurrency does not ensure that the remote criminals will provide the keys to decrypt any or all of your information. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their files even after paying the ransom, compounding their losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is far higher than the usual ransomware demand, which ZDNET determined to be approximately $13,000 for smaller organizations. The other path is to piece back together the mission-critical elements of your IT environment. Without access to complete data backups, this calls for a wide complement of IT skills, well-coordinated project management, and the ability to work non-stop until the job is completed.
For two decades, Progent has provided certified expert IT services for businesses throughout the U.S. and has achieved Microsoft Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have earned advanced certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have earned internationally recognized certifications including CISA, CISSP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with accounting and ERP applications. This breadth of expertise gives Progent the skills to rapidly identify critical systems, integrate the surviving components of your IT environment after a ransomware event, and assemble them into an operational network.
Progent's ransomware group deploys top-notch project management applications to coordinate the complex restoration process. Progent knows the urgency of acting swiftly and in concert with a customer's management and IT resources to prioritize tasks and to put key applications back online as fast as possible.
Customer Case Study: A Successful Ransomware Attack Restoration
A business escalated to Progent after their network was brought down by Ryuk ransomware. Ryuk is believed to have been created by North Korean state-sponsored cybercriminals, suspected of adopting techniques leaked from the United States National Security Agency. Ryuk goes after specific businesses with little or no tolerance for operational disruption and is among the most lucrative incarnations of ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer based in Chicago with about 500 workers. The Ryuk intrusion had shut down all company operations and manufacturing capabilities. Most of the client's backups had been directly accessible from the network at the start of the attack and were destroyed. The client was considering paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.
"I can't tell you enough in regards to the help Progent gave us throughout the most stressful period of (our) business's existence. We may have had to pay the cyber criminals behind the attack except for the confidence the Progent experts afforded us. That you could get our e-mail and key applications back on-line faster than a week was beyond my wildest dreams. Each expert I spoke to or texted at Progent was laser focused on getting us working again and was working all day and night on our behalf."
Progent worked together with the customer to quickly identify and prioritize the critical systems that had to be recovered in order to resume departmental operations:
- Active Directory (AD)
- Electronic Messaging
- Accounting and Manufacturing Software
To begin, Progent followed industry best practices for containing a malware intrusion by halting lateral movement and cleaning up compromised systems. Progent then started the task of bringing Windows Active Directory back online, since it is the foundation of enterprise systems built on Microsoft technology. Microsoft Exchange Server messaging will not work without Windows AD, and the customer's financials and MRP software relied on Microsoft SQL Server, which depends on Active Directory for authentication and authorization to the data.
In less than two days, Progent was able to recover Active Directory to its pre-attack state. Progent then helped perform reinstallations and storage recovery on the most important applications. All Microsoft Exchange Server data and attributes were intact, which facilitated the rebuild of Exchange. Progent was able to locate local OST files (Outlook Offline Folder Files) on staff PCs and laptops to recover email information. A reasonably recent off-line backup of the customer's accounting systems (which, being off-line, had survived the attack) allowed these essential applications to be brought back on-line. Although significant work still had to be done to recover fully from the Ryuk attack, critical systems were recovered rapidly:
"For the most part, the manufacturing operation never missed a beat and we delivered all customer shipments."
Over the next month, critical milestones in the recovery project were reached in tight cooperation between Progent engineers and the client:
- Self-hosted web sites were returned to operation with no loss of data.
- The MailStore email archive server, holding more than four million archived Exchange messages, was brought back up and made available to users.
- CRM/Product Ordering/Invoicing/AP/Accounts Receivables/Inventory Control capabilities were 100% functional.
- A new Palo Alto Networks 850 firewall was installed and configured.
- Most of the user workstations were fully operational.
"A huge amount of what happened during the initial response is mostly a haze for me, but my team will not forget the care each and every one of you put in to help get our business back. I've utilized Progent for the past ten years, maybe more, and each time Progent has impressed me and delivered as promised. This time was a testament to your capabilities."
A possible company-ending catastrophe was averted through the efforts of hard-working professionals, a wide range of IT skills, and tight collaboration. Post-incident analysis showed that the ransomware attack described here would have been blocked by up-to-date security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team education, well-designed incident response procedures for data protection, and proper patching controls. Nonetheless, state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and remain an ongoing threat. If you do get hit by a ransomware attack, remember that Progent's roster of experts has extensive experience in ransomware blocking, cleanup, and data restoration.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thanks very much for letting me get rested after we got over the initial push. All of you did a fabulous effort, and if anyone is in the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)