Ransomware: Your Crippling IT Nightmare
Crypto-ransomware has become a modern cyber pandemic and an existential threat to businesses of every size. Families such as Reveton, WannaCry, Bad Rabbit, SamSam and MongoLock have circulated for years and continue to inflict harm. Current variants such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Conti and Nefilim, along with many less publicized strains, not only encrypt online files but also seek out and destroy any backups reachable from the network. Files synced to cloud storage can be corrupted as well, because the encrypted copies simply replicate upward. In a poorly designed environment this makes automated recovery impossible and effectively sets the network back to square one.
Recovering applications and data after a ransomware event is a race against time: the victim must stop the spread, eradicate the malware, and restore business-critical operations all at once. Because attackers need time to move laterally and stage the encryption, the payload is often triggered at night or over a weekend, when the intrusion is likely to go undetected for longer. That timing also makes it harder to assemble and coordinate a capable response team promptly.
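The two behaviours described above, backups being destroyed ahead of the encryption and the payload running at night or on a weekend, are also the two things a defender can look for in endpoint telemetry before the ransom note appears. The following script is an added example for this page, not Progent's tooling: it runs over a few constructed log lines (the pipe-separated format, host and process names, the ".RYK" extension and the thresholds are all assumptions) and flags commands that disable Windows recovery (shadow-copy deletion, recovery disabled via bcdedit, backup catalog deletion) as well as any one process that changes the extension of many files within a short window, raising the severity when the activity falls outside business hours.

```python
"""Triage of constructed endpoint telemetry for ransomware precursors.

Added example for this page, not Progent's tooling. The log format, field
names, process names and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime

LOG_FIELDS = ("ts", "host", "kind", "process", "detail")

# Command-line token sets that inhibit Windows recovery (MITRE ATT&CK T1490).
RECOVERY_TAMPER = (
    ("vssadmin", "delete", "shadows"),
    ("wmic", "shadowcopy", "delete"),
    ("bcdedit", "recoveryenabled", "no"),
    ("wbadmin", "delete", "catalog"),
)

# Constructed sample: ts|host|kind|process|detail. A Saturday night on a file
# server, followed by an ordinary weekday rename on a workstation.
SAMPLE_LOG = r"""
2021-03-13T23:40:55|FS01|proc|svchost.exe|svchost.exe -k netsvcs -p
2021-03-13T23:41:10|FS01|proc|cmd.exe|cmd.exe /c vssadmin Delete Shadows /All /Quiet
2021-03-13T23:41:11|FS01|proc|cmd.exe|cmd.exe /c wmic shadowcopy delete
2021-03-13T23:41:12|FS01|proc|cmd.exe|cmd.exe /c bcdedit /set {default} recoveryenabled No
2021-03-13T23:42:00|FS01|rename|lan.exe|D:\Shares\Finance\Q1.xlsx -> D:\Shares\Finance\Q1.xlsx.RYK
2021-03-13T23:42:03|FS01|rename|lan.exe|D:\Shares\Finance\Budget.docx -> D:\Shares\Finance\Budget.docx.RYK
2021-03-13T23:42:07|FS01|rename|lan.exe|D:\Shares\MRP\orders.mdf -> D:\Shares\MRP\orders.mdf.RYK
2021-03-13T23:42:12|FS01|rename|lan.exe|D:\Shares\MRP\bom.csv -> D:\Shares\MRP\bom.csv.RYK
2021-03-13T23:42:18|FS01|rename|lan.exe|D:\Backups\daily.bak -> D:\Backups\daily.bak.RYK
2021-03-13T23:42:25|FS01|rename|lan.exe|D:\Backups\weekly.bak -> D:\Backups\weekly.bak.RYK
2021-03-15T10:15:00|WS22|rename|explorer.exe|C:\Users\amy\draft.docx -> C:\Users\amy\draft_v2.docx
"""


def parse_events(text):
    """Parse pipe-separated lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue
        ev = dict(zip(LOG_FIELDS, parts))
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def off_hours(ts, start=7, end=19):
    """True outside 07:00-19:00 or on a weekend, when detection and response lag."""
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def is_recovery_tamper(cmdline):
    """Match recovery-inhibiting commands regardless of case, '.exe' suffix or '/' switches."""
    tokens = [t[:-4] if t.endswith(".exe") else t
              for t in cmdline.lower().replace("/", " ").split()]
    return any(all(t in tokens for t in pat) for pat in RECOVERY_TAMPER)


def file_ext(path):
    """Lower-cased extension of a Windows or POSIX path, '' if none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def find_recovery_tamper(events):
    return [
        {"rule": "recovery_tamper", "ts": ev["ts"], "host": ev["host"],
         "process": ev["process"], "detail": ev["detail"],
         "severity": "critical" if off_hours(ev["ts"]) else "high"}
        for ev in events
        if ev["kind"] == "proc" and is_recovery_tamper(ev["detail"])
    ]


def find_rename_bursts(events, threshold=5, window_s=60):
    """Flag a process that changes the extension of >= threshold files within window_s seconds."""
    recent = defaultdict(deque)  # (host, process) -> timestamps of extension-changing renames
    alerts = {}
    for ev in events:
        if ev["kind"] != "rename" or " -> " not in ev["detail"]:
            continue
        src, dst = ev["detail"].split(" -> ", 1)
        if file_ext(src) == file_ext(dst):
            continue  # ordinary rename: extension unchanged
        key = (ev["host"], ev["process"])
        q = recent[key]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()  # slide the window
        if len(q) >= threshold:
            a = alerts.setdefault(key, {
                "rule": "rename_burst", "ts": q[0], "host": ev["host"],
                "process": ev["process"], "new_ext": file_ext(dst), "count": 0,
                "severity": "critical" if off_hours(q[0]) else "high"})
            a["count"] = max(a["count"], len(q))
    return list(alerts.values())


def triage(text):
    """All alerts from a log blob, oldest first."""
    events = parse_events(text)
    return sorted(find_recovery_tamper(events) + find_rename_bursts(events),
                  key=lambda a: a["ts"])


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(a["severity"].upper(), a["ts"], a["host"], a["process"],
              a["rule"], a.get("detail", a.get("new_ext")))
```

On the sample the three recovery-tampering commands fire first, about a minute before the rename burst reaches the threshold, which is the window in which isolating the file server would still have saved the backups on it. The thresholds are deliberately low for the constructed data; in production they are tuned per host role, and the rename rule is fed from file-system auditing or EDR telemetry rather than a text log.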
Progent offers an assortment of services for protecting Broomfield businesses from ransomware attacks. Among these are staff training to recognize and avoid phishing lures, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of current-generation security solutions that use artificial intelligence to detect and suppress new threats. Progent also provides seasoned ransomware recovery consultants with the skills and perseverance to rebuild a breached network as quickly as possible.
Progent's Crypto-Ransomware Restoration Help
After a ransomware attack, paying the ransom in Bitcoin does not guarantee that the criminals will hand over working decryption keys, or that those keys will decrypt all of your data. Kaspersky Lab estimated that 17% of ransomware victims who paid never recovered their data, compounding their losses. The gamble is also expensive. Ryuk demands commonly ranged from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet estimated at around $13,000 for smaller organizations. The alternative is to rebuild the essential components of your IT environment. Without usable backups of critical data, this requires a broad set of skills, tightly coordinated team management, and a willingness to work around the clock until the job is done.
For twenty years, Progent has offered expert IT services to businesses throughout the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's subject matter experts include consultants holding high-level industry certifications in leading technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity engineers hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent also has expertise with financial management and ERP software. This breadth of expertise gives Progent the ability to identify critical systems, consolidate the surviving pieces of your IT environment after a ransomware attack, and configure them into a working system.
Progent's ransomware team uses state-of-the-art project management systems to coordinate the complex recovery process. Progent appreciates the urgency of acting rapidly and works together with a client's management and IT staff to prioritize tasks and bring critical systems back on line as fast as humanly possible.
Client Case Study: A Successful Ransomware Response
A client engaged Progent after their company was brought down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, but later analysis attributed it to a Russian-speaking criminal group that operates it for profit. Ryuk targets specific organizations with little tolerance for downtime and is one of the most lucrative ransomware families. Publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company headquartered in Chicago with about 500 employees. The Ryuk attack had paralyzed all business operations and manufacturing processes. Most of the client's backups had been directly reachable from the network at the time of the intrusion and were destroyed. The client was actively seeking loans to pay the ransom (more than $200,000) and hoping for the best, but in the end engaged Progent instead.
"I cannot thank you enough for the expertise Progent provided us during the most fearful time of (our) business's existence. We had little choice but to pay the cyber criminals except for the confidence the Progent group afforded us. That you were able to get our e-mail and important applications back in less than 1 week was something I thought impossible. Each person I worked with or texted at Progent was totally committed to getting my company operational and was working 24/7 on our behalf."
Progent worked hand in hand with the client to rapidly assess and prioritize the key systems that had to be recovered for each department to keep functioning:
To start, Progent followed ransomware incident response best practices by containing the spread and cleaning the infected systems. Progent then began restoring Active Directory, the core of enterprise environments built on Microsoft Windows. Exchange will not run without Active Directory, and the business's MRP applications relied on SQL Server, which depends on Active Directory for authenticated access to the data.
- Active Directory
In less than 2 days, Progent recovered Active Directory to its pre-attack state. Progent then began reinstalling and recovering drives on critical servers. All Exchange schema and configuration information were intact, which accelerated the Exchange rebuild. Progent located local OST files (Outlook Offline Data Files) on users' desktops and used them to recover mailbox data. A reasonably recent offline backup of the business's financial/MRP software made it possible to bring these vital applications back to users. Although much work remained to recover fully from the Ryuk event, the most important systems were restored quickly:
"For the most part, the production line ran fairly normally throughout and we made all customer orders."
During the following month, key milestones in the restoration were reached through close collaboration between Progent's team and the client:
- Self-hosted web sites were brought back up without losing any data.
- The MailStore archive server for Exchange, holding over 4 million archived emails, was brought online and made accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory Control modules were completely functional.
- A new Palo Alto Networks PA-850 firewall was brought online.
- 90% of the desktops and laptops were operational.
"So much of what was accomplished in the initial days is nearly entirely a blur for me, but we will not forget the care each and every one of your team took to help get our business back. I have been working with Progent for at least 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This time was a testament to your capabilities."
A potential business-ending disaster was averted by top-tier experts, a broad range of IT skills, and tight teamwork. Post-incident forensics showed that the attack described here could have been blocked with current security technology, NIST Cybersecurity Framework best practices, staff training, and well-thought-out incident response procedures for protecting information and applying software patches. Even so, well-resourced criminal groups and state-sponsored actors, operating from Russia, China and elsewhere, are tireless and represent an ongoing threat. If you are hit by crypto-ransomware, remember that Progent's team has extensive experience in ransomware defense, remediation, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were helping), thanks very much for letting me get some sleep after we got past the initial push. All of you made an amazing effort, and if anyone that helped is in the Chicago area, a great meal is on me!"
Download the Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)