Ransomware: Your Worst IT Disaster
Crypto-ransomware has become an escalating cyber plague that presents an extinction-level threat for businesses unprepared for an attack. Older ransomware families such as Dharma, WannaCry, Bad Rabbit, SamSam and MongoLock have been in the wild for years and still inflict damage. More recent families like Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Snatch and Nefilim, along with a daily stream of unnamed variants, not only encrypt online data but also seek out and encrypt or delete every backup that the compromised accounts can reach. Data replicated to cloud environments can be corrupted the same way, since replication faithfully copies the encrypted files. In a poorly designed environment this makes automated restoration useless and effectively knocks the datacenter back to zero.
Getting programs and information back after a crypto-ransomware attack becomes a race against time as the targeted organization struggles to stop lateral movement, clean up the ransomware and restore mission-critical activity. Because the attackers need time to move laterally before triggering encryption, the final stage is usually launched at night or outside business hours, when it takes longer to notice. This compounds the difficulty of rapidly assembling and orchestrating a capable response team.
Progent provides a variety of solutions for protecting Buffalo enterprises from ransomware attacks. These include team member training to help identify and avoid phishing exploits, and ProSight Active Security Monitoring (ASM), an endpoint detection and response service built on SentinelOne's AI-based threat protection to detect and contain zero-day malware. Progent can also provide seasoned ransomware recovery consultants with the skill and commitment to rebuild a compromised network as quickly as possible.
Progent's Crypto-Ransomware Restoration Services
After a ransomware attack, even paying the ransom in Bitcoin provides no assurance that the attackers will deliver keys that decrypt all your files. Kaspersky estimated that 17% of ransomware victims who paid never got their data back, compounding their losses. The ransom itself is also costly: Ryuk demands frequently range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet estimated at around $13,000 for smaller organizations. The alternative is to rebuild the mission-critical components of your IT environment from scratch. Without complete, uncompromised backups, this calls for a wide complement of IT skills, top-notch team management, and the willingness to work around the clock until the job is done.
For twenty years, Progent has provided professional IT services for companies across the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who hold top certifications in key technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity specialists hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial management and ERP software. This breadth of experience gives Progent the capability to quickly identify critical systems, salvage what remains of your IT environment after a ransomware intrusion, and rebuild it into a functioning network.
Progent's security team uses project management tools to orchestrate the complicated recovery process. Progent appreciates the urgency of working quickly and in concert with a customer's management and IT staff to prioritize tasks and get the most important systems back online as fast as possible.
Customer Story: A Successful Ransomware Attack Restoration
A small business contacted Progent after it was hit by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, but most researchers now attribute it to a Russian-speaking criminal group. Ryuk targets specific organizations with little tolerance for disruption and is one of the most lucrative ransomware operations. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune along with other Tribune Publishing newspapers. Progent's customer is a manufacturing company in the Chicago metro area with around 500 staff. The Ryuk intrusion had frozen all business operations and manufacturing. Most of the client's backups had been directly reachable from the compromised network when the intrusion began and were encrypted along with the production data. The client was considering paying the ransom demand (over $200,000) and hoping for the best, but ultimately reached out to Progent.
"I can't thank you enough in regards to the help Progent gave us throughout the most critical time of (our) business's survival. We may have had to pay the cybercriminals if not for the confidence the Progent experts gave us. The fact that you were able to get our e-mail system and key servers back on-line in less than seven days was amazing. Each staff member I spoke to or texted at Progent was absolutely committed to getting us restored and was working at breakneck pace on our behalf."
Progent worked with the customer to quickly assess and prioritize the mission-critical systems that had to be addressed, in this order, to restart business functions:
- Windows Active Directory
- Microsoft Exchange
- MRP System
First, Progent followed incident response best practices by containing the spread and cleaning up compromised systems. Progent then began rebuilding Active Directory, the foundation of networks built on Windows Server. Microsoft Exchange will not operate without AD, and the company's MRP software ran on Microsoft SQL Server, which depended on Active Directory for authentication to the data.
In less than two days, Progent restored Active Directory to its pre-intrusion state. Progent then reinstalled and recovered storage on critical servers. All Exchange Server schema and configuration information held in AD was intact, which greatly simplified the Exchange restore. Progent was also able to collect unencrypted OST files (Outlook Offline Data Files) from various workstations to recover mailbox data. A recent offline backup of the client's accounting/MRP system made it possible to bring these essential services back to users. Although a great deal of work remained to recover fully from the Ryuk damage, critical systems were restored quickly:
"For the most part, the production operation never missed a beat and we made all customer shipments."
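The OST harvesting step above (collecting unencrypted Outlook offline data files from workstations) needs a fast way to tell which files survived and which were encrypted or only partly encrypted. The following Python triage script is an added example, not Progent's tooling or anything from the original case study. It assumes the workstations' profile directories (or forensic images of them) are mounted at a path the script can walk, and uses two checks: the 4-byte `!BDN` magic that every Outlook OST/PST (PFF) file starts with, and the Shannon entropy of the first 64 KiB, which approaches 8 bits per byte once a file has been encrypted. The sample files it writes into a temporary directory are constructed for the demonstration, and the `SAMPLE_BYTES` and `ENTROPY_CIPHERTEXT` thresholds are assumptions to tune for a real collection.

```python
from __future__ import annotations

import math
import os
import tempfile
from collections import Counter
from pathlib import Path

PFF_MAGIC = b"!BDN"            # magic at offset 0 of every Outlook OST/PST (PFF) file
SAMPLE_BYTES = 64 * 1024       # assumption: only the first 64 KiB is read per file
ENTROPY_CIPHERTEXT = 7.9       # assumption: bits/byte above which data is treated as ciphertext


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_ost(path: Path) -> dict:
    """Triage one OST/PST candidate: intact, encrypted, or suspect."""
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    has_magic = head.startswith(PFF_MAGIC)
    entropy = shannon_entropy(head)
    if has_magic and entropy < ENTROPY_CIPHERTEXT:
        verdict = "intact"
    elif not has_magic and entropy >= ENTROPY_CIPHERTEXT:
        verdict = "encrypted"
    else:
        # Header survived but the body is ciphertext (partial/intermittent encryption),
        # or the header is gone yet the data is low-entropy (truncated/zeroed): inspect by hand.
        verdict = "suspect"
    return {"path": str(path), "size": path.stat().st_size, "magic": has_magic,
            "entropy": round(entropy, 2), "verdict": verdict}


def triage_tree(root: Path) -> list[dict]:
    """Walk a profile tree or mounted image and triage every OST/PST found.
    Ransomware usually appends its own extension, so '.ost'/'.pst' is matched
    anywhere in the file name rather than only as the final suffix."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lowered = name.lower()
            if ".ost" in lowered or ".pst" in lowered:
                records.append(classify_ost(Path(dirpath) / name))
    return sorted(records, key=lambda r: r["path"])


def build_sample_tree(root: Path) -> None:
    """Write three constructed sample files (not real mailboxes) for the demonstration."""
    profile = root / "Users" / "jdoe" / "AppData" / "Local" / "Microsoft" / "Outlook"
    profile.mkdir(parents=True)
    # intact: correct magic followed by low-entropy filler standing in for mailbox data
    (profile / "jdoe@example.com.ost").write_bytes(
        PFF_MAGIC + b"\x00" * 2048 + b"mailbox data " * 4000)
    # encrypted: header gone, body is random bytes, attacker-style extension appended
    (profile / "archive.pst.locked").write_bytes(os.urandom(SAMPLE_BYTES))
    # suspect: magic survived but everything after it is random (partial encryption)
    (profile / "old.ost").write_bytes(PFF_MAGIC + os.urandom(SAMPLE_BYTES))


def run_demo() -> dict[str, str]:
    """Build the sample tree in a temp dir, triage it, and return {file name: verdict}."""
    root = Path(tempfile.mkdtemp(prefix="ost-triage-"))
    build_sample_tree(root)
    return {Path(r["path"]).name: r["verdict"] for r in triage_tree(root)}


if __name__ == "__main__":
    root = Path(tempfile.mkdtemp(prefix="ost-triage-"))
    build_sample_tree(root)
    for rec in triage_tree(root):
        print(f"{rec['verdict']:9} magic={rec['magic']!s:5} H={rec['entropy']:.2f} "
              f"{rec['size']:>8} B  {rec['path']}")
```

Files classed as intact should be copied to an isolated collection share before any cleanup or re-imaging touches the workstations; files classed as suspect are worth a closer look because some ransomware encrypts only the first few megabytes or alternating blocks, leaving much of the mailbox recoverable. Note that an OST is bound to the mailbox profile that created it, so recovering its contents into a rebuilt Exchange organization normally means converting it to PST with a recovery tool rather than opening it directly.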
Over the following couple of weeks, further milestones in the restoration project were reached in close collaboration between Progent team members and the customer:
- Internal web applications were restored with no loss of data.
- The MailStore email archive, holding more than four million historical messages, was brought online and made available to users.
- CRM, product ordering, invoicing, accounts payable, accounts receivable and inventory functions were completely recovered.
- A new Palo Alto Networks PA-850 firewall was deployed.
- Most user workstations were back in operation.
"Much of what was accomplished during the initial response is nearly entirely a haze for me, but my team will not forget the countless hours each and every one of you put in to give us our company back. I've trusted Progent for the past ten years, maybe more, and every time I needed help Progent has come through and delivered. This time was no exception but maybe more Herculean."
A potential company-killing catastrophe was averted through dedicated experts, a broad spectrum of subject matter expertise, and close collaboration. In hindsight, the attack described here should have been detected and prevented with current security tooling and best practices: user and IT administrator training, well thought out incident response procedures, offline or otherwise immutable backups, and disciplined patching. The reality, however, is that criminal ransomware operators and state-sponsored actors from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware attack, remember that Progent's roster of experts has proven experience in ransomware blocking, removal, and data disaster recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), I'm grateful for making it so I could get rested after we made it past the initial push. Everyone did an incredible job, and if any of your team is in the Chicago area, dinner is the least I can do!"
Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Consulting Services in Buffalo
For ransomware cleanup expertise in the Buffalo area, phone Progent at 800-462-8800 or see Contact Progent.