Ransomware : Your Feared IT Catastrophe
Crypto-ransomware has become an all-too-frequent cyber pandemic that poses an enterprise-level threat to businesses poorly prepared for an attack. Older ransomware families such as Reveton, WannaCry, Locky, Syskey and MongoLock have been around for a long time and still inflict damage. Modern variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Egregor, along with the as-yet-unnamed malware that appears daily, not only encrypt online files but also seek out and corrupt any backups they can reach. Data synchronized to the cloud can be corrupted as well. In a poorly designed environment this can render any recovery useless and effectively set the network back to zero.
Bringing applications and data back online after a ransomware attack becomes a race against the clock as the targeted business struggles to contain the damage, clear the crypto-ransomware and resume business-critical operations. Because ransomware needs time to spread, attacks are usually launched at night or over weekends, when a successful intrusion takes longer to notice. This compounds the difficulty of promptly assembling and orchestrating a knowledgeable mitigation team.
Progent provides a variety of support services for protecting Buffalo organizations from crypto-ransomware events. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of modern security solutions with machine learning capabilities that intelligently identify and extinguish new threats. Progent also offers the assistance of veteran ransomware recovery consultants with the skills and perseverance to reconstruct a breached environment as quickly as possible.
Progent's Ransomware Recovery Help
Following a ransomware event, paying the ransom in Bitcoin does not ensure that the cyber criminals will respond with the keys needed to decrypt any or all of your files. Kaspersky found that seventeen percent of crypto-ransomware victims never recovered their data after paying the ransom, resulting in additional losses. The gamble is also very expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly above the typical crypto-ransomware demand, which ZDNET estimated at around $13,000 for smaller businesses. The alternative is to rebuild the mission-critical parts of your IT environment from scratch. Without complete data backups, this calls for a broad complement of skill sets, top-notch project management, and the willingness to work around the clock until the job is done.
For decades, Progent has provided professional Information Technology services for companies throughout the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have earned top industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise with accounting and ERP application software. This breadth of experience allows Progent to rapidly identify critical systems, organize the surviving pieces of your network after a crypto-ransomware intrusion, and rebuild them into an operational system.
Progent's ransomware recovery team uses state-of-the-art project management systems to orchestrate the complex restoration process. Progent understands the importance of acting rapidly and working together with a customer's management and IT staff to prioritize tasks and bring essential applications back online as fast as humanly possible.
Case Study: A Successful Ransomware Intrusion Response
A customer sought out Progent after their organization was brought down by Ryuk crypto-ransomware. Ryuk is generally considered to have been deployed by North Korean state-sponsored hackers, possibly adopting techniques leaked from the U.S. National Security Agency. Ryuk targets specific companies with little tolerance for operational disruption and is among the most profitable incarnations of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in the Chicago metro area with about 500 staff members. The Ryuk event had brought down all essential business and manufacturing operations. The majority of the client's backups had been online at the start of the intrusion and were damaged. The client was pursuing financing to pay the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but in the end called Progent.
"I cannot thank you enough for the expertise Progent provided us throughout the most fearful period of (our) business's existence. We would have paid the cyber criminals if it wasn't for the confidence the Progent experts afforded us. That you were able to get our messaging and production servers back into operation in less than a week was beyond my wildest dreams. Every single expert I talked with or communicated with at Progent was laser focused on getting my company operational and was working non-stop on our behalf."
Progent worked hand in hand with the customer to rapidly understand and prioritize the mission-critical elements that had to be recovered to make it possible to resume company operations:
- Microsoft Active Directory
To begin, Progent followed industry best practices for malware incident response by halting lateral movement and cleaning infected systems. Progent then began rebuilding Microsoft Active Directory, the core technology of enterprise networks built on Microsoft Windows. Exchange email will not operate without Active Directory, and the business's MRP software relied on Microsoft SQL Server, which in turn needs Active Directory for access to its data.
Within two days, Progent was able to recover Active Directory to its pre-attack state. Progent then assisted with reinstallation and storage recovery of key applications. All Microsoft Exchange Server schema and configuration data were intact, which simplified the restore of Exchange. Progent was also able to collect undamaged OST files (Outlook Offline Folder files) from user desktop computers in order to recover mail messages. A reasonably recent offline backup of the client's financials/MRP software made it possible to bring these required services back online for users. Although major work remained to recover fully from the Ryuk attack, the most important systems were restored quickly:
"For the most part, the production line operation survived unscathed and we delivered all customer orders."
Over the following month, important milestones in the recovery process were completed in close cooperation between Progent consultants and the client:
- Internal web sites were brought back up without losing any information.
- The MailStore Server with over 4 million archived emails was brought online and accessible to users.
- CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory functions were completely operational.
- A new Palo Alto 850 security appliance was brought on-line.
- Nearly all of the desktops and laptops were operational.
"So much of what went on that first week is mostly a blur for me, but my team will not soon forget the urgency each of your team accomplished to give us our company back. I've been working with Progent for the past ten years, maybe more, and every time Progent has shined and delivered. This time was a testament to your capabilities."
A potential business-ending disaster was averted by hard-working professionals, a wide array of subject matter expertise, and tight teamwork. In retrospect, the crypto-ransomware incident described here should have been blocked by up-to-date security technology, NIST Cybersecurity Framework best practices, user and IT administrator training, properly executed incident response procedures for data protection, and sound patch management. The reality, however, is that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and remain an ongoing threat. If you do fall victim to a ransomware incursion, remember that Progent's roster of experts has extensive experience in crypto-ransomware defense, remediation, and data restoration.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thanks very much for letting me get some sleep after we got past the first week. All of you did an incredible job, and if anyone that helped is in the Chicago area, dinner is on me!"
Download the Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Consulting Services in Buffalo
For ransomware system restoration consulting services in the Buffalo area, phone Progent at 800-462-8800 or go to Contact Progent.