Ransomware: Your Feared IT Disaster
Crypto-ransomware has become an all-too-frequent cyberplague that represents an extinction-level danger for businesses of any size that are unprepared for an attack. Older families such as Dharma, CryptoWall, Bad Rabbit, SamSam and MongoLock have circulated for years and still inflict havoc. Modern strains such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Egregor, along with less well-known variants, not only encrypt online data but also seek out and destroy any accessible recovery points and backups, typically by deleting Volume Shadow Copies and disabling Windows recovery before encryption begins. Data synced to cloud storage can be corrupted as well, since the encrypted files replicate like any other change. With a vulnerable data protection solution this renders automated restoration impossible and effectively knocks the datacenter back to zero.
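Because the destruction of recovery points described above is normally carried out with a handful of well-known built-in Windows commands moments before encryption starts, it is one of the highest-value behaviours to alert on. The Python script below is an added example, not part of the original page and not code from Progent's ProSight service: it scans process-creation log lines for shadow-copy deletion, backup-catalog deletion and boot-recovery tampering (MITRE ATT&CK T1490), then flags hosts on which several distinct techniques appear within a short window, since a lone "vssadmin delete shadows" can be routine backup housekeeping. The log line format, hostnames, user names and timestamps are constructed for the example, and the function names (`detect_backup_tampering`, `hosts_under_attack`) are the example's own; a real deployment would feed it Sysmon Event ID 1 or Security Event ID 4688 records from a SIEM instead.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Command-line signatures of "inhibit system recovery" behaviour (MITRE ATT&CK T1490).
# Ransomware commonly runs these immediately before encrypting so that Volume Shadow
# Copies, Windows Backup catalogs and automatic boot repair cannot be used to recover.
# The optional closing quote (") allows for logs that quote the executable path.
BACKUP_TAMPERING_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r'vssadmin(?:\.exe)?"?\s+delete\s+shadows', re.I),
    "vssadmin_resize_shadowstorage": re.compile(r'vssadmin(?:\.exe)?"?\s+resize\s+shadowstorage', re.I),
    "wmic_shadowcopy_delete": re.compile(r'wmic(?:\.exe)?"?\s+shadowcopy\s+delete', re.I),
    "wbadmin_delete_catalog": re.compile(r'wbadmin(?:\.exe)?"?\s+delete\s+catalog', re.I),
    "bcdedit_disable_recovery": re.compile(
        r'bcdedit(?:\.exe)?"?.*?(?:recoveryenabled\s+no\b|bootstatuspolicy\s+ignoreallfailures)', re.I),
    "powershell_remove_shadowcopy": re.compile(
        r'win32_shadowcopy.*?(?:remove-wmiobject|\.delete\(\))', re.I),
}

# Constructed log format for this example: one process-creation event per line.
LOG_LINE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+pid=(?P<pid>\d+)\s+cmd=(?P<cmd>.*)$')

# Constructed sample events (hostnames, users and times are invented for the example).
SAMPLE_LOG = """\
2023-03-04T02:13:07Z host=MFG-FS01 user=CORP\\svc_backup pid=4120 cmd="C:\\Windows\\System32\\vssadmin.exe" delete shadows /all /quiet
2023-03-04T02:13:08Z host=MFG-FS01 user=CORP\\svc_backup pid=4128 cmd="C:\\Windows\\System32\\wbem\\wmic.exe" shadowcopy delete
2023-03-04T02:13:09Z host=MFG-FS01 user=CORP\\svc_backup pid=4131 cmd="C:\\Windows\\System32\\bcdedit.exe" /set {default} recoveryenabled No
2023-03-04T02:13:09Z host=MFG-FS01 user=CORP\\svc_backup pid=4133 cmd="C:\\Windows\\System32\\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
2023-03-04T02:20:41Z host=MFG-FS02 user=CORP\\svc_backup pid=6010 cmd="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -nop -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
2023-03-04T02:15:02Z host=MFG-DC01 user=CORP\\svc_backup pid=5300 cmd="C:\\Windows\\System32\\vssadmin.exe" list shadows
2023-03-04T02:14:30Z host=MFG-DC01 user=CORP\\jsmith pid=5210 cmd="C:\\Windows\\System32\\notepad.exe" C:\\Users\\jsmith\\notes.txt
"""


@dataclass
class Finding:
    when: datetime
    host: str
    user: str
    pid: int
    technique: str
    command: str


def parse_event(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def detect_backup_tampering(log_text):
    """Return a Finding for every event whose command line matches a tampering signature."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_event(raw)
        if ev is None:
            continue
        for technique, pattern in BACKUP_TAMPERING_PATTERNS.items():
            if pattern.search(ev["cmd"]):
                findings.append(Finding(
                    when=datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                    host=ev["host"], user=ev["user"], pid=int(ev["pid"]),
                    technique=technique, command=ev["cmd"]))
                break  # one technique label per event is enough
    return findings


def hosts_under_attack(findings, min_techniques=2, window=timedelta(minutes=5)):
    """Return {host: sorted technique names} for hosts on which at least min_techniques
    distinct tampering techniques occur within `window` of each other. A single
    'vssadmin delete shadows' can be backup housekeeping; vssadmin + wmic + bcdedit
    within seconds of each other almost never is."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f)
    flagged = {}
    for host, events in by_host.items():
        events.sort(key=lambda f: f.when)
        for i, first in enumerate(events):
            seen = {first.technique}
            for later in events[i + 1:]:
                if later.when - first.when > window:
                    break
                seen.add(later.technique)
            if len(seen) >= min_techniques:
                flagged[host] = sorted(seen)
                break
    return flagged


if __name__ == "__main__":
    found = detect_backup_tampering(SAMPLE_LOG)
    for f in found:
        print(f"{f.when:%Y-%m-%d %H:%M:%S} {f.host} {f.user} pid={f.pid} {f.technique}: {f.command}")
    print("hosts with correlated recovery tampering:", hosts_under_attack(found))
```

On the constructed sample the script reports five matching events and flags only MFG-FS01, where three different techniques fire within two seconds; the single PowerShell shadow-copy deletion on MFG-FS02 is recorded but, at the default threshold, left for an analyst to triage, and the harmless "vssadmin list shadows" on the domain controller is ignored. A detection like this should fire well before any file is encrypted, which is exactly the window in which isolating the host still saves the backups.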
Recovering applications and data after a ransomware intrusion becomes a race against the clock as the victim fights to contain the damage, eradicate the malware, and restore business-critical operations. Because ransomware needs time to spread, attackers often trigger encryption at night or over weekends, when detection and response are slowest. This compounds the difficulty of rapidly mobilizing and organizing a qualified response team.
Progent offers a range of support services for protecting Buffalo organizations from ransomware. These include user education so staff can recognize and avoid phishing lures, and ProSight Active Security Monitoring, an endpoint detection and response (EDR) service that uses SentinelOne's AI-based threat protection to detect and contain zero-day and other modern malware attacks. Progent also provides the assistance of expert crypto-ransomware recovery engineers with the skills and commitment to rebuild a compromised network as quickly as possible.
Progent's Crypto-Ransomware Recovery Services
After a ransomware attack, even paying the ransom in cryptocurrency does not guarantee that the criminals will provide working keys to decrypt any or all of your data. Kaspersky estimated that 17% of ransomware victims who paid never recovered their data, compounding their losses. Paying is also expensive. Ryuk ransoms have often ranged from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the average ransomware demand, which ZDNet estimated at around $13,000 for smaller organizations. The alternative is to rebuild the essential parts of your IT environment. Without access to usable backups, this calls for a wide range of skill sets, professional project management, and the capacity to work around the clock until the job is done.
For decades, Progent has provided certified expert IT services to companies across the US and has earned Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who hold top-level certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity experts hold internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC (see Progent's certifications). Progent also has expertise with financial management and ERP application software. This breadth of experience gives Progent the capability to knowledgeably identify the systems that must be recovered after a ransomware intrusion, salvage the remaining components of your IT environment, and reassemble them into a functioning network.
Progent's security group uses top-notch project management tools to orchestrate the complicated restoration process. Progent knows the importance of acting rapidly and in unison with a customer's management and IT staff to prioritize tasks and get the most important applications back online as fast as humanly possible.
Client Story: A Successful Crypto-Ransomware Incident Response
A small business contacted Progent after their organization was brought down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because of its code overlap with the earlier Hermes ransomware, possibly adopting techniques leaked from the US NSA, although later analysis tied its operation to a Russian-speaking criminal group. Ryuk targets specific businesses with little or no tolerance for operational disruption and is one of the most profitable ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company based in Chicago with around 500 employees. The Ryuk intrusion had shut down all essential business operations and manufacturing processes. Most of the client's backups had been online and reachable from the compromised network when the attack began, and were encrypted along with everything else. The client considered paying the ransom (more than two hundred thousand dollars) and hoping for the best, but in the end decided to engage Progent.
"I can't thank you enough for the support Progent provided us throughout the most stressful time of (our) business's existence. We may have had to pay the hackers if not for the confidence the Progent group provided us. The fact that you were able to get our messaging and critical servers back in less than one week was something I thought impossible. Every single expert I worked with or messaged at Progent was laser focused on getting us back online and was working at breakneck pace to bail us out."
Progent worked with the customer to quickly identify and prioritize the key systems that had to be addressed to make it possible to restart business functions:
- Active Directory
- Microsoft Exchange
- Accounting and Manufacturing Software
First, Progent followed malware incident response best practices by containing the intrusion to halt lateral movement and cleaning compromised systems. Progent then began rebuilding Microsoft Active Directory, the core of enterprise networks built on Windows Server. Microsoft Exchange will not operate without Active Directory, and the client's financial and MRP applications ran on Microsoft SQL Server, which relied on Windows AD (integrated authentication) to control access to the data.
In less than two days, Progent restored Active Directory to its pre-attack state. Progent then pressed ahead with rebuilding the remaining servers and recovering their storage. All Exchange Server databases and configuration data were intact, which accelerated the Exchange rebuild, and Progent was also able to harvest local OST files (Outlook Offline Data Files) from user desktops and laptops to recover mailbox contents. A reasonably recent offline backup of the customer's financial/ERP systems made it possible to bring those essential services back to users. Although a great deal of work remained to recover completely from the Ryuk attack, core services were restored rapidly:
"For the most part, the production manufacturing operation did not miss a beat and we produced all customer sales."
Over the following month, important milestones in the recovery project were reached through close collaboration between Progent engineers and the client:
- In-house web sites were restored with no loss of information.
- The MailStore Server containing more than four million archived messages was brought on-line and available for users.
- CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables/Inventory Control capabilities were 100% recovered.
- A new Palo Alto Networks PA-850 firewall was installed.
- 90% of the desktop computers were operational.
"Much of what went on in the initial days is nearly entirely a blur for me, but my team will not soon forget the dedication all of the team accomplished to help get our company back. I have been working with Progent for the past ten years, maybe more, and every time Progent has impressed me and delivered. This situation was no exception but maybe more Herculean."
A potentially business-killing disaster was averted through the efforts of top-tier experts, a broad array of subject matter expertise, and close teamwork. In hindsight, the ransomware intrusion described here would have been identified and stopped by modern security technology and recognized best practices: user and IT administrator education, offline or otherwise isolated backups that an attacker on the network cannot reach, systems kept current with security patches, and tested incident response procedures. The reality, however, is that state-sponsored and criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to ransomware, you can be confident that Progent's roster of experts has proven experience in ransomware blocking, mitigation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were involved), thank you for making it so I could get some sleep after we got past the initial push. All of you made an incredible effort, and if any of your guys are in the Chicago area, dinner is the least I can do!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Services in Buffalo
For ransomware recovery consulting services in the Buffalo area, phone Progent at 800-462-8800 or see Contact Progent.