Ransomware: Your Feared Information Technology Catastrophe
Crypto-ransomware has become an escalating cyber plague that presents an enterprise-level threat to organizations poorly prepared for an attack. Versions of ransomware such as Reveton, CryptoWall, Locky, NotPetya and the MongoLock cryptoworms have been circulating for a long time and still inflict damage. Newer families such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Nefilim, along with as yet unnamed newcomers, not only encrypt online data files but also disable many of the system protection mechanisms available to defenders. Files synced to cloud environments can also be ransomed. In a poorly designed environment, an attack can render every restore point useless and effectively knock the network back to zero.
Getting applications and data back after a ransomware attack becomes a race against the clock as the targeted business fights to stop the spread, clear the ransomware and restore business-critical activity. Because crypto-ransomware needs time to move laterally, attacks are frequently triggered during nights and weekends, when a successful intrusion typically takes longer to be discovered. This multiplies the difficulty of quickly assembling and coordinating an experienced response team.
Progent offers a variety of solutions for protecting Buffalo enterprises from crypto-ransomware events. These include user training to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of the latest generation of security appliances with artificial intelligence capabilities to quickly detect and block zero-day attacks. Progent also provides the services of expert ransomware recovery professionals with the skills and perseverance to rebuild a breached environment as urgently as possible.
Progent's Crypto-Ransomware Recovery Services
After a ransomware attack, even paying the ransom in Bitcoin does not ensure that the remote criminals will supply the keys needed to decrypt any of your files. Kaspersky determined that 17% of ransomware victims never recovered their files after paying the ransom, compounding their losses. The gamble is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the typical ransomware demand, which ZDNET determined to be around $13,000 for smaller businesses. The fallback is to reinstall the critical elements of your Information Technology environment. Without usable backups of essential data, this requires a broad range of skills, well-coordinated project management, and the capability to work 24x7 until the recovery project is completed.
For twenty years, Progent has provided expert Information Technology services to companies across the US and has achieved Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have earned high-level certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have earned internationally recognized certifications including CISM, CISSP, CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with financial management and ERP application software. This breadth of expertise allows Progent to quickly understand critical systems, integrate the surviving components of your IT environment following a ransomware attack, and configure them into an operational network.
Progent's ransomware team uses best-of-breed project management systems to coordinate the complicated restoration process. Progent understands the urgency of working swiftly and together with a customer's management and Information Technology resources to prioritize tasks and put critical systems back online as fast as humanly possible.
Customer Case Study: A Successful Ransomware Intrusion Restoration
A business sought out Progent after their network was brought down by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean government-sponsored cybercriminals, possibly using techniques leaked from America's NSA. Ryuk targets specific businesses with little or no tolerance for operational disruption and is one of the most profitable instances of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing business based in the Chicago metro area with around 500 staff members. The Ryuk intrusion had disabled all business operations and manufacturing processes. The majority of the client's backups had been online at the start of the intrusion and were destroyed. The client was actively seeking loans to pay the ransom (exceeding $200,000) and hoping for good luck, but in the end reached out to Progent.
"I cannot speak enough about the support Progent gave us during the most stressful time of (our) business's survival. We may have had to pay the criminal gangs except for the confidence the Progent team afforded us. That you could get our e-mail system and critical servers back on-line quicker than 1 week was beyond my wildest dreams. Each person I got help from or texted at Progent was urgently focused on getting us back online and was working at breakneck pace to bail us out."
Progent worked together with the client to quickly assess and prioritize the key applications that had to be addressed to make it possible to restart business operations:
To start, Progent followed incident response best practices for malware outbreaks by stopping lateral movement and cleaning up compromised systems. Progent then began rebuilding Windows Active Directory, the foundation of enterprise networks built on Microsoft Windows Server technology. Exchange messaging will not operate without Windows AD, and the client's accounting and MRP system used Microsoft SQL Server, which depends on Active Directory services for access to the databases.
- Active Directory (AD)
In less than two days, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then charged ahead with reinstallations and storage recovery on mission-critical systems. All Exchange Server schema extensions and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to collect local OST files (Outlook Offline Data Files) from staff workstations in order to recover email data. A recent offline backup of the customer's manufacturing software made it possible to bring these vital services back online. Although a lot of work remained to recover fully from the Ryuk attack, core systems were recovered rapidly:
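The recovery sequence above (contain, rebuild AD, confirm the Exchange schema survived, then harvest OST files from workstations) lends itself to a verification checklist. The PowerShell script below is an added example written for this page; it is not Progent's or the client's code. It assumes a domain-joined administrative workstation with the RSAT ActiveDirectory module, admin share access to the workstations, and two constructed paths (`C:\IR\workstations.txt`, one hostname per line, and `C:\IR\ost-inventory.csv`) that you would replace with your own.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example, not code from the original page. Post-rebuild verification
  for the three steps described in the case study:
    1. every domain controller is reachable and replicating without failures,
    2. the Exchange schema extensions still exist in Active Directory,
    3. Outlook OST files on workstations are inventoried before collection.
  Paths below are assumptions; adjust them to your environment.
#>
param(
    [string]$WorkstationList = 'C:\IR\workstations.txt',   # assumed: one hostname per line
    [string]$ReportPath      = 'C:\IR\ost-inventory.csv'   # assumed output location
)

Import-Module ActiveDirectory

# --- 1. Active Directory health: list DCs and any replication failures ---
$dcs = Get-ADDomainController -Filter *
foreach ($dc in $dcs) {
    $failures = Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue
    $status = if ($failures) { "REPLICATION FAILURES: $($failures.Count)" } else { 'OK' }
    Write-Host ("DC {0,-35} {1}" -f $dc.HostName, $status)
}

# --- 2. Exchange schema present in AD? ---
# Exchange records its schema version in the rangeUpper attribute of the
# ms-Exch-Schema-Version-Pt schema object. If that object is missing, the
# schema extensions were lost and Exchange setup must re-prepare the schema
# before a server rebuild can succeed.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$exSchema = Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$schemaNC" `
                         -Properties rangeUpper -ErrorAction SilentlyContinue
if ($exSchema) {
    Write-Host "Exchange schema present, rangeUpper = $($exSchema.rangeUpper)"
} else {
    Write-Warning 'Exchange schema object not found; schema extensions may be lost'
}

# --- 3. Inventory OST files on workstations before collecting them ---
# Each OST is a cached copy of a mailbox and may be the only surviving copy of
# that user's mail. Record path, size and last write time so the team can rank
# which to collect first; copy them with a read-only tool rather than opening them.
$hosts = Get-Content $WorkstationList | Where-Object { $_.Trim() }
$inventory = foreach ($pc in $hosts) {
    if (-not (Test-Connection -ComputerName $pc -Count 1 -Quiet)) {
        Write-Warning "$pc unreachable"
        continue
    }
    # Wildcard in the Users segment enumerates every profile on the machine.
    $files = Get-ChildItem -Path "\\$pc\C$\Users\*\AppData\Local\Microsoft\Outlook" `
                           -Filter '*.ost' -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        [pscustomobject]@{
            Computer      = $pc
            Path          = $f.FullName
            SizeMB        = [math]::Round($f.Length / 1MB, 1)
            LastWriteTime = $f.LastWriteTime
        }
    }
}

$inventory | Sort-Object SizeMB -Descending | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Found $($inventory.Count) OST files; report written to $ReportPath"
```

Run it once after the domain controllers are back and again after Exchange is rebuilt; a non-empty replication failure count or a missing schema object is a stop signal before reinstalling anything that depends on AD. The OST inventory is deliberately read-only: the files are ranked, not copied, so that collection can be scheduled per workstation without risking the cached data.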
"For the most part, the manufacturing operation did not miss a beat and we did not miss any customer orders."
Over the next couple of weeks, key milestones in the recovery project were reached through close collaboration between Progent engineers and the client:
- Internal web applications were brought back up with no loss of information.
- The MailStore Server containing more than four million historical emails was brought online and available for users.
- CRM, customer orders, invoicing, accounts payable (AP), accounts receivable (AR) and inventory control capabilities were completely recovered.
- A new Palo Alto 850 firewall was brought on-line.
- Nearly all of the desktop computers were functioning as before the incident.
"A huge amount of what transpired in the early hours is nearly entirely a fog for me, but my team will not soon forget the commitment all of your team accomplished to give us our business back. I've trusted Progent for the past 10 years, possibly more, and each time Progent has impressed me and delivered as promised. This situation was a life saver."
A likely company-ending catastrophe was avoided by results-oriented experts, a broad spectrum of subject matter expertise, and close teamwork. In hindsight, the ransomware attack described here would have been prevented by up-to-date security solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and well thought out procedures for backups and for keeping systems current with security patches. Even so, government-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to ransomware, remember that Progent's team of professionals has extensive experience in crypto-ransomware blocking, removal, and file recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thank you for letting me get some sleep after we got over the initial fire. Everyone did a fabulous effort, and if any of your guys are in the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this customer case study, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)