Ransomware : Your Worst Information Technology Disaster
Ransomware has become an all-too-frequent cyber pandemic and an enterprise-level threat for businesses that are poorly prepared for an attack. Earlier ransomware families such as Reveton, Fusob, Bad Rabbit, Syskey and MongoLock have been around for years and still cause destruction. More recent crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Nephilim, along with many unnamed strains, not only encrypt on-line files but also infect many configured system backups. Data synched to cloud environments can be corrupted as well. In a poorly architected system, this can make automated recovery hopeless and effectively sets the entire environment back to square one.
Bringing applications and information back on line after a ransomware attack becomes a race against time as the victim works to contain and clear the ransomware and restore business-critical activity. Because ransomware takes time to move laterally, attacks are usually launched on weekends and holidays, when a successful intrusion may take longer to detect. This multiplies the difficulty of rapidly marshalling and coordinating a capable response team.
Progent offers a range of support services for protecting Charleston businesses from ransomware penetrations. These include staff education to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and installation of next-generation security appliances with machine learning capabilities to identify and suppress zero-day cyber attacks. Progent can also provide veteran ransomware recovery consultants with the track record and perseverance to rebuild a breached environment as quickly as possible.
Progent's Ransomware Restoration Services
After a ransomware attack, paying the ransom in Bitcoin provides no assurance that remote criminals will respond with the keys needed to decrypt all your files. Kaspersky Labs determined that 17% of ransomware victims never recovered their data after paying the ransom, compounding their losses. Taking that gamble is also expensive: Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000), far above the typical ransomware demand, which ZDNET estimated at around $13,000 for smaller businesses. The fallback is to rebuild the key parts of your IT environment from scratch. Without complete system backups, this calls for a wide complement of skill sets, well-coordinated project management, and the ability to work continuously until the job is done.
For twenty years, Progent has provided professional IT services to businesses throughout the United States and has achieved Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who hold high-level industry certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants hold internationally recognized certifications including CISA, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of experience gives Progent the capability to efficiently identify important systems, organize the surviving components of your IT environment after a ransomware event, and configure them into an operational network.
Progent's recovery group uses top-notch project management tools to orchestrate the complex restoration process. Progent understands the urgency of working quickly and in unison with a client's management and IT staff to prioritize tasks and put key applications back on line as fast as possible.
Customer Case Study: A Successful Crypto-Ransomware Incident Response
A customer contacted Progent after their network was taken over by the Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state-sponsored criminal gangs, suspected of adopting approaches leaked from America's NSA. Ryuk targets specific organizations with little or no tolerance for operational disruption and is one of the most profitable crypto-ransomware variants. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in Chicago with about 500 staff members. The Ryuk intrusion had paralyzed all business operations and manufacturing processes. Most of the client's backups had been directly accessible from the network at the time of the attack and were encrypted along with everything else. The client was considering paying the ransom (in excess of $200K) and hoping for the best, but ultimately brought in Progent.
"I cannot speak enough in regards to the support Progent gave us during the most fearful time of (our) business's existence. We most likely would have paid the Hackers if it wasn't for the confidence the Progent team afforded us. That you were able to get our e-mail and important applications back online in less than a week was something I thought impossible. Every single expert I worked with or messaged at Progent was absolutely committed to getting our company operational and was working day and night to bail us out."
Progent worked with the customer to quickly identify and prioritize the critical applications that had to be restored in order to continue company operations:
- Active Directory
- Electronic Messaging
To begin, Progent followed industry best practices for ransomware incident mitigation by stopping the spread and removing active malware. Progent then began bringing Microsoft Active Directory back on line, the foundation of enterprise systems built on Microsoft Windows. Microsoft Exchange Server email will not function without Active Directory, and the customer's accounting and MRP software ran on Microsoft SQL Server, which depends on Windows AD to authenticate access to the data.
In less than two days, Progent restored Active Directory services to their pre-attack state. Progent then performed reinstallations and storage recovery on mission-critical servers. All Microsoft Exchange Server schema and configuration information were intact, which accelerated the rebuild of Exchange. Progent was able to gather unencrypted OST files (Outlook Offline Folder Files) from staff desktop computers to recover mail messages. A fairly recent offline backup of the client's manufacturing software made it possible to bring these vital services back on line for users. Although significant work remained to recover completely from the Ryuk attack, essential services were restored quickly:
"For the most part, the production manufacturing operation showed little impact and we produced all customer shipments."
Over the next couple of weeks, key milestones in the recovery process were reached through close collaboration between Progent engineers and the client:
- In-house web applications were brought back up with no loss of information.
- The MailStore Server holding more than four million archived emails was brought online and made accessible to users.
- CRM/Orders/Invoicing/AP/AR/Inventory Control modules were fully recovered.
- A new Palo Alto 850 security appliance was deployed.
- Most of the user desktops and notebooks were operational.
"A huge amount of what occurred those first few days is nearly entirely a haze for me, but our team will not forget the countless hours each and every one of you put in to help get our business back. I've been working with Progent for at least 10 years, maybe more, and each time I needed help Progent has come through and delivered. This time was a stunning achievement."
A potentially business-ending catastrophe was averted thanks to dedicated experts, a wide array of knowledge, and tight teamwork. Forensics completed after the fact showed that the crypto-ransomware incident described here could have been stopped with modern cyber security systems and NIST Cybersecurity Framework best practices, user and IT administrator training, and properly executed incident response procedures for data backup and patch management; even so, government-sponsored cyber criminals from Russia, China and elsewhere are relentless and will keep attacking. If you do fall victim to crypto-ransomware, remember that Progent's roster of experts has a proven track record in ransomware blocking, remediation, and disaster recovery of data.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), I'm grateful for making it so I could get some sleep after we got through the initial fire. All of you did a fabulous effort, and if anyone that helped is visiting the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF, 282 KB)
Contact Progent for Ransomware System Recovery Expertise in Charleston
For ransomware system restoration expertise in the Charleston metro area, call Progent at 800-462-8800 or visit Contact Progent.