Ransomware: Your Worst Information Technology Disaster
Ransomware has become frequent enough to count as a cyber pandemic, and it is an enterprise-level threat for any business that is poorly prepared for an attack. Older families such as Reveton, Fusob, Bad Rabbit and MongoLock (and the Syskey-based lock-out scams) have been around for years and still do damage. More recent crypto-ransomware families such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Nefilim, along with many less publicized variants, not only encrypt on-line files but also encrypt or delete any backups that are reachable from the compromised network. Data synchronized to cloud storage can be corrupted as well, because the encrypted files are simply synced up like any other change. In a poorly architected environment this makes automated recovery hopeless and effectively sets the entire system back to square one.
Getting applications and data back on line after a ransomware attack becomes a race against time as the victim tries to contain and remove the ransomware while restoring business-critical activity. Attackers typically spend days or weeks moving laterally and staging before they trigger encryption, and they commonly trigger it on a weekend or holiday, when the encryption can run longer before anyone notices. That timing also makes it harder to rapidly assemble and coordinate a capable response team.
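The backup failure mode described above (backups reachable from the network get encrypted along with everything else) is worth checking for before a restore job is trusted. The following is an added example, not code from the original page or from Progent: a small Python script that audits a backup set for signs that ransomware reached it, using a known ransomware extension on the file name, a dropped ransom note, or a file with no recognizable header and near-random byte entropy. The extension list, ransom-note names, magic-byte table and entropy threshold are illustrative assumptions, and the sample backup set is constructed inline.

```python
"""Sanity-check a backup set before trusting it for recovery.

Ransomware that reaches a backup share encrypts the backup files like any
other file, and a restore job will happily copy those encrypted files back.
Heuristics used here (illustrative, not exhaustive):
  1. a known ransomware extension on the file name,
  2. a ransom note dropped next to the backups,
  3. a file with no recognisable header whose byte entropy is close to 8 bits.
Compressed archives also have high entropy, so the header check runs before
the entropy check to avoid flagging every .gz/.zip backup.
"""
import gzip
import math
import random
from collections import Counter

# Assumed markers: ".ryk" and RyukReadMe.txt are the extension and note that
# Ryuk uses; the rest are placeholders to extend with your own families.
RANSOMWARE_EXTENSIONS = (".ryk", ".locked", ".encrypted")
RANSOM_NOTE_NAMES = {"ryukreadme.txt", "ryukreadme.html", "readme_for_decrypt.txt"}

# Leading magic bytes of formats a backup set is likely to contain.
KNOWN_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"SQLite format 3\x00": "sqlite",
}
HIGH_ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted/random data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def known_format(data: bytes):
    """Return the format name if the data starts with a known header."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def classify(name: str, data: bytes) -> str:
    """Label one backup file according to the heuristics above."""
    if name.lower().endswith(RANSOMWARE_EXTENSIONS):
        return "renamed-by-ransomware"
    if not data:
        return "empty"  # a zero-byte backup is useless, treat as untrusted
    fmt = known_format(data)
    if fmt:
        return f"known-format:{fmt}"
    if shannon_entropy(data) >= HIGH_ENTROPY_THRESHOLD:
        return "suspect-encrypted"
    return "plaintext"


def audit_backup_set(files: dict) -> dict:
    """Split a {path: bytes} backup set into trusted and untrusted groups."""
    report = {"trusted": [], "suspicious": [], "ransom_notes": []}
    for path, data in sorted(files.items()):
        base = path.rsplit("/", 1)[-1].lower()
        if base in RANSOM_NOTE_NAMES:
            report["ransom_notes"].append(path)
            continue
        label = classify(path, data)
        trusted = label == "plaintext" or label.startswith("known-format")
        report["trusted" if trusted else "suspicious"].append((path, label))
    return report


def sample_backup_set() -> dict:
    """Constructed sample set for demonstration; not from any real incident."""
    rng = random.Random(1)
    text_cfg = b"[db]\nhost=backup01\nport=5432\n" * 40
    # A compressed archive: high entropy, but it carries the gzip header.
    archive = gzip.compress(bytes(rng.choice(b"abcdefghijklmnopqrstuvwxyz0123456789")
                                  for _ in range(6000)))
    # Stand-in for a file the ransomware rewrote in place: no header, ~8 bits/byte.
    encrypted = bytes(rng.getrandbits(8) for _ in range(4096))
    return {
        "exchange/config.ini": text_cfg,
        "sql/nightly.sql.gz": archive,
        "sql/nightly.bak": encrypted,
        "finance/ledger.xlsx.RYK": encrypted,
        "finance/RyukReadMe.txt": b"Your network has been penetrated...\n",
    }


if __name__ == "__main__":
    for bucket, entries in audit_backup_set(sample_backup_set()).items():
        print(bucket, entries)
```

Run it against a real backup share by walking the directory and feeding each file's first few kilobytes to `classify`; a single ransom note or `suspect-encrypted` hit in the set means the backups were reachable during the attack and must not be restored without further inspection.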
Progent offers an assortment of support services for securing Charleston businesses against ransomware attacks. These include staff education to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and installation of next-generation security appliances with machine learning capabilities to identify and block zero-day attacks. Progent can also provide veteran ransomware recovery consultants with the track record and perseverance to rebuild a breached environment as quickly as possible.
Progent's Ransomware Restoration Services
After a ransomware attack, paying the ransom in Bitcoin does not guarantee that the remote criminals will send keys that decrypt all of your files. Kaspersky Labs found that 17% of ransomware victims never recovered their data after paying the ransom, compounding their losses. The ransom itself is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far above the typical ransomware demand, which ZDNET put at around $13,000 for smaller businesses. The fallback is to rebuild the key parts of your IT environment from scratch. Without complete, clean system backups, this calls for a wide complement of skills, well-coordinated project management, and the ability to work continuously until the job is done.
For twenty years, Progent has provided professional IT services for businesses throughout the United States and has achieved Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who hold high-level industry certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants hold internationally recognized certifications including CISA, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience in financial management and ERP applications. This breadth of experience gives Progent the ability to efficiently identify important systems, organize the surviving components of your IT environment after a ransomware event, and configure them into an operational network.
Progent's recovery group uses top-notch project management tools to orchestrate the complex restoration process. Progent understands the urgency of working quickly and in unison with a client's management and IT staff to prioritize tasks and put key applications back on line as fast as possible.
Customer Case Study: A Successful Crypto-Ransomware Incident Response
A customer contacted Progent after their network was taken over by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the Hermes ransomware; later analysis attributed it to a Russian-speaking criminal group. Ryuk targets organizations with little or no tolerance for operational disruption and is one of the most profitable crypto-ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in Chicago with about 500 staff members. The Ryuk intrusion had paralyzed all business operations and manufacturing processes. The majority of the client's backups were directly accessible from the network at the time of the attack and were encrypted along with everything else. The client was considering paying the ransom (in excess of $200K) and hoping for the best, but ultimately brought in Progent instead.
Progent worked with the customer to quickly identify and prioritize the critical applications that had to be restored for company operations to continue:
In less than two days, Progent restored Active Directory services to their pre-attack state. Progent then performed reinstallations and storage recovery on mission-critical servers. All Microsoft Exchange Server schema and configuration information was intact, which accelerated the Exchange rebuild. Progent gathered the unencrypted OST files (Outlook offline data files) from staff desktops to recover mail messages. A reasonably recent offline backup of the client's manufacturing software made it possible to bring those vital services back online for users. Although significant work remained to recover completely from Ryuk, essential services were restored quickly:
Over the following weeks, key milestones in the recovery were reached through close collaboration between Progent engineers and the client:
Conclusion
A potentially business-ending catastrophe was averted through dedicated experts, a wide range of skills, and tight teamwork. Post-incident forensics showed that the crypto-ransomware incident described here could have been prevented or contained with modern security controls and NIST Cybersecurity Framework best practices, user and IT administrator training, properly executed backup procedures (including backups the ransomware cannot reach), and disciplined patching. Even so, state-sponsored and criminal attackers operating from Russia, China and elsewhere are relentless and will keep trying. If you do fall victim to crypto-ransomware, remember that Progent's roster of experts has a proven track record in ransomware prevention, remediation, and data recovery.
Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Expertise in Charleston
For ransomware system restoration expertise in the Charleston metro area, call Progent at