Ransomware: Your Worst IT Disaster
Crypto-ransomware has become an all-too-frequent cyber pandemic that poses an existential danger to businesses of all sizes that are unprepared for an attack. Older families such as CryptoLocker, WannaCry, Locky and MongoLock have been in the wild for years and still cause havoc. Modern variants such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Conti and Nefilim, along with newer strains that have yet to be named, not only encrypt online data but also encrypt or delete any backups reachable from the compromised network. Files synced to cloud storage are not safe either: the encrypted versions are synced up just like any other change. In a poorly architected environment this makes automated restore operations hopeless and effectively knocks the network back to square one.
Recovering applications and data after a ransomware intrusion is a race against the clock as the targeted organization works to contain and eradicate the malware and resume mission-critical operations. Because crypto-ransomware needs time to spread, attackers frequently trigger encryption on weekends or holidays, when a successful attack often goes unnoticed for longer. This compounds the difficulty of quickly mobilizing and organizing a qualified response team.
Progent offers a range of services for protecting Charleston organizations from ransomware: user training to recognize and avoid phishing scams, and ProSight Active Security Monitoring (ASM), an endpoint detection and response (EDR) service based on SentinelOne's AI-based threat protection that can identify and contain zero-day malware. Progent can also provide expert crypto-ransomware recovery consultants with the track record and persistence to restore a compromised environment as quickly as possible.
Progent's Ransomware Recovery Support Services
After a crypto-ransomware attack, paying the ransom in cryptocurrency does not guarantee that the attackers will hand over the keys needed to decrypt any or all of your data. Kaspersky found that seventeen percent of ransomware victims never recovered their data even after paying, compounding their losses. Paying is also very expensive: Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000), well above the average ransomware demand, which ZDNet estimated at about $13,000 for smaller businesses. The alternative is to rebuild the vital parts of your IT environment from scratch. Without access to complete system backups, this requires a broad range of IT skills, well-coordinated project management, and a willingness to work around the clock until the job is done.
For twenty years, Progent has provided certified expert IT services to companies across the US and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who hold high-level industry certifications in foundation technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security consultants hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC (refer to Progent's certifications). Progent also has experience with financial management and ERP software. This breadth of expertise enables Progent to quickly identify the systems that matter, salvage the surviving pieces of your network after a crypto-ransomware attack, and reassemble them into a working environment.
Progent's ransomware team uses state-of-the-art project management applications to orchestrate the complex restoration process. Progent knows the importance of working quickly and together with a customer's management and IT team members to prioritize tasks and to get critical services back on-line as fast as possible.
Customer Story: A Successful Crypto-Ransomware Attack Response
A client engaged Progent after their organization was taken over by Ryuk ransomware. Ryuk was initially linked to North Korean state-sponsored actors because of its code overlap with the earlier Hermes ransomware, but later analysis attributed it to a Russian-speaking criminal group. Ryuk targets specific businesses that have little tolerance for downtime and is among the most lucrative strains of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-site manufacturing company in the Chicago area with about 500 employees. The Ryuk intrusion had halted all business and manufacturing operations. Most of the client's backups had been online at the time of the attack and were destroyed. The client was considering paying the ransom (more than $200,000) and hoping for the best, but ultimately decided to engage Progent.
"I cannot say enough regarding the expertise Progent provided us during the most fearful time of (our) company's survival. We may have had to pay the cyber criminals if not for the confidence the Progent group provided us. That you were able to get our e-mail and key servers back into operation in under five days was something I thought impossible. Every single expert I got help from or communicated with at Progent was totally committed to getting our company operational and was working at a breakneck pace to bail us out."
Progent worked with the client to quickly identify and prioritize the critical elements that had to be recovered in order to resume departmental operations:
- Microsoft Active Directory
- Electronic messaging (Exchange)
To start, Progent followed incident response best practice for a malware outbreak: isolate affected systems to stop the spread, then eradicate the malware. Progent then began restoring Microsoft Active Directory, the foundation of enterprise networks built on Microsoft technology. Exchange email cannot operate without Active Directory, and the customer's MRP applications used Microsoft SQL Server, which relied on Windows AD authentication for access to the database.
In less than two days, Progent restored Active Directory to its pre-intrusion state. Progent then assisted with rebuilding critical servers and recovering data from their hard drives. All Microsoft Exchange Server data and attributes were intact, which simplified the Exchange restore. Progent was also able to collect intact OST files (Outlook offline folder files) from staff PCs and use them to recover mailbox data. A recent offline backup of the client's accounting/MRP systems made it possible to return those essential applications to service. Although much work remained to recover fully from the Ryuk attack, core services were restored quickly:
"For the most part, the manufacturing operation never missed a beat and we made all customer deliverables."
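The OST salvage step described above, collecting offline Outlook files from staff PCs and using only the intact ones, is easy to get wrong at scale because encrypted files often still carry names that look like mailboxes. The following Python script is an added example, not Progent's tooling or anything from the case study. It walks a directory tree the responder has already gathered (or a mounted share of user profiles), reads the first 12 bytes of every .ost/.pst file, and keeps only those that still carry the [MS-PST] header magic ("!BDN" and "SM") and a known version word, since a file that has been overwritten with ciphertext loses that header even when its name is unchanged. The sample files it generates are constructed for the demonstration; the directory layout, the ".RYK" extension on the damaged copy (the one Ryuk appends), and the bucket names are assumptions.

```python
"""Triage Outlook OST/PST files by header after a ransomware incident.

Added example (not Progent's tooling). Encrypting ransomware overwrites
file contents, so the fixed [MS-PST] header vanishes from files that were
hit even when the name still ends in .ost. Files that keep the header are
candidates for mailbox recovery; the rest are not worth collecting.
"""
import struct
import tempfile
from pathlib import Path

# [MS-PST] HEADER layout: dwMagic at offset 0 ("!BDN" on disk),
# wMagicClient at offset 8 ("SM"), wVer (file format version) at offset 10.
PST_MAGIC = b"!BDN"
CLIENT_MAGIC = b"SM"
HEADER_LEN = 12
# wVer values defined by [MS-PST]: 14/15 = ANSI, 23 = Unicode, 36 = Unicode with 4 KiB pages (newer OST).
KNOWN_VERSIONS = {14, 15, 23, 36}
MAILBOX_EXTS = {".ost", ".pst"}


def classify_header(head: bytes) -> str:
    """Return 'intact' when the first HEADER_LEN bytes look like a PST/OST header, else 'damaged'."""
    if len(head) < HEADER_LEN:
        return "damaged"
    if head[0:4] != PST_MAGIC or head[8:10] != CLIENT_MAGIC:
        return "damaged"
    (wver,) = struct.unpack_from("<H", head, 10)
    return "intact" if wver in KNOWN_VERSIONS else "damaged"


def classify(path: Path) -> str:
    """Classify one file as 'intact', 'damaged' or 'unreadable' (permission or I/O error)."""
    try:
        with path.open("rb") as fh:
            return classify_header(fh.read(HEADER_LEN))
    except OSError:
        return "unreadable"


def looks_like_mailbox(path: Path) -> bool:
    """Match .ost/.pst anywhere in the suffix chain: ransomware often appends its
    own extension (Ryuk uses .RYK), giving names like mailbox.ost.RYK."""
    return any(s.lower() in MAILBOX_EXTS for s in path.suffixes)


def triage(root: Path) -> dict:
    """Walk root and bucket every mailbox-looking file by the header check."""
    buckets = {"intact": [], "damaged": [], "unreadable": []}
    for p in root.rglob("*"):
        if p.is_file() and looks_like_mailbox(p):
            buckets[classify(p)].append(p)
    return buckets


def build_sample(root: Path) -> None:
    """Constructed sample files for the demonstration; not real mailboxes."""
    root.mkdir(parents=True, exist_ok=True)
    # Intact OST: valid magic, dummy CRC, client magic, wVer=23 (Unicode), padding.
    intact = PST_MAGIC + b"\x00" * 4 + CLIENT_MAGIC + struct.pack("<H", 23) + b"\x00" * 500
    (root / "alice.ost").write_bytes(intact)
    # Encrypted copy: ciphertext carries no recognisable header, plus the attacker's extension.
    (root / "bob.ost.RYK").write_bytes(bytes(range(256)) * 2)
    # Truncated file, e.g. caught mid-copy: too short to hold a header.
    (root / "carol.pst").write_bytes(PST_MAGIC + b"\x00" * 3)
    # Unrelated file that must be ignored.
    (root / "notes.txt").write_bytes(b"not a mailbox")


def demo() -> dict:
    """Build the sample in a temp directory, triage it, return sorted file names per bucket."""
    root = Path(tempfile.mkdtemp(prefix="ost-triage-"))
    build_sample(root)
    return {k: sorted(p.name for p in v) for k, v in triage(root).items()}


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(f"{bucket}: {names}")
```

Point `triage()` at a read-only mount of the collected profiles rather than the live desktops, and copy only the "intact" bucket to the recovery share; a header match is a cheap filter, not proof the file opens cleanly, so Outlook or an OST conversion tool still has the final say.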
During the following month, key milestones in the recovery were reached through close cooperation between Progent consultants and the client:
- In-house web applications were brought back up without losing any information.
- The MailStore Server with over four million archived messages was brought back up and made available to users.
- CRM/Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory Control modules were fully operational.
- A new Palo Alto Networks PA-850 firewall was deployed.
- Ninety percent of the user desktops were functioning as before the incident.
"So much of what went on during the initial response is nearly entirely a haze for me, but we will not soon forget the dedication each of the team accomplished to give us our business back. I have trusted Progent for the past 10 years, maybe more, and each time I needed help Progent has come through and delivered as promised. This time was a Herculean accomplishment."
A potentially business-ending disaster was averted by top-tier experts, a broad spectrum of technical expertise, and close teamwork. In hindsight, the intrusion described here could have been blocked by current security technology, ISO/IEC 27001-aligned controls, staff training, offline or otherwise unreachable backups, disciplined patching, and a tested incident response plan. Even so, state-sponsored and criminal attackers from Russia, North Korea and elsewhere are relentless and remain an ongoing threat. If you are hit by a crypto-ransomware attack, you can be confident that Progent's team has a proven track record in ransomware defense, mitigation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for letting me get some sleep after we made it past the initial fire. Everyone did an impressive job, and if any of your team is around the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Services in Charleston
For ransomware cleanup services in the Charleston metro area, call Progent at 800-462-8800 or visit Contact Progent.