Ransomware : Your Worst IT Disaster
Crypto-ransomware has become an all-too-frequent cyberplague that represents an extinction-level danger for organizations unprepared for an attack. Different iterations of ransomware such as the CryptoLocker, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for years and continue to inflict harm. Newer variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Nephilim, as well as many unnamed strains, not only encrypt online data files but also reach most configured system backups. Information synched to cloud environments can be encrypted as well. In a poorly architected environment this can make automated recovery impossible and effectively set the datacenter back to square one.
Getting applications and data back following a ransomware intrusion becomes a race against time as the targeted organization fights to contain and remove the malware and to resume mission-critical operations. Because ransomware takes time to move laterally, attacks are usually launched at night, when a successful attack typically takes longer to uncover. This compounds the difficulty of rapidly mobilizing and coordinating a capable mitigation team.
Progent provides a range of solutions for securing Chatsworth enterprises from crypto-ransomware penetrations. These include user training to help staff recognize and avoid phishing attempts, and ProSight Active Security Monitoring, an endpoint detection and response service built on SentinelOne's AI-based threat defense to detect and stop zero-day malware attacks. Progent also provides the assistance of expert ransomware recovery professionals with the talent and perseverance to restore a breached system as urgently as possible.
Progent's Crypto-Ransomware Restoration Help
Following a crypto-ransomware attack, even paying the ransom in Bitcoin cryptocurrency does not ensure that the criminal gang will hand over the keys to decrypt any or all of your files. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their data after sending off the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000). This is far higher than the usual ransomware demand, which ZDNET determined to be in the range of $13,000 for small organizations. The alternative is to rebuild the essential elements of your IT environment from scratch. Without complete data backups, this calls for a broad range of skill sets, well-coordinated team management, and the ability to work 24x7 until the task is finished.
For decades, Progent has provided professional Information Technology services for businesses across the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have earned high-level industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of experience gives Progent the ability to quickly understand the necessary systems, consolidate the remaining pieces of your IT environment after a crypto-ransomware penetration, and assemble them into an operational network.
Progent's recovery team deploys best-of-breed project management systems to orchestrate the complicated recovery process. Progent understands the urgency of acting swiftly and in concert with a customer's management and IT resources to prioritize tasks and to get key applications back online as fast as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Attack Response
A small business escalated to Progent after its network was brought down by the Ryuk ransomware. Ryuk is believed to have been developed by North Korean state-sponsored cybercriminals, possibly adopting techniques leaked from the U.S. NSA. Ryuk targets specific businesses with limited tolerance for disruption and is among the most lucrative iterations of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company based in Chicago with about 500 employees. The Ryuk intrusion had shut down all business operations and manufacturing capabilities. The majority of the client's system backups had been online at the time of the attack and were eventually encrypted as well. The client was preparing to pay the ransom demand (in excess of two hundred thousand dollars) and hope for the best, but ultimately turned to Progent.
"I can't say enough in regards to the support Progent provided us during the most critical time of (our) business's life. We most likely would have paid the criminal gangs except for the confidence the Progent experts afforded us. That you were able to get our e-mail and production servers back online in less than 1 week was amazing. Each person I got help from or communicated with at Progent was totally committed to getting us back online and was working 24 by 7 on our behalf."
Progent worked hand in hand with the customer to rapidly understand and prioritize the most important services that needed to be recovered in order to resume company operations:
To begin, Progent followed industry best practices for malware incident mitigation by halting lateral movement and cleaning infected systems. Progent then started the process of bringing Microsoft Active Directory back online, since it is the foundation of enterprise networks built on Microsoft technology. Microsoft Exchange Server messaging will not work without Active Directory, and the business's accounting and MRP applications used SQL Server, which depends on Active Directory services for security authorization to the databases.
- Windows Active Directory
- Electronic Mail
- MRP System
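The ordering described above (isolate first, then Active Directory, then the services that depend on it) is a dependency problem, and writing the dependencies down explicitly makes the plan auditable and shows which systems can be rebuilt in parallel. The following is an added example, not Progent's tooling or a script from this case study. The dependency edges for Exchange, SQL Server, the accounting and MRP applications follow the text; the remaining services, the criticality numbers and the service names are assumptions constructed for illustration. It generalizes the page's case to any dependency graph: it produces a deterministic restore sequence with Kahn's algorithm, groups services into parallel restore waves, and rejects a plan that contains a circular dependency.

```python
"""Dependency-ordered restore plan for ransomware recovery.

Added example, not Progent's tooling. Edges for Exchange, SQL Server,
accounting and MRP follow the case study; every other service, name and
criticality value below is a constructed assumption.
"""
import heapq

# Constructed sample: service -> (criticality, set of prerequisites).
# Lower criticality number restores first among services whose
# prerequisites are already back online.
SERVICES = {
    "active_directory": (1, set()),
    "exchange":         (2, {"active_directory"}),
    "sql_server":       (2, {"active_directory"}),
    "mrp":              (1, {"sql_server"}),
    "accounting":       (3, {"sql_server"}),
    "crm":              (4, {"sql_server"}),
    "mailstore":        (5, {"exchange"}),
    "web_apps":         (6, {"sql_server", "active_directory"}),
}


class CircularDependencyError(ValueError):
    """The graph has a cycle, so no restore order can satisfy it."""


def restore_order(services):
    """Return the restore sequence as a list of service names.

    Kahn's algorithm: repeatedly pick the ready service (all prerequisites
    restored) with the lowest criticality number, ties broken alphabetically
    so the plan is reproducible. Unknown prerequisites raise KeyError; a
    cycle raises CircularDependencyError.
    """
    for name, (_, deps) in services.items():
        missing = deps - set(services)
        if missing:
            raise KeyError(f"{name} depends on unknown service(s): {sorted(missing)}")

    remaining = {name: set(deps) for name, (_, deps) in services.items()}
    dependents = {name: set() for name in services}
    for name, deps in remaining.items():
        for dep in deps:
            dependents[dep].add(name)

    ready = [(services[n][0], n) for n, deps in remaining.items() if not deps]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in sorted(dependents[name]):
            remaining[child].discard(name)
            if not remaining[child]:
                heapq.heappush(ready, (services[child][0], child))

    if len(order) != len(services):
        stuck = sorted(set(services) - set(order))
        raise CircularDependencyError(f"circular dependency among {stuck}")
    return order


def restore_waves(services):
    """Group services into waves; everything in one wave can be rebuilt in
    parallel once the previous wave is online. Wave index is the longest
    prerequisite chain below the service."""
    order = restore_order(services)  # also validates the graph
    depth = {}
    for name in order:  # topological order, so prerequisites are already scored
        depth[name] = max((depth[d] for d in services[name][1]), default=-1) + 1
    waves = []
    for name, level in depth.items():
        while len(waves) <= level:
            waves.append([])
        waves[level].append(name)
    return [sorted(wave) for wave in waves]


def has_cycle(services):
    """True if the plan cannot be ordered because of a circular dependency."""
    try:
        restore_order(services)
    except CircularDependencyError:
        return True
    return False


if __name__ == "__main__":
    for step, name in enumerate(restore_order(SERVICES), 1):
        print(f"{step}. {name}")
    for level, wave in enumerate(restore_waves(SERVICES)):
        print(f"wave {level}: {', '.join(wave)}")
```

Running the block prints Active Directory as step 1, then Exchange and SQL Server, then the SQL-dependent applications with MRP ahead of accounting because of its lower criticality number; the wave view makes it obvious that nothing beyond Active Directory can begin until the domain is back, which is exactly why the case study restores it first.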
In less than 2 days, Progent was able to restore Active Directory to its pre-attack state. Progent then charged ahead with setup and hard drive recovery on mission-critical systems. All Microsoft Exchange Server data and attributes were usable, which greatly helped the rebuild of Exchange. Progent was also able to find local OST files (Microsoft Outlook Offline Data Files) on team desktop computers to recover email messages. A reasonably recent offline backup of the customer's accounting software made it possible to bring these vital programs back into service. Although a large amount of work remained to recover totally from the Ryuk attack, essential systems were recovered quickly:
"For the most part, the production operation survived unscathed and we delivered all customer orders."
Over the following couple of weeks, critical milestones in the recovery process were reached in close cooperation between Progent consultants and the customer:
- Self-hosted web applications were returned to operation without losing any information.
- The MailStore Server containing more than 4 million archived emails was spun up and accessible to users.
- CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory capabilities were 100 percent operational.
- A new Palo Alto 850 security appliance was set up.
- Ninety percent of the user desktops and notebooks were operational.
"A huge amount of what was accomplished during the initial response is nearly entirely a fog for me, but I will not forget the commitment each and every one of your team accomplished to help get our company back. I've trusted Progent for the past 10 years, possibly more, and every time I needed help Progent has shined and delivered. This event was a testament to your capabilities."
A likely business-killing catastrophe was averted with top-tier experts, a broad spectrum of knowledge, and close teamwork. Although in retrospect the ransomware penetration detailed here could have been blocked with current security technology, security best practices, user and IT administrator education, and properly executed procedures for backup and software patching, the reality remains that government-sponsored hackers from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware incident, you can be confident that Progent's team of experts has proven experience in crypto-ransomware blocking, mitigation, and information systems restoration.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thanks very much for allowing me to get rested after we got past the initial fire. Everyone did an amazing job, and if anyone that helped is in the Chicago area, dinner is the least I can do!"
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Services in Chatsworth
For ransomware system recovery services in the Chatsworth area, phone Progent at 800-462-8800 or visit Contact Progent.