Ransomware: Your Worst IT Nightmare
Ransomware has become a modern cyberplague that presents an enterprise-level danger for businesses of all sizes that are poorly prepared for an assault. Versions of crypto-ransomware like the Dharma, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been replicating for many years and still inflict harm. More recent strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Egregor, as well as other as yet unnamed malware, not only encrypt on-line information but also compromise many of the system protection mechanisms an organization has configured. Files replicated to cloud environments can also be corrupted. In a poorly designed environment, this can render automated recovery useless and essentially knocks the datacenter back to zero.
Bringing programs and information back on-line following a ransomware outage becomes a race against time as the targeted organization struggles to contain and clear the virus and to restore business-critical activity. Because ransomware requires time to spread, assaults are frequently launched during nights and weekends, when successful penetrations often take longer to uncover. This multiplies the difficulty of quickly mobilizing and organizing a qualified mitigation team.
Progent makes available an assortment of services for securing Chesapeake businesses from ransomware attacks. These include staff education to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of next-generation security appliances with machine learning technology to intelligently discover and suppress new cyber attacks. Progent in addition offers the services of seasoned ransomware recovery engineers with the skills and commitment to re-deploy a compromised system as quickly as possible.
Progent's Ransomware Restoration Services
After a crypto-ransomware attack, paying the ransom demand in Bitcoin cryptocurrency does not guarantee that the criminal gang will return the codes needed to decipher any of your files. Kaspersky estimated that 17% of ransomware victims never recovered their data after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is greatly above the typical ransomware demand, which ZDNET estimated to be around $13,000 for smaller organizations. The other path is to re-install the vital elements of your IT environment. Without access to essential information backups, this calls for a broad range of skill sets, well-coordinated team management, and the willingness to work continuously until the task is over.
For two decades, Progent has made available certified expert Information Technology services for businesses across the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have been awarded high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have earned internationally-renowned industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has experience in financial systems and ERP applications. This breadth of expertise gives Progent the ability to rapidly understand important systems and re-organize the remaining pieces of your IT environment after a ransomware attack and assemble them into an operational system.
Progent's ransomware group uses powerful project management applications to orchestrate the complex recovery process. Progent understands the importance of acting swiftly and in unison with a client's management and IT resources to prioritize tasks and to put essential systems back online as soon as possible.
Client Case Study: A Successful Ransomware Virus Response
A small business sought out Progent after their network system was attacked by the Ryuk ransomware virus. Ryuk is believed to have been developed by North Korean government-sponsored hackers, suspected of using algorithms leaked from America's NSA. Ryuk targets specific businesses with little or no ability to sustain operational disruption and is among the most profitable iterations of ransomware malware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing business based in the Chicago metro area with about 500 employees. The Ryuk attack had frozen all essential operations and manufacturing processes. Most of the client's data backups had been directly accessible from the network at the beginning of the intrusion and were eventually encrypted. The client was actively seeking loans to pay the ransom (exceeding $200,000) and hoping for good luck, but ultimately reached out to Progent.
"I can't say enough about the care Progent provided us throughout the most critical time of (our) company's existence. We had little choice but to pay the cybercriminals if it wasn't for the confidence the Progent team afforded us. That you were able to get our e-mail system and production servers back on-line sooner than 1 week was amazing. Every single expert I talked with or texted at Progent was urgently focused on getting our company operational and was working all day and night on our behalf."
Progent worked hand in hand with the client to quickly determine and prioritize the mission-critical elements that had to be addressed in order to continue business operations:
- Microsoft Active Directory
- Electronic Mail
- Accounting and Manufacturing Software
To start, Progent adhered to AV/malware incident mitigation best practices by halting the spread and cleaning systems of viruses. Progent then began the steps of restoring Active Directory, the core of enterprise systems built on Microsoft Windows Server technology. Exchange email will not function without AD, and the customer's accounting and MRP applications used SQL Server, which depends on Active Directory services to authorize access to the database.
Within two days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then completed the rebuilding and storage recovery of key systems. All Exchange schema and attributes were usable, which greatly helped the rebuild of Exchange. Progent was able to gather non-encrypted OST data files (Outlook Off-Line Data Files) from team PCs in order to recover email messages. A relatively recent offline backup of the client's accounting/MRP software made it possible to restore these required applications and make them available to users again. Although a lot of work remained to recover fully from the Ryuk damage, core systems were restored rapidly:
"For the most part, the assembly line operation never missed a beat and we delivered all customer orders."
Over the next month key milestones in the recovery project were achieved in tight collaboration between Progent team members and the client:
- In-house web applications were returned to operation without losing any information.
- The MailStore Server with over four million archived messages was spun up and available for users.
- CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory capabilities were 100% operational.
- A new Palo Alto 850 firewall was deployed.
- Most of the desktop computers were being used by staff.
"A lot of what transpired those first few days is nearly entirely a blur for me, but I will not soon forget the care each of the team put in to give us our business back. I've trusted Progent for at least 10 years, possibly more, and every time Progent has come through and delivered as promised. This event was a stunning achievement."
A probable company-ending disaster was averted through the efforts of dedicated experts, a broad array of knowledge, and tight teamwork. Although in retrospect the ransomware incident described here could have been stopped by advanced cyber security systems and best practices, user training, and properly executed incident response procedures for information backup and software patching, the fact is that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware attack, you can be confident that Progent's roster of experts has proven experience in crypto-ransomware virus blocking, cleanup, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thank you for letting me get rested after we got past the initial fire. Everyone did an incredible job, and if any of your team is around the Chicago area, dinner is on me!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)