Ransomware: Your Feared Information Technology Nightmare
Ransomware has become an escalating cyberplague that poses an enterprise-level threat to any business vulnerable to attack. Older families such as Reveton, CryptoWall, Locky, Syskey and MongoLock have circulated for years and still cause damage. More recent families such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, Snatch and Nephilim, along with many unnamed variants, not only encrypt online data but also deliberately target backups and other system protection mechanisms so that recovery is harder. Data synchronized to the cloud can be encrypted too, because the sync client simply uploads the encrypted files in place of the originals. In a poorly architected data protection solution, this can render automated restore operations impossible and effectively set the entire environment back to zero.
Recovering programs and data after a crypto-ransomware attack becomes a race against time as the targeted business tries to stop lateral movement, clean up the ransomware, and restore business-critical activity. Because an intrusion needs time to spread laterally before the payload is triggered, attackers often detonate the ransomware on weekends and holidays, when a successful attack takes longer to notice. This compounds the difficulty of promptly assembling and organizing a qualified response team.
Progent offers a range of services for protecting Clearwater organizations from crypto-ransomware attacks. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security appliances with machine learning capabilities that automatically detect and quarantine new threats. Progent also provides veteran ransomware recovery engineers with the skills and commitment to rebuild a compromised network as quickly as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware event, paying the ransom in cryptocurrency does not guarantee that the criminals will provide the keys to decrypt any or all of your data. Kaspersky Labs found that 17% of ransomware victims never recovered their data after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), well above typical ransomware demands, which ZDNet put at around $13,000 for smaller businesses. The alternative is to rebuild the mission-critical parts of your IT environment. Without complete backups, this requires a wide range of skills, well-coordinated project management, and the ability to work around the clock until the job is done.
For two decades, Progent has provided expert IT services to businesses throughout the US and has earned Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers holding high-level certifications in leading technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity specialists hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise in financial systems and ERP application software. This breadth of expertise gives Progent the capability to identify the critical systems after a ransomware attack, reorganize the remaining parts of your IT environment, and reassemble them into an operational system.
Progent's ransomware team uses project management tools to coordinate the complicated recovery process. Progent understands the importance of acting quickly and in concert with the client's management and IT staff to prioritize tasks and get critical systems back online as soon as humanly possible.
Customer Story: A Successful Crypto-Ransomware Virus Restoration
A business sought out Progent after its network was penetrated by Ryuk ransomware. Ryuk was initially linked to North Korea because it shares code with the Hermes ransomware used by the Lazarus Group, but later research attributed it to a Russian-speaking criminal group. Ryuk targets organizations with little tolerance for downtime and is one of the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer in the Chicago area with about 500 employees. The Ryuk attack had shut down all company operations and manufacturing capabilities. Most of the client's backups were directly accessible from the network when the attack began and were destroyed along with the production data. The client was arranging financing to pay the ransom (over $200,000) and hoping for the best, but ultimately decided to engage Progent instead.
"I can't speak enough in regards to the care Progent provided us throughout the most critical time of (our) company's life. We most likely would have paid the cyber criminals except for the confidence the Progent team gave us. That you were able to get our e-mail and critical servers back into operation in less than 1 week was incredible. Every single expert I talked with or communicated with at Progent was totally committed to getting us back online and was working day and night on our behalf."
Progent worked with the client to quickly identify and prioritize the critical systems that had to be recovered before business functions could resume:
- Windows Active Directory
- Electronic mail
First, Progent followed industry best practices for malware incident response by isolating infected hosts and removing the active malware. Progent then began restoring Active Directory, the core of networks built on Windows Server. Microsoft Exchange cannot run without Active Directory, and the client's accounting and MRP system used SQL Server configured for Windows authentication, which also depends on Active Directory.
In less than 48 hours, Progent restored Windows Active Directory to its pre-attack state. Progent then reinstalled critical applications and recovered their storage. Exchange Server's configuration data, which lives in Active Directory, was intact, which accelerated the Exchange rebuild. Progent was also able to locate Outlook Offline Folder files (OST files) on users' desktop computers and recover email data from them. A recent offline backup of the business's manufacturing systems made it possible to bring those essential services back online. Although major work remained to recover fully from the Ryuk event, core systems were returned to operation rapidly:
"For the most part, the manufacturing operation did not miss a beat and we delivered all customer orders."
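The OST recovery described above deserves a concrete illustration. The following PowerShell script is an added example, not Progent's tooling or anything taken from the case study: it inventories Outlook OST files under the user profile root of a workstation and checks each file's first four bytes against the PST/OST header signature "!BDN", so files that were encrypted in place can be separated from ones still worth exporting. It also lists files whose name matches *.ost.* because many ransomware families, Ryuk included, append their own extension to files they encrypt. The search root, the report path, and running it per workstation are assumptions for illustration.

```powershell
# Added example (not from the Progent case study): triage Outlook OST files on a
# workstation after a ransomware incident. An intact PST/OST begins with the
# 4-byte magic "!BDN"; a file encrypted in place normally fails this check, and a
# file renamed by the ransomware shows up under a *.ost.<ext> name instead.
# $SearchRoots and $Report are assumptions chosen for this illustration.
param(
    [string[]]$SearchRoots = @("$env:SystemDrive\Users"),   # assumption: default profile root
    [string]$Report = "$env:TEMP\ost-triage.csv"             # assumption: where to write the CSV
)

$Magic = [byte[]](0x21, 0x42, 0x44, 0x4E)   # "!BDN", the PST/OST header signature

function Test-OstHeader {
    # Returns $true only if the first 4 bytes of the file are the PST/OST magic.
    # FileShare 'ReadWrite' lets us read a file that Outlook may still hold open.
    param([string]$Path)
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $buf = New-Object byte[] 4
        if ($fs.Read($buf, 0, 4) -lt 4) { return $false }   # too short to be a mailbox file
        for ($i = 0; $i -lt 4; $i++) {
            if ($buf[$i] -ne $Magic[$i]) { return $false }
        }
        return $true
    } finally {
        $fs.Dispose()
    }
}

# Enumerate OST files, including ones renamed with an extra extension.
$results = foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Recurse -File -Force -Include '*.ost', '*.ost.*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $intact = $false
            try { $intact = Test-OstHeader -Path $_.FullName } catch { $intact = $false }
            [pscustomobject]@{
                Computer     = $env:COMPUTERNAME
                Path         = $_.FullName
                SizeMB       = [math]::Round($_.Length / 1MB, 1)
                LastWrite    = $_.LastWriteTime
                Renamed      = ($_.Extension -ne '.ost')     # probable ransomware rename
                HeaderIntact = $intact
            }
        }
}

# Intact, large files first: those are the ones worth exporting to PST.
$results | Sort-Object -Property HeaderIntact, SizeMB -Descending | Format-Table -AutoSize
$results | Export-Csv -Path $Report -NoTypeInformation
```

Run it on each workstation (for example through Invoke-Command with a list of computer names) and merge the CSVs to build a recovery worklist. Two caveats: the header check is a triage filter, not proof, since a file can still be damaged past its first four bytes; and an OST cannot simply be opened by a fresh Outlook profile, so plan on exporting mail from the original profile or using a conversion tool.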
Over the following weeks, important milestones in the restoration were reached through close collaboration between Progent and the client's team:
- Internal web applications were brought back up without losing any data.
- The MailStore archive server for Microsoft Exchange, containing more than four million archived emails, was brought back online and made accessible to users.
- CRM, customer orders, invoicing, accounts payable, accounts receivable and inventory control modules were 100 percent functional.
- A new Palo Alto Networks PA-850 security appliance was set up.
- 90% of the desktop computers were fully operational.
"Much of what was accomplished those first few days is mostly a haze for me, but my team will not soon forget the care each and every one of your team put in to help get our company back. I've entrusted Progent for the past 10 years, possibly more, and every time I needed help Progent has shined and delivered as promised. This situation was no exception but maybe more Herculean."
A potentially business-ending catastrophe was averted by top-tier professionals, a broad range of knowledge, and tight collaboration. In hindsight, the incident described here should have been detected and stopped by advanced security tooling, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user education, and well-designed incident response procedures covering offline backups and timely security patching. The reality, however, is that ransomware groups, whether criminal or state-sponsored, are relentless and represent an ongoing threat. If you are hit by a crypto-ransomware attack, remember that Progent's roster of experts has extensive experience in ransomware prevention, mitigation, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were helping), thank you for letting me get rested after we made it through the first week. Everyone did an impressive effort, and if anyone that helped is in the Chicago area, a great meal is my treat!"
Download the Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Consulting Services in Clearwater
For ransomware system restoration services in the Clearwater metro area, call Progent at 800-462-8800 or visit Contact Progent.