Ransomware: Your Crippling Information Technology Disaster
Crypto-ransomware has become an escalating cyberplague that presents an existential threat to businesses poorly prepared for an assault. Multiple generations of crypto-ransomware such as the Dharma, Fusob, Locky, NotPetya and MongoLock cryptoworms have been out in the wild for many years and continue to cause damage. More recent strains such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Nephilim, along with other unnamed newcomers, not only encrypt online data but also attack any accessible backup and system-protection mechanisms. Information synced to off-site disaster recovery sites can also be ransomed. In a vulnerable system, this can render automated restore operations hopeless and essentially sets the network back to zero.
Getting applications and data back online after a ransomware intrusion becomes a race against the clock as the targeted business tries to contain and remove the crypto-ransomware and to restore business-critical operations. Because ransomware takes time to move laterally, attacks are frequently sprung at night, when a successful attack may take longer to identify. This multiplies the difficulty of quickly marshalling and coordinating a capable response team.
Progent makes available a range of solutions for protecting Clearwater enterprises from crypto-ransomware attacks. Among these are team training to help staff recognize and not fall victim to phishing attempts, and ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR), which uses SentinelOne's behavior-based cyberthreat protection to detect and suppress zero-day modern malware attacks. Progent can also provide the assistance of experienced crypto-ransomware recovery professionals with the skills and commitment to rebuild a breached system as soon as possible.
Progent's Ransomware Restoration Help
After a crypto-ransomware penetration, even paying the ransom in Bitcoin cryptocurrency does not provide any assurance that merciless criminals will provide the keys to decipher all your files. Kaspersky determined that 17% of crypto-ransomware victims never recovered their information after having paid the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the usual ransomware demands, which ZDNET determined to be in the range of $13,000 for smaller businesses. The alternative is to set up the key parts of your Information Technology environment from scratch. Without access to essential data backups, this requires a broad range of IT skills, top-notch project management, and the ability to work 24x7 until the recovery project is completed.
For decades, Progent has made available certified expert Information Technology services for businesses across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have earned advanced certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have garnered internationally renowned certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial management and ERP software solutions. This breadth of expertise gives Progent the skills to quickly identify critical systems, integrate the surviving parts of your Information Technology environment following a crypto-ransomware penetration, and configure them into an operational network.
Progent's security group uses best-of-breed project management applications to coordinate the sophisticated restoration process. Progent appreciates the urgency of acting swiftly and in unison with a customer's management and Information Technology staff to prioritize tasks and to get key services back online as fast as possible.
Case Study: A Successful Ransomware Intrusion Recovery
A small business sought out Progent after their organization was taken over by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean state hackers, possibly using algorithms leaked from the United States NSA. Ryuk targets specific companies with little or no tolerance for disruption and is one of the most profitable instances of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing company headquartered in the Chicago metro area with about 500 employees. The Ryuk intrusion had paralyzed all essential operations and manufacturing processes. Most of the client's data backups had been directly accessible from the network at the beginning of the intrusion and were destroyed. The client was evaluating paying the ransom demand (in excess of $200K) and hoping for the best, but in the end made the decision to use Progent.
"I can't thank you enough for the help Progent gave us during the most critical time of (our) business's survival. We would have paid the hackers except for the confidence the Progent experts afforded us. That you could get our messaging and key servers back into operation in less than 1 week was beyond my wildest dreams. Every single consultant I worked with or texted at Progent was hell bent on getting us operational and was working 24/7 to bail us out."
Progent worked hand in hand with the customer to rapidly identify and prioritize the most important applications that had to be recovered to make it possible to restart business functions:
- Active Directory
- Electronic Messaging
To start, Progent adhered to anti-malware incident response industry best practices by stopping the spread and disinfecting systems. Progent then initiated the task of rebuilding Windows Active Directory, the foundation of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not work without Active Directory, and the business's accounting and MRP software relied on Microsoft SQL Server, which depends on Active Directory services to authenticate and authorize access to the data.
In less than 48 hours, Progent was able to recover Active Directory to its pre-attack state. Progent then charged ahead with rebuilding and hard drive recovery on essential systems. All Microsoft Exchange Server data and attributes were usable, which facilitated the rebuild of Exchange. Progent was able to collect non-encrypted OST files (Microsoft Outlook Offline Data Files) from team desktop computers in order to recover email data. A reasonably recent offline backup of the client's financials/ERP software made it possible to bring these vital applications back online. Although major work remained to recover fully from the Ryuk damage, critical systems were recovered quickly:
"For the most part, the production line operation was never shut down and we produced all customer shipments."
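The OST salvage step above (collecting unencrypted Outlook Offline Data Files from desktops) depends on quickly telling intact files from ones the ransomware overwrote. The following triage script is an added example, not code from the original page or from Progent: it walks a directory tree for *.ost / *.pst files and checks whether each still starts with the header Outlook writes, using the header layout published in Microsoft's [MS-PST] specification. The sample files it scans are constructed in a temporary directory.

```python
import os
import struct
import tempfile
from pathlib import Path

# Header layout from the [MS-PST] specification (OST and PST share it):
#   offset 0:  dwMagic = "!BDN"
#   offset 10: wVer    = 14/15 (ANSI), 23 (Unicode), 36 (Unicode, 4K pages)
PST_MAGIC = b"!BDN"
KNOWN_VERSIONS = {14: "ANSI", 15: "ANSI", 23: "Unicode", 36: "Unicode (4K pages)"}


def inspect_ost(path):
    """Classify one candidate file as (status, detail).

    A file that still carries the Outlook header can be opened for mailbox
    recovery; one whose leading bytes were overwritten by encryption cannot.
    """
    with open(path, "rb") as fh:
        header = fh.read(12)
    if len(header) < 12:
        return "truncated", "file shorter than the 12-byte header"
    if header[:4] != PST_MAGIC:
        return "not-ost", "magic bytes %r do not match !BDN" % header[:4]
    version = struct.unpack_from("<H", header, 10)[0]
    fmt = KNOWN_VERSIONS.get(version)
    if fmt is None:
        return "unknown-version", "wVer=%d" % version
    return "usable", fmt


def triage_tree(root):
    """Walk root and classify every *.ost / *.pst; returns {path: (status, detail)}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".ost", ".pst")):
                full = os.path.join(dirpath, name)
                results[full] = inspect_ost(full)
    return results


def make_sample_tree():
    """Constructed sample data: one intact OST header, one file overwritten with garbage."""
    root = tempfile.mkdtemp(prefix="ost_triage_")
    good = PST_MAGIC + b"\x00" * 4 + b"SM" + struct.pack("<H", 36) + b"\x00" * 500
    bad = bytes(range(256)) * 2  # stands in for ciphertext: no recognizable header
    Path(root, "alice").mkdir()
    Path(root, "alice", "outlook.ost").write_bytes(good)
    Path(root, "bob").mkdir()
    Path(root, "bob", "outlook.ost").write_bytes(bad)
    return root


if __name__ == "__main__":
    for path, (status, detail) in sorted(triage_tree(make_sample_tree()).items()):
        print("%-16s %-32s %s" % (status, detail, path))
```

Point `triage_tree` at a mounted desktop image or a collection of user profile copies; only files reported as "usable" are worth importing into a rebuilt mailbox.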
Over the next few weeks critical milestones in the restoration process were achieved through close collaboration between Progent team members and the client:
- In-house web sites were returned to operation with no loss of data.
- The MailStore Server containing more than four million archived messages was spun up and available for users.
- CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivable (AR)/Inventory Control capabilities were 100 percent recovered.
- A new Palo Alto 850 firewall was installed and configured.
- Most of the desktop computers were operational.
"So much of what transpired in the early hours is nearly entirely a blur for me, but we will not soon forget the care all of you accomplished to help get our business back. I've been working together with Progent for at least 10 years, possibly more, and every time Progent has impressed me and delivered as promised. This situation was a testament to your capabilities."
A potential business extinction disaster was averted thanks to top-tier experts, a broad spectrum of subject matter expertise, and close collaboration. In hindsight, the ransomware attack described here should have been shut down by modern cybersecurity technology and best practices: team training, appropriate incident response procedures for information protection, and proper patching controls. The fact remains that state-sponsored hackers from Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware attack, you can be confident that Progent's roster of professionals has substantial experience in ransomware defense, remediation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were helping), thank you for allowing me to get rested after we got through the initial fire. All of you did an impressive job, and if anyone that helped is around the Chicago area, dinner is my treat!"
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click: Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware Recovery Consulting Services in Clearwater
For ransomware system restoration services in the Clearwater metro area, phone Progent at 800-462-8800 or go to Contact Progent.