Ransomware : Your Worst Information Technology Nightmare
Ransomware has become a too-frequent cyberplague that represents an enterprise-level threat for businesses of all sizes that are poorly prepared for an attack. Earlier iterations of ransomware such as Reveton, Fusob, Locky, NotPetya and MongoLock cryptoworms have been running rampant for a long time and still inflict harm. Modern variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, along with more as yet unnamed newcomers, not only encrypt online data files but also infiltrate any reachable system restore points and backups. Data replicated to the cloud can also be rendered useless. With a vulnerable data protection solution, this can make automated restoration hopeless and basically sets the network back to zero.
Recovering programs and data following a crypto-ransomware event becomes a race against time as the victim struggles to contain the damage, eradicate the ransomware, and restore enterprise-critical operations. Since ransomware needs time to replicate, attacks are often launched on weekends and holidays, when successful intrusions tend to take longer to discover. This multiplies the difficulty of rapidly marshalling and organizing a capable response team.
Progent provides a range of support services for protecting Cleveland businesses from ransomware penetrations. Among these are team education to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of next-generation security appliances with artificial intelligence capabilities to rapidly identify and disable zero-day cyber attacks. Progent also offers the assistance of experienced crypto-ransomware recovery professionals with the skills and perseverance to re-deploy a compromised network as quickly as possible.
Progent's Ransomware Restoration Support Services
Following a crypto-ransomware event, paying the ransom demand in cryptocurrency does not ensure that merciless criminals will respond with the keys needed to decrypt any of your files. Kaspersky ascertained that 17% of crypto-ransomware victims never recovered their data even after having paid the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET determined to be in the range of $13,000 for small businesses. The alternative is to re-install the key elements of your Information Technology environment. Without access to full system backups, this calls for a broad range of skill sets, top notch team management, and the ability to work non-stop until the job is completed.
For decades, Progent has made available certified expert Information Technology services for businesses across the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have attained advanced certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have garnered internationally-recognized certifications including CISA, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise in financial management and ERP software solutions. This breadth of experience gives Progent the skills to quickly identify critical systems, organize the surviving components of your network after a crypto-ransomware attack, and assemble them into a functioning system.
Progent's security team deploys top notch project management systems to coordinate the complicated restoration process. Progent appreciates the urgency of working quickly and in concert with a customer's management and IT staff to assign priority to tasks and to put key services back online as soon as possible.
Client Case Study: A Successful Crypto-Ransomware Virus Response
A business sought out Progent after their network was taken over by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state criminal gangs, possibly adopting strategies leaked from the U.S. NSA organization. Ryuk attacks specific businesses with little or no room for operational disruption and is among the most lucrative incarnations of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing business located in Chicago with about 500 workers. The Ryuk penetration had brought down all essential operations and manufacturing capabilities. The majority of the client's data backups had been online at the time of the attack and were destroyed. The client was taking steps to pay the ransom (in excess of $200K) and hoping for good luck, but ultimately turned to Progent.
"I cannot say enough about the help Progent gave us throughout the most critical time of (our) business's life. We may have had to pay the Hackers if not for the confidence the Progent team provided us. That you were able to get our e-mail and production servers back into operation in less than seven days was beyond my wildest dreams. Each expert I spoke to or messaged at Progent was laser focused on getting our system up and was working all day and night on our behalf."
Progent worked hand in hand with the client to rapidly understand and assign priority to the critical elements that had to be restored in order to resume company functions:
- Microsoft Active Directory
- Microsoft Exchange
To begin, Progent adhered to industry best practices for antivirus and malware incident mitigation by halting the spread and removing active malware. Progent then began the task of rebuilding Microsoft Active Directory (AD), the foundation of enterprise environments built on Microsoft Windows technology. Exchange email will not function without Windows AD, and the customer's accounting and MRP applications used Microsoft SQL Server, which depends on Active Directory services for access to the data.
Within two days, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then accomplished rebuilding and hard drive recovery on essential systems. All Exchange ties and attributes were intact, which accelerated the restore of Exchange. Progent was also able to collect local OST files (Microsoft Outlook Offline Data Files) from staff desktop computers to recover email data. A recent offline backup of the business's accounting/MRP software made it possible to return these required applications to service. Although major work still had to be done to recover fully from the Ryuk attack, critical services were restored rapidly:
"For the most part, the production line operation ran fairly normal throughout and we made all customer deliverables."
Throughout the next couple of weeks, important milestones in the recovery process were achieved in close cooperation between Progent engineers and the client:
- Self-hosted web applications were returned to operation without losing any data.
- The MailStore Server, holding more than four million archived messages, was brought online and made accessible to users.
- CRM/Customer Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory functions were 100% recovered.
- A new Palo Alto 850 security appliance was installed.
- Nearly all of the user PCs were operational.
"Much of what transpired those first few days is mostly a haze for me, but I will not soon forget the dedication each and every one of the team accomplished to help get our company back. I've trusted Progent for the past ten years, maybe more, and each time I needed help Progent has impressed me and delivered as promised. This situation was no exception but maybe more Herculean."
A probable business disaster was averted thanks to results-oriented experts, a wide spectrum of IT skills, and close teamwork. Post-incident analysis showed that the ransomware attack detailed here could have been identified and blocked with modern security technology, NIST Cybersecurity Framework best practices, user and IT administrator training, and well designed security procedures for information protection and software patching. Even so, government-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to ransomware, feel confident that Progent's roster of experts has proven experience in ransomware defense, mitigation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were helping), I'm grateful for making it so I could get some sleep after we got over the first week. Everyone did an amazing job, and if any of your guys is in the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)