Ransomware: Your Worst IT Catastrophe
Ransomware has become an escalating cyber plague that poses an existential threat to businesses of every size. Established crypto-ransomware families such as Dharma, WannaCry, Locky, SamSam and the MongoLock cryptoworm have been circulating for years and continue to cause damage. Newer families such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit and Nephilim, along with additional as yet unnamed malware, not only encrypt online data files but also corrupt any reachable backups and other system protection. Data synced to the cloud can also be held for ransom. In a poorly architected data protection solution, this can render automated restore operations useless and effectively knocks the entire system back to zero.
Restoring services and data after a ransomware attack becomes a race against the clock as the targeted business works to stop lateral movement, clear the ransomware and resume business-critical operations. Because crypto-ransomware takes time to spread, attacks are usually launched on weekends and at night, when they often take longer to detect. This compounds the difficulty of promptly assembling and coordinating a knowledgeable response team.
Progent offers a range of support services for protecting Springfield enterprises from crypto-ransomware intrusions. These include training staff to recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of the latest generation of security solutions with machine learning capabilities to quickly detect and disable new attacks. Progent also provides experienced ransomware recovery consultants with the skill and perseverance to restore a breached network as rapidly as possible.
Progent's Crypto-Ransomware Recovery Support Services
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the remote criminals will hand over the keys needed to decrypt any or all of your data. Kaspersky found that 17% of crypto-ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC ($120,000 to $400,000). This is well above typical ransomware demands, which ZDNET found to be around $13,000 for smaller businesses. The alternative is to piece back together the essential parts of your IT environment. Without access to complete data backups, this requires a broad range of skills, top-notch team management, and the willingness to work non-stop until the job is finished.
For two decades, Progent has provided professional IT services to companies across the United States and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals with high-level certifications in leading technologies including Microsoft, Cisco, VMware, and major Linux distributions. Progent's security consultants hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC (refer to Progent's certifications). Progent also has experience in financial management and ERP software solutions. This breadth of experience gives Progent the skills to knowledgeably identify critical systems and integrate the remaining pieces of your IT environment after a crypto-ransomware attack, rebuilding them into a functioning system.
Progent's recovery group uses state-of-the-art project management systems to coordinate the complex recovery process. Progent appreciates the urgency of working quickly and together with a customer's management and IT team members to prioritize tasks and bring critical services back online as soon as possible.
Business Case Study: A Successful Ransomware Penetration Restoration
A client engaged Progent after its network was brought down by the Ryuk crypto-ransomware. Ryuk is generally considered to have been developed by North Korean state-backed criminal groups, possibly adopting techniques leaked from the United States NSA. Ryuk targets specific organizations with little ability to tolerate disruption and is among the most lucrative crypto-ransomware variants. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing business based in the Chicago metro area with about 500 workers. The Ryuk intrusion had halted all company operations and manufacturing processes. Most of the client's data backups had been online at the start of the intrusion and were damaged. The client was preparing to pay the ransom demand (more than two hundred thousand dollars) and hope for the best, but in the end called Progent.
"I cannot say enough in regard to the support Progent provided us throughout the most critical period of (our) company's survival. We would have had little choice but to pay the cyber criminals behind the attack if it weren't for the confidence the Progent group provided us. The fact that you could get our e-mail and critical applications back in less than seven days was beyond my wildest dreams. Every single staff member I worked with or communicated with at Progent was totally committed to getting us working again and was working 24 by 7 on our behalf."
Progent worked hand in hand with the customer to rapidly identify and prioritize the most important applications that had to be recovered so that company operations could resume:
To start, Progent followed ransomware incident response industry best practices by isolating and cleaning up infected systems. Progent then began bringing Windows Active Directory back online, the foundation of enterprise environments built on Microsoft Windows Server. Microsoft Exchange Server messaging will not operate without AD, and the client's accounting and MRP system ran on SQL Server, which relies on Active Directory to authorize access to the database.
- Microsoft Active Directory
In less than 48 hours, Progent was able to restore Active Directory to its pre-attack state. Progent then pressed ahead with reinstallation and storage recovery of mission-critical servers. All Microsoft Exchange Server data and attributes were intact, which greatly simplified the Exchange rebuild. Progent was also able to gather unencrypted OST files (Microsoft Outlook Offline Data Files) from staff PCs and laptops to recover email data. A relatively recent offline backup of the business's accounting software made it possible to bring those essential services back to users. Although a lot of work remained to recover completely from the Ryuk attack, core systems were restored quickly:
"For the most part, the production line operation survived unscathed and we made all customer sales."
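The recovery sequence above is dictated by service dependencies: Active Directory first, because Exchange and SQL Server (and through it the accounting/MRP system) cannot authenticate without it. As an added illustration that is not part of the original case study, the following Python script models that chain as a dependency graph and computes a restoration order that honours prerequisites, breaks ties by business priority, and flags which services can come from a clean offline backup versus which must be rebuilt; the service list, priorities and backup states are constructed assumptions, not the client's inventory.

```python
from collections import defaultdict

# Constructed model of the case study's dependency chain (an assumption, not the client's
# real inventory): Exchange and SQL Server need AD; accounting/MRP needs SQL Server.
DEPENDENCIES = {
    "active_directory": [],
    "exchange": ["active_directory"],
    "sql_server": ["active_directory"],
    "accounting_mrp": ["sql_server"],
    "mailstore": ["active_directory"],  # assumed: the archive authenticates via AD
    "web_sites": [],
}
# Business priority (lower restores sooner) and which services still had a clean
# offline backup; both are constructed values.
PRIORITY = {"active_directory": 0, "accounting_mrp": 1, "sql_server": 1,
            "exchange": 2, "mailstore": 3, "web_sites": 4}
OFFLINE_BACKUP = {"accounting_mrp": True, "web_sites": True}

def recovery_order(deps, priority):
    """Kahn's topological sort: among services whose prerequisites are all
    restored, the highest business priority goes first. A dependency cycle
    means the plan can never complete, so it is reported, not skipped."""
    indegree = {s: 0 for s in deps}
    dependents = defaultdict(list)
    for svc, reqs in deps.items():
        for req in reqs:
            if req not in deps:
                raise ValueError(f"{svc} depends on unknown service {req}")
            indegree[svc] += 1
            dependents[req].append(svc)
    ready = [s for s, d in indegree.items() if d == 0]
    order = []
    while ready:
        ready.sort(key=lambda s: priority.get(s, 99))
        svc = ready.pop(0)
        order.append(svc)
        for dep in dependents[svc]:
            indegree[dep] -= 1
            if indegree[dep] == 0:
                ready.append(dep)
    if len(order) != len(deps):
        raise ValueError("dependency cycle among: "
                         + ", ".join(s for s in deps if s not in order))
    return order

def restoration_plan(deps, priority, offline_backup):
    """Route per step: clean offline backup, else rebuild/reconstruct (cf. the OST files)."""
    return [(s, "restore from offline backup" if offline_backup.get(s)
             else "rebuild or reconstruct") for s in recovery_order(deps, priority)]
```

Running `restoration_plan(DEPENDENCIES, PRIORITY, OFFLINE_BACKUP)` yields Active Directory, then SQL Server and the accounting/MRP system, then Exchange, MailStore and the web sites, matching the order the case study describes.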
Over the following month, key milestones in the recovery process were reached through close collaboration between Progent engineers and the client:
- Self-hosted web sites were brought back up without losing any data.
- The MailStore Server, holding more than 4 million archived emails, was brought online and made accessible to users.
- CRM/Orders/Invoices/AP/AR/Inventory modules were 100% functional.
- A new Palo Alto 850 firewall was brought on-line.
- Ninety percent of the user PCs were operational.
"So much of what happened during the initial response is mostly a fog for me, but we will not soon forget the dedication all of the team showed to help get our company back. I have trusted Progent for the past ten years, possibly more, and each time Progent has outperformed my expectations and delivered. This situation was no exception but maybe more Herculean."
A potentially business-ending disaster was averted through top-tier experts, a wide range of subject matter expertise, and close teamwork. Although post-incident forensics showed that the ransomware attack described here could have been prevented with advanced security systems and security best practices, staff training, and well-designed incident response procedures for data backup and proper patch management, the fact remains that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and pose an ongoing threat. If you are hit by a crypto-ransomware intrusion, remember that Progent's team of experts has a proven track record in ransomware blocking, cleanup, and disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for letting me get rested after we got over the most critical parts. Everyone did an impressive job, and if anyone that helped is visiting the Chicago area, dinner is my treat!"
Download the Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)