Ransomware : Your Feared Information Technology Disaster
Ransomware has become a modern cyber pandemic and an enterprise-level threat for businesses of all sizes that are poorly prepared for an attack. Ransomware families such as the Dharma, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been running rampant for many years and continue to inflict damage. More recent variants such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, as well as a steady stream of as yet unnamed newcomers, not only encrypt online files but also defeat most of the system protection mechanisms in their path. Information synched to off-site disaster recovery sites can be encrypted as well. In a vulnerable environment, this renders automated recovery useless and effectively knocks the network back to square one.
Getting applications and information back online after a crypto-ransomware outage becomes a race against time as the targeted organization tries to stop the spread, clear the malware, and resume business-critical activity. Because ransomware needs time to spread, attacks are usually sprung on weekends, when a successful intrusion typically takes longer to detect. This compounds the difficulty of quickly marshalling and orchestrating a capable response team.
Progent offers a range of services for protecting Chandler organizations from ransomware attacks. Among these are team member training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of the latest generation of security appliances, which use artificial intelligence technology to automatically detect and block zero-day threats. Progent can also provide experienced ransomware recovery professionals with the skill and perseverance to rebuild a breached environment as urgently as possible.
Progent's Crypto-Ransomware Restoration Support Services
After a crypto-ransomware penetration, sending the ransom in cryptocurrency provides no assurance that the criminals will respond with the keys to decrypt any or all of your files. Kaspersky Labs determined that 17% of ransomware victims never recovered their files even after paying the ransom, compounding their losses. Paying is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the average ransomware demand, which ZDNET determined to be around $13,000 for smaller businesses. The alternative is to set up the critical parts of your IT environment from scratch. Without complete information backups, this requires a broad complement of skill sets, professional project management, and the ability to work continuously until the recovery project is complete.
For two decades, Progent has offered certified expert Information Technology services to businesses across the United States and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have earned top certifications in foundation technologies from Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists hold internationally recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has experience with financial management and ERP software solutions. This breadth of expertise gives Progent the skills to rapidly identify critical systems, reorganize the surviving components of your Information Technology environment after a crypto-ransomware event, and configure them into a functioning system.
Progent's recovery group uses best-of-breed project management applications to coordinate the complicated recovery process. Progent understands the importance of working quickly and in concert with a client's management and Information Technology resources to prioritize tasks and to put essential applications back online as soon as humanly possible.
Case Study: A Successful Ransomware Attack Response
A small business hired Progent after its network was brought down by Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state criminal gangs, possibly adopting algorithms leaked from America's NSA. Ryuk targets specific organizations that can tolerate little disruption and is among the most profitable incarnations of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing company headquartered in the Chicago metro area with about 500 staff members. The Ryuk attack had paralyzed all essential operations and manufacturing processes. Most of the client's backups had been online at the start of the attack and were eventually encrypted. The client was pursuing financing to pay the ransom (exceeding $200,000) and hoping for good luck, but in the end called Progent.
"I cannot thank you enough for the care Progent provided us during the most stressful period of (our) company's survival. We most likely would have paid the cyber criminals except for the confidence the Progent group gave us. The fact that you were able to get our e-mail and critical applications back online in less than five days was amazing. Each expert I got help from or communicated with at Progent was totally committed to getting us working again and was working at breakneck pace to bail us out."
Progent worked hand in hand with the client to quickly assess and prioritize the most important services that needed to be recovered in order to resume departmental functions:
- Active Directory (AD)
To begin, Progent followed antivirus/malware incident response industry best practices by isolating systems and cleaning them of malware. Progent then started the work of recovering Windows Active Directory, the core of enterprise environments built on Microsoft Windows technology. Microsoft Exchange Server email will not function without AD, and the customer's financials and MRP system ran on SQL Server, which relies on Windows AD for access to the databases.
In less than 48 hours, Progent rebuilt Active Directory to its pre-attack state. Progent then completed setup and hard drive recovery for mission-critical applications. All Exchange Server schema and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to collect unencrypted OST files (Outlook Offline Folder Files) from user desktops and laptops in order to recover email data. A fairly recent offline backup of the business's financials/ERP software allowed these essential services to be brought back online. Although a large amount of work remained to recover fully from the Ryuk attack, the most important services were restored rapidly:
"For the most part, the manufacturing operation was never shut down and we did not miss any customer shipments."
Over the following few weeks, important milestones in the restoration process were achieved through close cooperation between Progent engineers and the client:
- Internal web applications were returned to operation without losing any information.
- The MailStore Server with over 4 million historical emails was brought online and accessible to users.
- CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivable (AR)/Inventory capabilities were 100% operational.
- A new Palo Alto 850 security appliance was set up.
- Nearly all of the desktops and laptops were back in operation.
"A lot of what transpired in the initial days is mostly a blur for me, but we will not soon forget the dedication each and every one of you accomplished to help get our business back. I have been working with Progent for the past ten years, possibly more, and every time Progent has come through and delivered. This situation was a stunning achievement."
A likely business-killing disaster was averted through the efforts of dedicated professionals, a wide range of expertise, and close collaboration. Although in hindsight the crypto-ransomware attack detailed here could have been stopped with advanced security systems and security best practices, team education, and well-designed incident response procedures for backup and proper patching controls, the reality is that state-sponsored hackers from Russia, China and elsewhere are relentless and remain an ongoing threat. If you do get hit by ransomware, remember that Progent's roster of professionals has substantial experience in ransomware defense, mitigation, and information systems recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thank you for letting me get some sleep after we made it past the most critical parts. All of you did a fabulous job, and if any of your team is visiting the Chicago area, a great meal is the least I can do!"
Download the Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)