Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become an escalating cyberplague that poses an extinction-level threat to organizations unprepared for an attack. Multiple generations of ransomware such as the Dharma, Fusob, Locky, SamSam and MongoLock cryptoworms have been replicating for many years and still cause havoc. Modern crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, along with many unnamed strains, not only encrypt online information but also corrupt any system protection mechanisms they can reach. Information synced to the cloud can be corrupted as well. In a vulnerable environment, this can render any recovery useless and effectively knocks the network back to zero.
Restoring services and information after a crypto-ransomware attack becomes a sprint against time as the victim fights to stop the spread, eradicate the virus and resume mission-critical activity. Because ransomware needs time to spread, attacks are frequently launched at night, when a successful penetration may go unnoticed for longer. This compounds the difficulty of rapidly mobilizing and organizing an experienced mitigation team.
Progent offers an assortment of services for protecting Hartford organizations from ransomware attacks. These include user education to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of the latest generation of security appliances with artificial intelligence technology to automatically identify and contain zero-day threats. Progent also provides the assistance of experienced crypto-ransomware recovery consultants with the track record and commitment to redeploy a breached environment as quickly as possible.
Progent's Ransomware Recovery Services
After a ransomware attack, paying the ransom in Bitcoin does not guarantee that the remote criminals will provide the keys needed to decrypt any or all of your information. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their information even after paying the ransom, resulting in increased losses. The ransom itself is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly above the typical crypto-ransomware demand, which ZDNET estimated at approximately $13,000 for small organizations. The other path is to piece back together the vital components of your IT environment. Without access to full data backups, this requires a broad complement of skill sets, top-notch team management, and the willingness to work continuously until the recovery project is complete.
For twenty years, Progent has provided expert information technology services to companies across the US and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have earned top industry certifications in key technologies from Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists hold internationally recognized certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with financial management and ERP software solutions. This breadth of expertise gives Progent the skills to quickly understand the necessary systems, consolidate the surviving parts of your network after a crypto-ransomware event, and rebuild them into an operational system.
Progent's ransomware team uses state-of-the-art project management applications to orchestrate the complicated restoration process. Progent appreciates the urgency of working quickly and together with a client's management and IT resources to prioritize tasks and put critical systems back online as fast as humanly possible.
Business Case Study: A Successful Ransomware Intrusion Response
A client engaged Progent after their network was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state-sponsored hackers, suspected of using techniques leaked from the U.S. NSA. Ryuk targets specific companies with little ability to sustain disruption and is among the most lucrative examples of ransomware. Major targets have included Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company headquartered in the Chicago metro area with about 500 employees. The Ryuk attack had disabled all essential business operations and manufacturing capabilities. The majority of the client's system backups had been online at the time of the intrusion and were eventually encrypted. The client was considering paying the ransom (exceeding two hundred thousand dollars) and hoping for good luck, but ultimately engaged Progent.
"I cannot speak enough about the expertise Progent provided us throughout the most critical time of (our) business's existence. We had little choice but to pay the hackers if not for the confidence the Progent experts afforded us. The fact that you were able to get our e-mail and important applications back online sooner than a week was amazing. Each person I got help from or messaged at Progent was urgently focused on getting us restored and was working at breakneck pace on our behalf."
Progent worked hand in hand with the client to rapidly determine and prioritize the critical applications that needed to be restored to make it possible to restart business operations:
To start, Progent followed antivirus/malware incident response industry best practices by halting lateral movement and cleaning systems of the virus. Progent then started the process of recovering Microsoft Active Directory, the foundation of enterprise networks built on Microsoft technology. Exchange messaging will not work without Windows AD, and the client's financials and MRP system used Microsoft SQL Server, which depends on Active Directory for authentication to the database.
- Windows Active Directory
In less than 2 days, Progent was able to rebuild Active Directory to its pre-virus state. Progent then performed rebuilding and hard drive recovery on critical systems. All Exchange Server schema and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to gather local OST data files (Microsoft Outlook Offline Folder Files) from user desktops and laptops in order to recover mail data. A relatively recent offline backup of the client's manufacturing software made it possible to bring these essential services back online for users. Although significant work remained to recover completely from the Ryuk event, the most important services were restored quickly:
"For the most part, the manufacturing operation survived unscathed and we produced all customer shipments."
During the following month, critical milestones in the restoration process were accomplished in close cooperation between Progent team members and the customer:
- Internal web sites were brought back up with no loss of data.
- The MailStore server for Microsoft Exchange, holding over 4 million historical emails, was brought up and made accessible to users.
- CRM/Product Ordering/Invoices/Accounts Payable (AP)/AR/Inventory Control capabilities were completely operational.
- A new Palo Alto 850 firewall was installed.
- Nearly all of the desktops and laptops were fully operational.
"A huge amount of what transpired in the initial days is nearly entirely a blur for me, but our team will not soon forget the urgency each of the team put in to help get our company back. I've entrusted Progent for the past 10 years, maybe more, and each time Progent has outperformed my expectations and delivered as promised. This event was no exception but maybe more Herculean."
A likely company-ending disaster was avoided through results-oriented experts, a wide spectrum of technical expertise, and close collaboration. In retrospect, the crypto-ransomware incident detailed here could have been identified and prevented with up-to-date cybersecurity technology, ISO/IEC 27001 best practices, team education, and properly executed security procedures for data protection and patching controls. The fact remains, however, that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and are not going away. If you are hit by a ransomware incursion, remember that Progent's roster of professionals has extensive experience in ransomware defense, remediation, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), I'm grateful for letting me get rested after we made it over the initial push. All of you did a fabulous effort, and if anyone is around the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)