Ransomware : Your Feared Information Technology Disaster
Ransomware has become an all-too-frequent cyberplague that presents an enterprise-level threat to any organization vulnerable to attack. Ransomware families such as CryptoLocker, WannaCry, Locky, SamSam and MongoLock have been out in the wild for years and still wreak havoc. Modern variants such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, along with additional unnamed strains, not only encrypt online files but also encrypt every system backup they can reach. Data synched to cloud environments can be rendered useless as well. In a vulnerable environment, this can make recovery from backup impossible and effectively reset the datacenter to zero.
Bringing programs and data back on-line after a crypto-ransomware intrusion becomes a race against the clock as the targeted organization works to contain and remove the ransomware and restore enterprise-critical operations. Because ransomware takes time to move laterally, attacks are usually launched at night, when a successful intrusion tends to go undetected for longer. This compounds the difficulty of quickly assembling and organizing a capable mitigation team.
Progent offers a range of services for protecting Hartford enterprises against ransomware attacks. These include staff training to help employees recognize and avoid phishing scams, and ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR), which uses SentinelOne's behavior-based threat defense to detect and shut down zero-day malware attacks. Progent also provides experienced crypto-ransomware recovery professionals with the track record and perseverance to reconstruct a compromised environment as quickly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware event, even paying the ransom in Bitcoin provides no assurance that the attackers will hand over the keys needed to decrypt your information. Kaspersky ascertained that 17% of crypto-ransomware victims never restored their files even after paying the ransom, compounding their losses. The gamble is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the average crypto-ransomware demand, which ZDNET estimated at approximately $13,000 for smaller businesses. The alternative is to rebuild the critical components of your IT environment. Without access to complete information backups, this requires a broad complement of skills, top-notch team management, and the capability to work 24x7 until the job is complete.
For twenty years, Progent has offered professional IT services to businesses throughout the U.S. and has achieved Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who hold top industry certifications in leading technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity consultants hold internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of expertise enables Progent to efficiently identify critical systems, consolidate the surviving components of your IT environment after a crypto-ransomware event, and configure them into an operational network.
Progent's ransomware team uses powerful project management applications to orchestrate the complex recovery process. Progent understands the importance of acting quickly and in unison with a client's management and IT staff to prioritize tasks and bring the most important applications back on line as soon as humanly possible.
Customer Story: A Successful Ransomware Virus Restoration
A customer escalated to Progent after their network was brought down by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean state hackers, possibly using techniques leaked from the U.S. National Security Agency. Ryuk goes after specific businesses with little or no tolerance for disruption and is among the most lucrative ransomware strains. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company headquartered in the Chicago metro area with about 500 workers. The Ryuk intrusion had halted all business operations and manufacturing capability. The majority of the client's system backups had been directly accessible from the network at the start of the attack and were eventually encrypted. The client was preparing to pay the ransom (in excess of two hundred thousand dollars) and hope for the best, but ultimately reached out to Progent.
"I can't thank you enough for the expertise Progent gave us throughout the most stressful period of (our) business's survival. We would have had little choice but to pay the cyber criminals if it weren't for the confidence the Progent group gave us. That you were able to get our messaging and important applications back into operation in less than one week was beyond my wildest dreams. Each consultant I interacted with or e-mailed at Progent was laser focused on getting my company operational and was working 24x7 on our behalf."
Progent worked with the customer to quickly assess and prioritize the critical elements that had to be addressed in order to resume business functions:
- Active Directory
- Microsoft Exchange
- Accounting and Manufacturing Software
To begin, Progent followed industry best practices for malware incident response by isolating and disinfecting systems. Progent then started the work of restoring Microsoft Active Directory (AD), the foundation of enterprise systems built on Microsoft Windows Server. Microsoft Exchange Server messaging will not work without AD, and the customer's MRP applications used Microsoft SQL Server, which relies on Active Directory for authentication to the data.
Within 2 days, Progent was able to restore Active Directory to its pre-intrusion state. Progent then reinstalled the most important applications and recovered their storage. All Exchange-related AD links and attributes were intact, which simplified the Exchange rebuild. Progent was able to locate local OST files (Microsoft Outlook Offline Folder Files) on user workstations to recover mailbox data. A recent offline backup of the client's accounting software, out of the ransomware's reach, made it possible to bring these essential applications back to users. Although a large amount of work remained to recover completely from the Ryuk attack, the most important services were restored quickly:
"For the most part, the assembly line operation did not miss a beat and we made all customer deliverables."
During the following month, important milestones in the restoration project were achieved in close cooperation between Progent engineers and the client:
- Internal web sites were restored with no loss of data.
- The MailStore Exchange Server containing more than four million historical emails was brought on-line and made available to users.
- CRM/Orders/Invoicing/AP/Accounts Receivable/Inventory functions were fully functional.
- A new Palo Alto Networks 850 firewall was brought on-line.
- Ninety percent of the user workstations were back in operation.
"A lot of what transpired in the early hours is mostly a haze for me, but my management will not forget the care each and every one of you took to give us our business back. I have trusted Progent for at least 10 years, maybe more, and every time Progent has outperformed my expectations and delivered. This event was a life saver."
A potential business catastrophe was averted through the efforts of top-tier experts, a wide array of IT skills, and close collaboration. Post-incident analysis showed that the attack described here could have been prevented with current security technology, NIST Cybersecurity Framework best practices, user and IT administrator education, and well-designed procedures for data protection and patch management. Nevertheless, government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and remain an ongoing threat. If you are hit by crypto-ransomware, remember that Progent's roster of experts has substantial experience in ransomware defense, removal, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were involved), thanks very much for making it so I could get rested after we made it past the most critical parts. All of you did an incredible job, and if any of you guys are visiting the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this case study, click the link below:
Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF - 282 KB)
Contact Progent for Ransomware Recovery Services in Hartford
For ransomware system recovery expertise in the Hartford metro area, phone Progent at 800-462-8800 or see Contact Progent.