Ransomware : Your Worst Information Technology Nightmare
Ransomware has become a modern cyber pandemic that poses an existential threat to organizations unprepared for an attack. Older ransomware families such as Dharma, WannaCry, Bad Rabbit, NotPetya and the MongoLock cryptoworms have been circulating for many years and still inflict harm. Modern ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nefilim, plus additional as yet unnamed malware, not only encrypts online data files but also disables or encrypts most backup and protection mechanisms it can reach. Files synchronized to cloud environments can also be rendered useless. In a poorly architected environment, this can make automatic recovery hopeless and effectively knocks the datacenter back to zero.
Recovering applications and data after a crypto-ransomware outage becomes a race against time as the targeted business struggles to contain and eradicate the ransomware and to resume mission-critical operations. Because ransomware needs time to move laterally, attacks are frequently sprung on weekends and holidays, when they are likely to take longer to detect. This compounds the difficulty of quickly assembling and organizing a capable mitigation team.
Progent makes available a range of solutions for protecting Hartford enterprises from ransomware events. These include staff education to help employees recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security solutions that use AI technology to rapidly discover and disable zero-day cyber threats. Progent also offers the assistance of experienced ransomware recovery professionals with the skills and commitment to reconstruct a compromised system as urgently as possible.
Progent's Ransomware Recovery Support Services
Following a crypto-ransomware event, paying the ransom in cryptocurrency does not ensure that the attackers will provide the keys needed to decrypt all your data. Kaspersky determined that seventeen percent of crypto-ransomware victims never restored their data after having sent off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC (between $120,000 and $400,000). This is well above the usual ransomware demand, which ZDNet determined to be in the range of $13,000 for small businesses. The other path is to set up the key elements of your IT environment from scratch. Without access to essential data backups, this requires a broad range of IT skills, top-notch team management, and the capability to work continuously until the job is done.
For two decades, Progent has provided certified expert IT services for companies throughout the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have earned advanced certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have earned internationally recognized industry certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise with accounting and ERP applications. This breadth of expertise gives Progent the ability to quickly identify the systems that must be recovered, integrate the surviving pieces of your network environment following a crypto-ransomware attack, and configure them into a functioning system.
Progent's recovery group uses top-notch project management applications to coordinate the complicated restoration process. Progent appreciates the importance of working swiftly and in unison with a customer's management and Information Technology team members to prioritize tasks and to put essential systems back on-line as fast as possible.
Business Case Study: A Successful Ransomware Attack Restoration
A business escalated to Progent after their network was taken over by Ryuk ransomware. Ryuk is thought to have been created by North Korean state cybercriminals, suspected of adopting techniques leaked from the U.S. NSA. Ryuk goes after specific companies with limited ability to sustain operational disruption and is one of the most lucrative strains of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer based in the Chicago metro area with around 500 staff members. The Ryuk attack had frozen all company operations and manufacturing processes. The majority of the client's data backups had been directly accessible at the time of the intrusion and were encrypted. The client was taking steps to pay the ransom demand (in excess of $200K) and hoping for the best, but ultimately engaged Progent.
"I cannot thank you enough in regards to the care Progent provided us throughout the most stressful period of (our) business's life. We would have paid the hackers except for the confidence the Progent group afforded us. That you could get our e-mail system and key applications back in fewer than five days was amazing. Each staff member I spoke to or texted at Progent was amazingly focused on getting us operational and was working 24 by 7 to bail us out."
Progent worked with the client to rapidly assess and prioritize the key applications that had to be recovered in order to continue departmental functions:
- Microsoft Active Directory
To start, Progent adhered to ransomware incident response industry best practices by stopping lateral movement and performing malware removal steps. Progent then began restoring Microsoft Active Directory, the heart of enterprise environments built upon Microsoft Windows Server technology. Exchange email will not function without Windows AD, and the client's MRP software used Microsoft SQL Server, which relies on Active Directory for authentication to the databases.
In less than 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then charged ahead with reinstallations and storage recovery for critical applications. All Exchange Server data and configuration information were intact, which facilitated the rebuild of Exchange. Progent was able to locate intact OST data files (Microsoft Outlook Off-Line Folder Files) on user desktop computers and laptops and used them to recover mail messages. A fairly recent offline backup of the business's financials/ERP systems made it possible to bring these essential programs back on-line. Although a large amount of work still had to be done to recover completely from the Ryuk virus, core systems were returned to operation rapidly:
"For the most part, the production manufacturing operation showed little impact and we delivered all customer orders."
Over the following couple of weeks, critical milestones in the restoration project were completed in tight collaboration between Progent engineers and the client:
- In-house web sites were restored with no loss of information.
- The MailStore Server containing more than four million archived messages was spun up and accessible to users.
- CRM, Orders, Invoices, Accounts Payable, Accounts Receivable and Inventory Control functions were completely operational.
- A new Palo Alto Networks 850 firewall was brought on-line.
- 90% of the user desktops and notebooks were back in use by staff.
"Much of what went on in the early hours is nearly entirely a haze for me, but my management will not forget the urgency all of you put in to help get our business back. I've entrusted Progent for at least 10 years, possibly more, and each time Progent has shined and delivered. This situation was a testament to your capabilities."
A likely business-ending disaster was avoided thanks to hard-working experts, a broad range of knowledge, and close teamwork. In retrospect, the ransomware intrusion described here would have been identified and blocked by up-to-date cyber security solutions and recognized best practices: staff education, properly executed incident response procedures for information protection, and proper patching controls. The fact remains, however, that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware attack, you can be confident that Progent's team of experts has extensive experience in crypto-ransomware blocking, cleanup, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for allowing me to get rested after we made it over the initial push. Everyone did an incredible job, and if anyone that helped is in the Chicago area, a great meal is on me!"
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this case study, see Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware Cleanup Expertise in Hartford
For ransomware recovery services in the Hartford metro area, phone Progent at 800-462-8800 or go to Contact Progent.