Ransomware: Your Feared IT Catastrophe
Crypto-ransomware has become an all-too-frequent cyber plague and an existential danger for organizations that are poorly prepared for an attack. Families such as CryptoLocker, WannaCry and Locky have been in the wild for years and continue to cause destruction, and related extortion tools (the Syskey lock-out scam and the MongoLock database wiper) follow the same playbook. More recent families such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Snatch and Egregor, along with many lesser-known variants, encrypt not only online data but also any backups reachable from the compromised network. Data synchronized to off-site disaster recovery sites can be encrypted as well. In a poorly architected data protection solution this can make any restoration hopeless and effectively knocks the datacenter back to square one.
Recovering applications and data after a ransomware event becomes a race against time as the targeted business fights to contain the damage, eradicate the ransomware and restore business-critical operations. Because the intruders need time to move laterally and stage the encryption, the final assault is frequently launched on weekends and at night, when it takes longer for anyone to notice. This compounds the difficulty of rapidly mobilizing and coordinating a knowledgeable mitigation team.
Progent offers an assortment of services for protecting Porto Alegre businesses from ransomware attacks. These include staff training to help recognize and avoid phishing attempts, and ProSight Active Security Monitoring (ASM), an endpoint detection and response (EDR) service built on SentinelOne's AI-based threat protection to detect and contain zero-day malware attacks. Progent also provides expert ransomware recovery consultants with the track record and commitment to rebuild a compromised environment as rapidly as possible.
Progent's Ransomware Recovery Services
After a ransomware event, even paying the ransom in Bitcoin does not ensure that the criminal gang will provide working keys to decrypt your data. Kaspersky Lab found that seventeen percent of ransomware victims never recovered their files after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC (roughly $120,000 to $400,000), far above the typical demand, which ZDNet put at around $13,000 for smaller businesses. The alternative is to rebuild the key parts of your IT environment. Without usable backups of essential data, this requires a wide complement of skill sets, professional project management, and the capability to work 24x7 until the job is done.
For two decades, Progent has provided professional IT services to companies throughout the United States and holds Microsoft Partner competencies in Datacenter and Cloud Productivity. Progent's team of subject matter experts includes professionals with high-level certifications in key technologies from Microsoft, Cisco and VMware, as well as popular Linux distributions. Progent's security specialists hold internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC and GIAC (see Progent's certifications). Progent also has expertise with financial management and ERP applications. This breadth of experience allows Progent to rapidly understand the systems involved, reorganize the surviving pieces of your network after a ransomware event, and rebuild them into a functioning environment.
Progent's security team uses project management tools to coordinate the complex recovery process. Progent understands the urgency of working rapidly and in concert with a customer's management and IT staff to prioritize tasks and bring key services back online as soon as humanly possible.
Case Study: A Successful Crypto-Ransomware Recovery
A customer engaged Progent after their company was brought down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state actors because it shares code with the Hermes ransomware, but later analysis tied it to the Russian-speaking criminal group tracked as Wizard Spider, which typically delivered it through existing TrickBot and Emotet infections. Ryuk targets specific companies with limited tolerance for disruption and is one of the most profitable ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer headquartered in Chicago with around 500 staff members. The Ryuk intrusion had frozen all company operations and manufacturing. Most of the client's backups had been directly reachable from the network at the start of the attack and were destroyed along with the production data. The client was preparing to pay the ransom (more than $200K) and hoping for the best, but in the end brought in Progent.
"I cannot tell you enough in regards to the help Progent provided us during the most fearful period of (our) business's existence. We would have paid the hackers behind this attack if it wasn't for the confidence the Progent group afforded us. The fact that you could get our e-mail system and important applications back in less than five days was incredible. Every single person I got help from or communicated with at Progent was absolutely committed to getting our system up and was working 24 by 7 to bail us out."
Progent worked hand in hand with the client to quickly identify and prioritize the elements that had to be recovered before business operations could restart:
- Active Directory
- MRP System
To begin, Progent followed ransomware incident response best practices: isolating affected systems to halt the spread, then cleaning up the infected hosts. Progent then started rebuilding Windows Active Directory, the foundation of any enterprise network built on Microsoft technology. Exchange cannot function without Active Directory, and the customer's accounting and MRP software ran on Microsoft SQL Server, which relied on Active Directory for authentication and authorization to the database.
Within 48 hours, Progent had rebuilt Windows Active Directory to its pre-attack state. Progent then helped perform reinstallations and storage recovery for mission-critical applications. The Exchange-related Active Directory objects and attributes were intact, which greatly simplified the Exchange restore. Progent was also able to locate unencrypted OST files (Outlook Offline Data Files) on user desktops and recover mailbox contents from them. A recent offline backup of the customer's accounting/MRP system made it possible to return those essential applications to service. Although significant work remained to recover completely from Ryuk, the core systems were restored rapidly:
"For the most part, the assembly line operation ran fairly normal throughout and we produced all customer sales."
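Locating surviving OST files, as described above, is a triage problem: every workstation has to be swept, and each file has to be checked for whether the ransomware overwrote it before anyone spends time exporting mail from it. The script below is an added example, not Progent's tooling. It relies on one documented fact, that intact PST/OST files begin with the four-byte signature "!BDN", and on one assumption, that the ransomware appends a ".locked" extension to files it encrypts (Ryuk used ".RYK"; set SUSPECT_EXTS for the incident at hand). The sample directory tree is constructed inline and contains no real mailbox data.

```python
"""Triage Outlook Offline Data Files (.ost) on recovered workstation images.

Added example, not Progent's code. An intact OST/PST file starts with the
signature "!BDN"; a file whose header no longer matches was most likely
overwritten by the ransomware. A ransomware-appended extension (".locked"
here is an assumption; Ryuk used ".RYK") is a second tell.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

OST_MAGIC = b"!BDN"           # fixed header of PST/OST files
SUSPECT_EXTS = {".locked"}    # assumed ransomware extension for this example


def find_ost_files(root: Path):
    """Yield every file whose name carries an .ost suffix, including files
    the ransomware renamed to something like mailbox.ost.locked."""
    for path in root.rglob("*"):
        if path.is_file() and ".ost" in [s.lower() for s in path.suffixes]:
            yield path


def classify(path: Path) -> str:
    """Return 'intact' if the OST signature is present, otherwise
    'encrypted-or-damaged'. Only the first four bytes are read, so this
    is cheap enough to run across every workstation in the fleet."""
    with path.open("rb") as fh:
        head = fh.read(len(OST_MAGIC))
    if head == OST_MAGIC and path.suffix.lower() not in SUSPECT_EXTS:
        return "intact"
    return "encrypted-or-damaged"


def triage(root) -> dict:
    """Map each OST file (path relative to root, POSIX style) to its status."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): classify(p) for p in find_ost_files(root)}


def summarize(results: dict) -> Counter:
    """Count how many OST files fall into each status bucket."""
    return Counter(results.values())


def build_sample_tree() -> Path:
    """Constructed sample data: one intact OST, one whose header was
    overwritten, one renamed by the ransomware, plus an unrelated file.
    Not real mailbox data."""
    root = Path(tempfile.mkdtemp(prefix="ost-triage-"))
    outlook = "AppData/Local/Microsoft/Outlook"
    for user in ("alice", "bob", "carol"):
        (root / "Users" / user / outlook).mkdir(parents=True)
    # alice: untouched cache file with the real signature
    (root / "Users/alice" / outlook / "alice.ost").write_bytes(OST_MAGIC + b"\x00" * 64)
    # bob: encrypted in place, header replaced with ciphertext-looking bytes
    (root / "Users/bob" / outlook / "bob.ost").write_bytes(os.urandom(68))
    # carol: encrypted and renamed with the ransomware's extension
    (root / "Users/carol" / outlook / "carol.ost.locked").write_bytes(os.urandom(68))
    # noise that must be ignored
    (root / "Users/carol" / outlook / "readme.txt").write_text("not a mailbox\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    results = triage(sample)
    for rel_path, status in sorted(results.items()):
        print(f"{status:22s} {rel_path}")
    print(dict(summarize(results)))
```

An intact OST is only a cache of the server mailbox and is bound to the Outlook profile that created it, so the files this script flags as intact still have to be exported (to a PST via Outlook while the original profile exists, or with a third-party OST conversion tool) before their contents can be imported into the rebuilt Exchange environment. Run the sweep against offline copies of the workstation disks, not against machines that may still be infected.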
Over the following month, critical milestones in the recovery were reached through close cooperation between Progent consultants and the client:
- Internal web applications were brought back up without any data loss.
- The MailStore Server email archive, holding more than 4 million historical messages, was brought online and made accessible to users.
- CRM, customer orders, invoicing, AP/AR and inventory control functions were completely recovered.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- Ninety percent of user desktops and notebooks were back in service.
"So much of what went on that first week is mostly a haze for me, but we will not forget the care each and every one of you put in to give us our company back. I've been working with Progent for at least 10 years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This situation was a testament to your capabilities."
A potentially company-ending catastrophe was averted through top-tier professionals, a wide spectrum of IT skills, and tight collaboration. In retrospect, the intrusion described here should have been stopped by current security technology and best practices: user and administrator training, patch management, and backups kept isolated from the production network. But criminal ransomware gangs operating out of Russia, North Korea and elsewhere, some with state backing, are relentless and will keep trying. If you do fall victim to a crypto-ransomware attack, remember that Progent's team has extensive experience in ransomware defense, remediation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were contributing), thank you for letting me get rested after we got past the initial fire. Everyone made an amazing effort, and if any of you guys are around the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Ransomware Recovery Case Study Datasheet (PDF, 282 KB)
Contact Progent for Ransomware Recovery Expertise in Porto Alegre
For ransomware cleanup and recovery expertise in the Porto Alegre metro area, call Progent at 800-462-8800 or visit Contact Progent.