Ransomware : Your Worst IT Catastrophe
Ransomware has become an all-too-frequent cyber pandemic that represents an enterprise-level threat for any business vulnerable to attack. Multiple generations of ransomware such as Dharma, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been in the wild for years and continue to cause harm. Modern ransomware families such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, along with unnamed newcomers, not only encrypt online data but also corrupt any system restore points and backups they can reach. Files synchronized to the cloud can be ransomed as well. Against a poorly architected data protection solution, this can make automated restoration hopeless and effectively knock the entire environment back to zero.
Recovering applications and data after a ransomware outage becomes a race against time as the targeted organization fights to stop lateral movement, remove the malware, and restore mission-critical operations. Because ransomware needs time to move laterally, attacks are often launched on nights and weekends, when an intrusion may take longer to detect. This compounds the difficulty of quickly mobilizing and coordinating a capable response team.
Progent offers a range of support services for protecting Porto Alegre organizations from crypto-ransomware attacks. These include staff training to recognize and avoid phishing lures, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of current-generation security solutions with machine learning capabilities to rapidly detect and contain new attacks. Progent can also provide experienced crypto-ransomware recovery engineers with the skill and persistence to restore a breached environment as quickly as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware attack, paying the ransom demand in Bitcoin provides no assurance that the remote criminals will hand over the keys needed to decrypt any or all of your data. Kaspersky found that 17% of ransomware victims never recovered their files even after paying, compounding their losses. The ransom itself is also very costly. Ryuk demands often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than typical ransomware demands, which ZDNET estimated at approximately $13,000 for small businesses. The alternative is to rebuild the essential elements of your IT environment. Without access to complete system backups, this requires a broad mix of skills, well-coordinated team management, and the willingness to work non-stop until the job is done.
For two decades, Progent has provided professional IT services to businesses across the U.S. and holds Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals holding top certifications in foundation technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security consultants hold internationally recognized certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise in accounting and ERP applications. This breadth of expertise allows Progent to quickly understand critical systems, re-organize the surviving parts of your IT environment after a crypto-ransomware event, and rebuild them into a functioning network.
Progent's ransomware team uses best-of-breed project management systems to coordinate the complex recovery process. Progent understands the importance of acting swiftly and in concert with a client's management and IT staff to prioritize tasks and get essential systems back online as fast as humanly possible.
Customer Case Study: A Successful Ransomware Virus Restoration
A business escalated to Progent after its network was attacked by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean government-sponsored criminal gangs, suspected of using techniques leaked from the United States National Security Agency. Ryuk targets specific organizations with little tolerance for disruption and is one of the most profitable strains of crypto-ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in Chicago with about 500 employees. The Ryuk intrusion had frozen all company operations and manufacturing processes. Most of the client's data backups had been directly accessible from the network at the start of the intrusion and were damaged. The client was considering paying the ransom (exceeding $200K) and hoping for the best, but in the end brought in Progent.
"I cannot speak enough in regards to the support Progent gave us during the most stressful time of (our) business's survival. We most likely would have paid the cyber criminals behind the attack if not for the confidence the Progent experts gave us. That you could get our messaging and essential applications back on-line faster than five days was beyond my wildest dreams. Every single staff member I interacted with or texted at Progent was amazingly focused on getting us back online and was working all day and night on our behalf."
Progent worked together with the customer to quickly identify and prioritize the most important areas that had to be addressed in order to keep the company operating:
- Active Directory (AD)
- Microsoft Exchange Email
- MRP System
To begin, Progent followed ransomware incident response best practices by containing the spread and removing the active malware. Progent then started the process of bringing Active Directory back online, the heart of enterprise environments built on Microsoft Windows Server. Microsoft Exchange Server messaging will not work without Windows AD, and the client's accounting and MRP system ran on SQL Server, which depends on Active Directory for access control to the data.
In less than two days, Progent recovered Windows Active Directory to its pre-attack state. Progent then began setup and storage recovery on the critical systems. All of Exchange Server's Active Directory links and attributes were intact, which greatly simplified the Exchange restore. Progent was able to collect intact OST files (Outlook Offline Data Files) from various workstations in order to recover email messages. A recent offline backup of the customer's accounting software made it possible to bring these required applications back online for users. Although a large amount of work remained to recover fully from the Ryuk damage, core systems were returned to operation rapidly:
"For the most part, the assembly line operation was never shut down and we did not miss any customer deliverables."
Over the following few weeks, important milestones in the restoration project were achieved through close collaboration between Progent team members and the customer:
- In-house web applications were returned to operation without losing any data.
- The MailStore email archive server, holding more than 4 million historical emails, was brought online and made available to users.
- CRM, Orders, Invoices, Accounts Payable (AP), Accounts Receivable (AR) and Inventory Control functions were 100 percent recovered.
- A new Palo Alto 850 security appliance was brought online.
- 90% of the user PCs were functioning as before the incident.
"A huge amount of what occurred during the initial response is mostly a haze for me, but we will not soon forget the urgency each and every one of the team put in to help get our business back. I’ve trusted Progent for at least 10 years, possibly more, and each time Progent has impressed me and delivered as promised. This situation was a Herculean accomplishment."
A potential business-killing disaster was averted through the efforts of hard-working experts, a broad spectrum of technical expertise, and tight teamwork. In hindsight, the ransomware intrusion described here would have been detected and stopped by current cyber security solutions and security best practices: staff education, well-designed incident response procedures for backup, and keeping systems current with security patches. The reality remains, however, that government-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware attack, remember that Progent's team of professionals has substantial experience in ransomware defense, cleanup, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for letting me get some sleep after we made it past the first week. All of you made an incredible effort, and if anyone is in the Chicago area, dinner is my treat!"
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB)
Contact Progent for Ransomware System Recovery Services in Porto Alegre
For ransomware system restoration consulting in the Porto Alegre metro area, call Progent at 800-462-8800 or see Contact Progent.