Ransomware: Your Crippling IT Nightmare
Crypto-ransomware has become a modern cyberplague that poses an enterprise-level danger to businesses unprepared for an attack. Ransomware families like Reveton, WannaCry, Locky, SamSam and MongoLock have been around for many years and still cause havoc. Modern crypto-ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Egregor, along with unnamed newcomers, not only encrypts online critical data but also infiltrates whatever system protection mechanisms are in place. Files replicated to cloud environments can also be encrypted. Against a poorly designed data protection solution, this can render automated restore operations hopeless and effectively set the entire environment back to zero.
Getting programs and data back online after a crypto-ransomware attack becomes a sprint against time as the victim tries to contain and clean up the infection and restore business-critical operations. Because ransomware needs time to spread, attacks are often launched on weekends, when a successful intrusion may take longer to detect. This multiplies the difficulty of promptly mobilizing and coordinating an experienced response team.
Progent offers a range of support services for protecting Albuquerque businesses from ransomware attacks. Among these are training to help staff recognize and avoid phishing attempts, and ProSight Active Security Monitoring (ASM) for endpoint detection and response, which uses SentinelOne's behavior-based threat protection to detect and disable zero-day modern malware attacks. Progent also offers the services of experienced crypto-ransomware recovery consultants with the skills and perseverance to redeploy a breached system as quickly as possible.
Progent's Crypto-Ransomware Restoration Services
After a crypto-ransomware attack, paying the ransom demand in cryptocurrency provides no assurance that the criminals will return the keys needed to decrypt your files. Kaspersky Labs determined that 17% of ransomware victims never recovered their data after paying the ransom, compounding their losses. The ransom itself is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is well above the usual ransomware demand, which ZDNET estimated to be around $13,000 for small organizations. The fallback is to rebuild the vital elements of your IT environment from scratch. Without access to essential backups, this calls for a broad range of skill sets, top-notch project management, and the ability to work non-stop until the task is completed.
For two decades, Progent has offered certified expert IT services for companies across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold high-level certifications in key technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security consultants hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC (refer to Progent's certifications). Progent also has expertise in financial management and ERP application software. This breadth of experience gives Progent the skills to rapidly identify the necessary systems, consolidate the surviving pieces of your IT environment after a crypto-ransomware attack, and assemble them into a functioning network.
Progent's security team uses top-notch project management systems to coordinate the complex restoration process. Progent knows the importance of acting swiftly and in concert with a client's management and IT resources to prioritize tasks and to bring essential systems back online as soon as humanly possible.
Client Case Study: A Successful Ransomware Intrusion Recovery
A client engaged Progent after their company was crippled by the Ryuk ransomware. Ryuk is believed to have been created by North Korean state-sponsored cybercriminals, suspected of adopting technology leaked from America's National Security Agency. Ryuk targets organizations with little tolerance for operational disruption and is one of the most lucrative ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing business headquartered in the Chicago metro area with around 500 employees. The Ryuk incident had paralyzed all company operations and manufacturing capabilities. Most of the client's backups had been directly accessible from the network at the start of the intrusion and were eventually encrypted as well. The client considered paying the ransom (in excess of $200,000) and hoping for the best, but in the end reached out to Progent.
"I cannot thank you enough in regards to the help Progent gave us throughout the most fearful time of (our) company's survival. We most likely would have paid the criminal gangs except for the confidence the Progent group provided us. The fact that you were able to get our messaging and production servers back into operation quicker than a week was something I thought impossible. Every single expert I interacted with or texted at Progent was amazingly focused on getting our system up and was working day and night on our behalf."
Progent worked with the client to rapidly understand and prioritize the essential systems that had to be restored in order to resume business functions:
- Microsoft Active Directory
- Electronic Messaging
To start, Progent followed industry best practices for malware incident mitigation by halting lateral movement and cleaning infected systems. Progent then began bringing Active Directory back online, the foundational technology of enterprise networks built on Microsoft Windows. Microsoft Exchange email will not operate without AD, and the business's MRP system ran on Microsoft SQL Server, which depended on Windows AD to authorize access to the databases.
Within 2 days, Progent had rebuilt Active Directory to its pre-attack state. Progent then rebuilt critical systems and recovered their storage. All Microsoft Exchange Server links and attributes in AD were intact, which greatly simplified the restoration of Exchange. Progent was able to locate local OST files (Microsoft Outlook Offline Data Files) on staff desktops and laptops and used them to recover email data. A recent offline backup of the customer's financials/ERP systems made it possible to return these vital services to users. Although significant work remained to recover fully from the Ryuk incident, core systems were restored quickly:
"For the most part, the production line operation survived unscathed and we delivered all customer deliverables."
Over the following weeks, the remaining milestones of the recovery project were completed through close cooperation between Progent team members and the customer:
- Self-hosted web sites were brought back up with no loss of data.
- The MailStore archive server for Exchange, holding more than 4 million archived emails, was restored to operation and made accessible to users.
- CRM, product ordering, invoicing, accounts payable (AP), accounts receivable (AR) and inventory control capabilities were 100% restored.
- A new Palo Alto Networks 850 firewall was deployed.
- Ninety percent of the desktops and laptops were functioning as before the incident.
"Much of what happened in the early hours is mostly a haze for me, but we will not forget the countless hours each of the team put in to give us our business back. I have trusted Progent for at least 10 years, maybe more, and every time Progent has come through and delivered as promised. This event was no exception but maybe more Herculean."
A likely company-ending catastrophe was averted thanks to top-tier experts, a broad spectrum of IT skills, and tight collaboration. In hindsight, the crypto-ransomware intrusion described here should have been stopped by current security solutions and security best practices, user training, and properly executed procedures for data backup and software patching. The fact remains, however, that state-sponsored hackers from Russia, North Korea and elsewhere are relentless and will keep attacking. If you do fall victim to a ransomware attack, remember that Progent's roster of professionals has extensive experience in ransomware defense, removal, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), I'm grateful for letting me get rested after we made it through the first week. Everyone did an incredible job, and if anyone that helped is around the Chicago area, a great meal is the least I can do!"
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this ransomware incident report, see Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware Recovery Consulting Services in Albuquerque
For ransomware system restoration expertise in the Albuquerque area, call Progent at 800-462-8800 or visit Contact Progent.