Ransomware : Your Worst IT Nightmare
Ransomware has become a modern cyberplague that poses an enterprise-level threat to organizations unprepared for an attack. Earlier families of ransomware such as CryptoLocker, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for many years and still inflict damage. Modern versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Nephilim, plus frequent as-yet-unnamed malware, not only encrypt on-line information but also infect any system backups they can reach. Files replicated to the cloud can also be ransomed. In a poorly architected system this can render any restoration useless and basically set the entire system back to square one.
Getting applications and information back online after a crypto-ransomware event becomes a sprint against time as the targeted business tries its best to contain the damage, clean up the ransomware, and restore business-critical activity. Because ransomware requires time to spread, attacks are often sprung on weekends and holidays, when successful penetrations are likely to take longer to uncover. This compounds the difficulty of quickly marshalling and orchestrating a capable response team.
Progent offers an assortment of services for securing San Juan businesses from ransomware attacks. Among these are user education to help staff recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and installation of next-generation security appliances with AI capabilities to quickly detect and quarantine zero-day threats. Progent also offers the services of seasoned crypto-ransomware recovery engineers with the track record and commitment to rebuild a breached system as quickly as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware penetration, even paying the ransom demand in cryptocurrency does not guarantee that the criminal gang will respond with the keys to decrypt all your data. Kaspersky Labs determined that seventeen percent of ransomware victims never restored their information even after having paid the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the average crypto-ransomware demand, which ZDNET determined to be in the range of $13,000 for small organizations. The alternative is to set up the vital parts of your IT environment from scratch. Without access to essential system backups, this requires a broad complement of skills, professional team management, and the willingness to work continuously until the task is finished.
For decades, Progent has provided expert IT services for businesses across the US and has achieved Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have earned high-level certifications in leading technologies from Microsoft, Cisco and VMware, and in popular distributions of Linux. Progent's cybersecurity consultants have earned internationally recognized certifications including CISA, CISSP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent in addition has experience with accounting and ERP software solutions. This breadth of expertise gives Progent the capability to efficiently identify critical systems, consolidate the surviving parts of your Information Technology environment after a crypto-ransomware attack, and rebuild them into a functioning system.
Progent's recovery team utilizes top-notch project management tools to coordinate the complicated recovery process. Progent appreciates the importance of acting rapidly and in unison with a client's management and Information Technology resources to prioritize tasks and to get essential systems back online as fast as humanly possible.
Customer Case Study: A Successful Crypto-Ransomware Virus Response
A customer hired Progent after their company was hit by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean state-sponsored hackers, possibly adopting algorithms leaked from America's NSA. Ryuk goes after specific organizations with little tolerance for operational disruption and is among the most profitable incarnations of crypto-ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing company located in the Chicago metro area with about 500 workers. The Ryuk attack had shut down all essential operations and manufacturing capabilities. Most of the client's system backups had been on-line at the start of the attack and were damaged. The client was actively seeking loans to pay the ransom (exceeding two hundred thousand dollars) and hoping for good luck, but ultimately called Progent.
"I can't tell you enough about the help Progent gave us throughout the most critical time of (our) business's existence. We would have had little choice but to pay the hackers behind this attack if it wasn't for the confidence the Progent team afforded us. That you could get our e-mail system and critical servers back online in less than five days was beyond my wildest dreams. Each staff member I talked with or messaged at Progent was amazingly focused on getting our company operational and was working at breakneck pace on our behalf."
Progent worked together with the customer to rapidly identify and prioritize the key services that had to be addressed in order to continue departmental functions:
- Windows Active Directory
- Electronic Messaging
To begin, Progent followed antivirus/malware incident response best practices by stopping the spread and performing malware removal steps. Progent then started the task of restoring Microsoft Active Directory (AD), the heart of enterprise systems built upon Microsoft Windows technology. Microsoft Exchange messaging will not function without AD, and the customer's financials and MRP applications used SQL Server, which depends on Windows AD for access to the information.
In less than 48 hours, Progent was able to recover Windows Active Directory to its pre-penetration state. Progent then helped rebuild and recover the storage of mission-critical servers. All Microsoft Exchange Server schema and configuration information was usable, which greatly helped the restoration of Exchange. Progent was able to collect non-encrypted OST files (Outlook Offline Data Files) from user PCs and laptops in order to recover mail messages. A relatively recent offline backup of the client's accounting/MRP systems made it possible to bring these essential applications back online. Although a large amount of work remained to recover fully from the Ryuk virus, critical systems were returned to operation rapidly:
"For the most part, the production operation survived unscathed and we made all customer sales."
Throughout the following month key milestones in the recovery process were completed in close cooperation between Progent engineers and the client:
- In-house web applications were brought back up with no loss of information.
- The MailStore Server with over 4 million archived emails was restored to operations and accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control modules were 100 percent recovered.
- A new Palo Alto 850 security appliance was installed and configured.
- Nearly all of the desktop computers were fully operational.
"Much of what was accomplished in the initial days is mostly a fog for me, but our team will not soon forget the urgency all of the team put in to give us our business back. I have trusted Progent for at least 10 years, possibly more, and each time I needed help Progent has come through and delivered as promised. This situation was a stunning achievement."
A potential enterprise-killing disaster was averted by dedicated professionals, a wide spectrum of IT skills, and tight teamwork. Although in hindsight the crypto-ransomware penetration described here could have been shut down with advanced security technology and NIST Cybersecurity Framework best practices, team training, and well-designed incident response procedures for data backup and keeping systems up to date with security patches, the fact remains that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware penetration, be confident that Progent's team of experts has proven experience in ransomware blocking, mitigation, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were involved), thank you for making it so I could get rested after we got through the first week. All of you did an impressive effort, and if anyone is around the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)