Ransomware: Your Crippling Information Technology Disaster
Ransomware has become an all-too-frequent cyberplague that poses an enterprise-level danger to businesses poorly prepared for an attack. Ransomware families such as the CryptoLocker, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been spreading for many years and continue to cause havoc. Newer crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nephilim, along with the as-yet-unnamed variants that appear daily, not only encrypt online data but also disable many of the system protection mechanisms an organization has configured. Data synchronized to cloud environments can also be rendered useless. In a poorly designed environment, this defeats automated restore operations and effectively sets the network back to square one.
Getting applications and data back online after a ransomware event becomes a race against time as the targeted organization works to stop lateral movement, clear the ransomware, and resume business-critical activity. Because crypto-ransomware takes time to move laterally, attacks are frequently launched on weekends and at night, when a successful intrusion typically takes longer to recognize. This compounds the difficulty of rapidly mobilizing and organizing an experienced mitigation team.
Progent offers a range of solutions for protecting Virginia Beach organizations from crypto-ransomware events. These include team member training to help identify and avoid phishing attempts, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which utilizes SentinelOne's behavior-based cyberthreat defense to identify and suppress zero-day modern malware attacks. Progent can also provide the assistance of experienced ransomware recovery professionals with the track record and commitment to restore a breached system as soon as possible.
Progent's Crypto-Ransomware Restoration Help
After a ransomware penetration, paying the ransom demand in cryptocurrency does not ensure that merciless criminals will respond with the keys to decrypt any or all of your data. Kaspersky determined that seventeen percent of crypto-ransomware victims never recovered their files even after paying the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the average ransomware demand, which ZDNET estimated at around $13,000 for smaller businesses. The fallback is to piece back together the essential parts of your IT environment. Without access to essential data backups, this requires a broad range of IT skills, professional team management, and the capability to work continuously until the task is finished.
For decades, Progent has provided certified expert Information Technology services for companies throughout the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who hold high-level industry certifications in key technologies from Microsoft, Cisco, and VMware, and in popular distributions of Linux. Progent's security experts have earned internationally recognized industry certifications including CISA, CISSP, CRISC, and GIAC (visit Progent's certifications). Progent also has experience in financial management and ERP applications. This breadth of experience gives Progent the capability to rapidly determine which systems are necessary, reorganize the remaining components of your computer network following a crypto-ransomware attack, and assemble them into an operational system.
Progent's recovery group uses powerful project management systems to coordinate the sophisticated restoration process. Progent understands the importance of acting swiftly and in concert with a customer's management and IT staff to assign priority to tasks and to put the most important applications back online as soon as possible.
Customer Case Study: A Successful Crypto-Ransomware Virus Response
A client engaged Progent after their organization was brought down by the Ryuk crypto-ransomware. Ryuk is generally considered to have been developed by North Korean government-sponsored criminal gangs, possibly using approaches leaked from the United States National Security Agency. Ryuk targets organizations with little room for operational disruption and is one of the most profitable iterations of crypto-ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in Chicago with around 500 workers. The Ryuk event had shut down all company operations and manufacturing capabilities. Most of the client's data backups had been online at the time of the attack and were eventually encrypted. The client was preparing to pay the ransom (more than $200K) and hoping for the best, but in the end brought in Progent.
"I cannot thank you enough in regards to the expertise Progent provided us throughout the most critical period of (our) company's existence. We would have paid the cybercriminals if it wasn't for the confidence the Progent team gave us. The fact that you could get our e-mail and key applications back into operation faster than seven days was beyond my wildest dreams. Every single expert I got help from or communicated with at Progent was amazingly focused on getting our system up and was working at all hours on our behalf."
Progent worked with the customer to rapidly identify and prioritize the key systems that had to be restored to make it possible to resume company functions:
- Microsoft Active Directory
- Electronic Mail
- Accounting and Manufacturing Software
To begin, Progent followed industry best practices for ransomware incident mitigation by stopping the spread and cleaning up infected systems. Progent then initiated the task of restoring Microsoft Active Directory (AD), the core of enterprise systems built on Microsoft technology. Microsoft Exchange messaging will not work without AD, and the client's financials and MRP system used SQL Server, which depends on Active Directory services for access to the database.
In less than 48 hours, Progent was able to recover Active Directory to its pre-intrusion state. Progent then helped rebuild mission-critical servers and recover their hard drives. All Exchange Server links and configuration information were intact, which greatly simplified the rebuild of Exchange. Progent was able to locate unencrypted OST files (Outlook Offline Data Files) on various workstations and laptops and used them to recover mail data. A recent offline backup of the business's accounting/ERP systems made it possible to bring these required applications back online. Although major work remained to recover fully from the Ryuk damage, critical services were recovered quickly:
"For the most part, the production operation never missed a beat and we did not miss any customer shipments."
Over the following month, key milestones in the restoration process were accomplished through close cooperation between Progent team members and the client:
- Self-hosted web applications were brought back up with no loss of information.
- The MailStore Server containing more than 4 million archived messages was spun up and accessible to users.
- CRM/Customer Orders/Invoicing/AP/AR/Inventory Control functions were fully operational.
- A new Palo Alto 850 security appliance was deployed.
- 90% of the desktop computers were fully operational.
"Much of what was accomplished that first week is mostly a fog for me, but I will not soon forget the care each and every one of your team accomplished to give us our business back. I have entrusted Progent for the past ten years, maybe more, and each time I needed help Progent has come through and delivered. This time was the most impressive ever."
A possible company-ending catastrophe was averted by hard-working professionals, a broad spectrum of IT skills, and close collaboration. In hindsight, the crypto-ransomware incident described here could have been identified and blocked with modern security systems and recognized best practices: staff training, and properly executed procedures for data backup and software patching. The reality remains, however, that state-sponsored hackers from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware incursion, remember that Progent's roster of experts has substantial experience in ransomware blocking, cleanup, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were contributing), thank you for making it so I could get rested after we made it past the initial fire. All of you made an amazing effort, and if anyone is visiting the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Services in Virginia Beach
For ransomware cleanup consulting services in the Virginia Beach metro area, phone Progent at 800-462-8800 or see Contact Progent.