Ransomware: Your Crippling IT Nightmare
Ransomware has become a modern cyber pandemic and an existential threat to businesses that are unprepared for an attack. Crypto-ransomware families and cryptoworms such as Reveton, WannaCry, Bad Rabbit, SamSam and MongoLock have been in the wild for years and still wreak havoc. Newer variants like Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, along with as yet unnamed newcomers, not only encrypt critical online data but also encrypt any system backups they can reach. Data replicated to off-site disaster recovery sites can be rendered useless as well. On a vulnerable network this makes automated recovery impossible and effectively knocks the datacenter back to square one.
Restoring applications and data after a ransomware intrusion becomes a race against time as the targeted business struggles to contain the damage, clear the malware, and resume business-critical activity. Because ransomware needs time to spread, attacks are frequently launched at night and on weekends, when they take longer to discover. This multiplies the difficulty of rapidly mobilizing and coordinating a capable response team.
Progent provides an assortment of support services for protecting Virginia Beach businesses from crypto-ransomware incidents. These include staff training to help users recognize and avoid phishing scams, and ProSight Active Security Monitoring for endpoint detection and response, which uses SentinelOne's behavior-based threat defense to identify and disable zero-day malware attacks. Progent also provides expert ransomware recovery consultants with the skill and commitment to bring a compromised network back into service as quickly as possible.
Progent's Crypto-Ransomware Recovery Support Services
Following a crypto-ransomware intrusion, paying the ransom in cryptocurrency does not guarantee that the criminal gang will respond with the keys needed to decrypt all your data. Kaspersky determined that seventeen percent of ransomware victims never recovered their files after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the average ransomware demand, which ZDNET determined to be approximately $13,000 for small organizations. The alternative is to piece the vital components of your IT environment back together. Without access to complete data backups, this requires a broad range of skills, professional project management, and the ability to work around the clock until the job is done.
For decades, Progent has provided professional IT services to businesses throughout the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who hold advanced industry certifications in key technologies from Microsoft, Cisco, VMware, and the popular Linux distributions. Progent's security engineers have earned internationally recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience with accounting and ERP application software. This breadth of expertise allows Progent to quickly identify the systems that matter, integrate the surviving pieces of your IT environment after a ransomware attack, and assemble them into an operational network.
Progent's security group uses best-of-breed project management tools to orchestrate the complex recovery process. Progent understands the urgency of working swiftly and in unison with a client's management and IT staff to prioritize tasks and to bring key applications back online as fast as humanly possible.
Business Case Study: A Successful Ransomware Attack Restoration
A small business hired Progent after its network was taken over by Ryuk ransomware. Ryuk is thought to have been launched by North Korean state-sponsored cybercriminals, possibly using techniques leaked from the United States National Security Agency. Ryuk targets specific businesses with limited ability to tolerate operational disruption and is one of the most profitable ransomware strains. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturer located in Chicago with around 500 staff members. The Ryuk intrusion had shut down all essential business operations and manufacturing processes. Most of the client's data backups had been online at the start of the attack and were eventually encrypted. The client considered paying the ransom (exceeding $200K) and hoping for the best, but ultimately engaged Progent.
"I cannot say enough about the care Progent gave us during the most fearful period of (our) business's existence. We most likely would have paid the hackers behind this attack if it wasn't for the confidence the Progent group afforded us. That you were able to get our e-mail and important servers back on-line in less than 1 week was earth shattering. Every single person I spoke to or e-mailed at Progent was urgently focused on getting us restored and was working non-stop on our behalf."
Progent worked with the client to rapidly identify and prioritize the essential systems that had to be recovered in order to resume business operations:
- Microsoft Active Directory
- Microsoft Exchange Server
To start, Progent followed antivirus/malware incident response best practices by halting the spread and disinfecting the affected systems. Progent then began restoring Windows Active Directory, the foundation of enterprise networks built on Microsoft technology. Exchange email will not operate without Windows AD, and the business's accounting and MRP system ran on Microsoft SQL Server, which relies on Active Directory for authentication and authorization to its data.
In less than two days, Progent was able to recover Active Directory to its pre-attack state. Progent then completed reinstallations and hard drive recovery of the most important applications. All Microsoft Exchange Server data and attributes were intact, which accelerated the restoration of Exchange. Progent was also able to gather local OST files (Microsoft Outlook Offline Folder Files) from various workstations to recover email data. A reasonably recent offline backup of the client's manufacturing systems made it possible to bring these essential applications back online. Although significant work remained to recover fully from the Ryuk incident, essential systems were restored quickly:
"For the most part, the assembly line operation was never shut down and we produced all customer shipments."
Over the following few weeks, the critical milestones of the restoration project were reached through close collaboration between Progent's team and the client:
- Self-hosted web sites were restored without losing any data.
- The MailStore Exchange Server archive containing more than 4 million historical messages was brought back online and made available to users.
- CRM/Product Ordering/Invoices/Accounts Payable/AR/Inventory Control functions were fully operational.
- A new Palo Alto 850 security appliance was set up.
- 90% of the user desktops were functioning as before the incident.
"Much of what occurred in the early hours is mostly a blur for me, but I will not soon forget the countless hours all of you put in to give us our company back. I've trusted Progent for at least 10 years, possibly more, and each time Progent has outperformed my expectations and delivered. This situation was a life saver."
A potentially business-ending catastrophe was averted by top-tier professionals, a wide range of expertise, and close collaboration. Post-incident forensics showed that the crypto-ransomware attack described here could have been detected and blocked with advanced security technology and best practices, user education, and well-designed incident response procedures for data backup and software patching. Even so, state-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and will keep attacking. If you do fall victim to a crypto-ransomware intrusion, be assured that Progent's roster of experts has extensive experience in crypto-ransomware prevention, remediation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thanks very much for allowing me to get rested after we made it through the initial fire. All of you did a fabulous effort, and if anyone that helped is around the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Recovery Case Study Datasheet (PDF, 282 KB)
Contact Progent for Ransomware Cleanup Services in Virginia Beach
For ransomware recovery consulting services in the Virginia Beach metro area, phone Progent at 800-462-8800 or visit Contact Progent.