Ransomware: Your Feared IT Nightmare
Ransomware has become an escalating cyberplague that represents an existential threat for businesses poorly prepared for an attack. Multiple generations of ransomware such as Reveton, WannaCry, Locky, SamSam and MongoLock cryptoworms have been circulating for a long time and still inflict damage. Newer ransomware families such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nephilim, plus frequent as yet unnamed malware, not only encrypt online files but also corrupt any reachable configured system backups. Files synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly architected environment, this can make any restoration hopeless and effectively knocks the entire system back to square one.
Retrieving programs and data following a ransomware attack becomes a race against the clock as the targeted organization struggles to stop lateral movement, eradicate the malware, and resume mission-critical activity. Since crypto-ransomware needs time to spread, attacks are often launched at night, when an intrusion often goes unnoticed for longer. This multiplies the difficulty of promptly marshalling and orchestrating a capable mitigation team.
Progent offers a range of services for protecting Midtown Manhattan organizations from crypto-ransomware events. These include staff education so that employees recognize and do not fall victim to phishing exploits, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which uses SentinelOne's behavior-based threat defense to discover and disable zero-day modern malware attacks. Progent can also provide the assistance of experienced ransomware recovery professionals with the skills and perseverance to re-deploy a compromised system as urgently as possible.
Progent's Ransomware Recovery Services
Following a ransomware event, sending the ransom in Bitcoin cryptocurrency provides no assurance that merciless criminals will respond with the codes needed to decrypt all your data. Kaspersky ascertained that 17% of crypto-ransomware victims never restored their information after having paid the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000). This is well above the typical crypto-ransomware demand, which ZDNET determined to be approximately $13,000 for small businesses. The fallback is to re-install the key components of your Information Technology environment. Without access to full data backups, this calls for a wide complement of IT skills, top-notch team management, and the capability to work continuously until the task is complete.
For two decades, Progent has offered professional IT services for businesses throughout the United States and has earned Microsoft Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have earned high-level industry certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have garnered internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial systems and ERP software solutions. This breadth of expertise gives Progent the skills to knowledgeably identify critical systems, re-organize the surviving components of your network environment after a ransomware attack, and rebuild them into an operational system.
Progent's recovery team utilizes powerful project management tools to coordinate the complicated recovery process. Progent appreciates the urgency of working swiftly and in concert with a client's management and IT staff to prioritize tasks and to put key applications back on-line as fast as possible.
Customer Case Study: A Successful Crypto-Ransomware Virus Restoration
A customer engaged Progent after their network system was brought down by Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state criminal gangs, possibly using algorithms exposed from the United States National Security Agency. Ryuk targets specific companies with little room for disruption and is one of the most lucrative iterations of ransomware malware. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer located in Chicago with about 500 staff members. The Ryuk event had paralyzed all company operations and manufacturing processes. The majority of the client's information backups had been on-line at the time of the intrusion and were encrypted. The client considered paying the ransom demand (in excess of $200,000) and praying for the best, but ultimately engaged Progent.
"I cannot thank you enough for the help Progent gave us during the most critical period of (our) company's survival. We would have had little choice but to pay the cyber criminals behind the attack if it weren't for the confidence the Progent experts gave us. The fact that you were able to get our messaging and key servers back on-line in less than a week was incredible. Every single consultant I spoke to or texted at Progent was urgently focused on getting us back on-line and was working at all hours on our behalf."
Progent worked hand in hand with the client to quickly identify and prioritize the critical areas that needed to be recovered to make it possible to restart company operations:
- Active Directory (AD)
- Exchange Server
- MRP System
To get going, Progent followed industry best practices for malware incident mitigation by isolating affected systems and performing malware removal steps. Progent then started the work of restoring Microsoft Active Directory, the core of enterprise systems built upon Microsoft technology. Exchange messaging will not work without Active Directory, and the customer's accounting and MRP system utilized SQL Server, which depends on Active Directory for authentication to the data.
In less than 48 hours, Progent was able to restore Active Directory to its pre-attack state. Progent then helped perform reinstallations and storage recovery of critical applications. All Exchange schema and configuration information were intact, which facilitated the rebuild of Exchange. Progent was able to gather unencrypted OST files (Outlook Offline Data Files) from user desktop computers and laptops in order to recover mail data. A relatively recent off-line backup of the client's manufacturing software made it possible to bring these essential programs back online. Although significant work remained to recover completely from the Ryuk attack, core services were returned to operation quickly:
"For the most part, the production manufacturing operation did not miss a beat and we produced all customer shipments."
Over the following couple of weeks, critical milestones in the restoration project were achieved in close collaboration between Progent team members and the customer:
- In-house web applications were restored without losing any data.
- The MailStore Server archive, containing over 4 million historical messages, was brought back up and made available to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory Control modules were completely functional.
- A new Palo Alto Networks 850 security appliance was deployed.
- Most of the user desktops were operational.
"So much of what was accomplished in the early hours is nearly entirely a fog for me, but I will not forget the countless hours all of the team put in to give us our business back. I have utilized Progent for the past 10 years, maybe more, and every time Progent has shined and delivered as promised. This event was a life saver."
A potential business catastrophe was avoided thanks to top-tier professionals, a wide array of IT skills, and tight collaboration. Although in retrospect the ransomware attack described here would have been prevented with modern security solutions, NIST Cybersecurity Framework best practices, staff education, and properly executed procedures for backups and software patching, the fact is that state-sponsored hackers from Russia, China and elsewhere are tireless and are an ongoing threat. If you do fall victim to a ransomware incursion, remember that Progent's roster of professionals has substantial experience in ransomware defense, cleanup, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thanks very much for making it so I could get some sleep after we got through the initial fire. All of you made an incredible effort, and if any of you guys are around the Chicago area, a great meal is the least I can do!"
Download the Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Expertise in Midtown Manhattan
For ransomware system recovery consulting services in the Midtown Manhattan area, phone Progent at 800-462-8800 or go to Contact Progent.