Ransomware: Your Feared IT Nightmare
Ransomware has become an escalating cyber plague that poses an enterprise-level threat to any business vulnerable to attack. Crypto-ransomware families such as CryptoLocker, Fusob, Bad Rabbit, SamSam and MongoLock have been circulating for years and continue to inflict harm. More recent variants such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, Snatch and Egregor, along with the as yet unnamed strains that appear daily, not only encrypt online data but also seek out and destroy every reachable system restore point, shadow copy and backup. Data replicated to cloud environments can be encrypted as well. In a poorly architected system this renders automated recovery useless and effectively knocks the network back to square one.
Restoring services and data after a ransomware intrusion becomes a race against the clock as the targeted business struggles to stop the spread, eradicate the ransomware and resume mission-critical activity. Because ransomware needs time to propagate, attacks are often launched on weekends and at night, when an intrusion is likely to go unnoticed longer. This multiplies the difficulty of promptly assembling and organizing an experienced mitigation team.
Progent offers a range of services for protecting Ribeirão Preto enterprises against crypto-ransomware attacks. These include staff training to recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security gateways with AI capabilities to rapidly identify and block zero-day attacks. Progent also provides seasoned ransomware recovery consultants with the skill and perseverance to rebuild a breached environment as quickly as possible.
Progent's Ransomware Recovery Support Services
After a crypto-ransomware attack, paying the ransom in Bitcoin provides no assurance that the attackers will hand over the keys needed to decrypt any or all of your files. Kaspersky estimated that 17% of ransomware victims never recovered their data after paying the ransom, compounding their losses. The stakes are also high. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), well above the average ransomware demand, which ZDNet estimated at approximately $13,000 for small organizations. The alternative is to rebuild the key elements of your IT environment. Without access to complete data backups, this calls for a broad complement of skills, top-notch team management, and the willingness to work 24x7 until the job is done.
For two decades, Progent has provided expert IT services to businesses throughout the US and holds Microsoft Partner competencies in Datacenter and Cloud Productivity. Progent's pool of subject matter experts includes professionals with advanced industry certifications in key technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's cybersecurity specialists hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent also has expertise in financial systems and ERP applications. This breadth of expertise lets Progent efficiently identify the systems that must be rebuilt after a ransomware attack, salvage the usable pieces of your network environment, and reassemble them into an operational network.
Progent's recovery team uses best-of-breed project management tools to orchestrate the complex restoration process. Progent understands the importance of acting swiftly and in concert with a client's management and IT staff to prioritize tasks and bring key applications back online as soon as possible.
Client Case Study: A Successful Crypto-Ransomware Attack Recovery
A customer sought out Progent after their company was overrun by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it reuses code from the Hermes ransomware, although later analysis linked its operators to Russian-speaking criminal groups; its operators are also suspected of using exploit techniques leaked from America's National Security Agency. Ryuk targets specific organizations with little or no tolerance for operational disruption and is among the most lucrative ransomware strains. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer based in Chicago with around 500 employees. The Ryuk attack had disabled all essential business and manufacturing processes. Most of the client's backups had been online at the start of the attack and were destroyed. The client was arranging financing to pay the ransom (in excess of $200,000) and hoping for the best, but ultimately brought in Progent.
"I cannot say enough in regards to the help Progent gave us during the most critical time of (our) company's existence. We would have paid the cybercriminals if not for the confidence the Progent group gave us. The fact that you were able to get our e-mail and critical servers back into operation in less than a week was amazing. Each staff member I talked with or communicated with at Progent was absolutely committed to getting us restored and was working 24x7 to bail us out."
Progent worked with the client to quickly identify and prioritize the critical elements that had to be recovered to keep the company running:
- Active Directory
- Microsoft Exchange email
- MRP system
To start, Progent followed industry best practices for malware incident response by isolating and cleaning compromised systems. Progent then began rebuilding Microsoft Active Directory, the foundation of enterprise environments built on Windows Server. Exchange will not function without Active Directory, and the company's MRP application ran on SQL Server, which relied on Active Directory for authentication and authorization to the data.
In less than two days, Progent restored Active Directory to its pre-attack state. Progent then assisted with reinstallation and storage recovery for key applications. All Exchange Server schema extensions and attributes in Active Directory were intact, which simplified the Exchange rebuild. Progent located unencrypted OST files (Outlook Offline Data Files) on user workstations and used them to recover mailbox contents; an OST holds only the mailbox data that had been cached on that workstation, so coverage depends on each user's Cached Exchange Mode settings. A recent offline backup of the client's accounting/ERP systems made it possible to bring these essential applications back online for users. Although major work remained to recover fully from the Ryuk damage, the most important services were restored rapidly:
"For the most part, the production manufacturing operation ran fairly normally throughout and we delivered all customer sales."
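The OST salvage step described above deserves a concrete check, because a ransomware-encrypted OST is worthless and not every file that still carries an .ost or .pst name is intact. The script below is an added example, not Progent's tooling: it walks a directory tree, finds files that are or were Outlook data files (ransomware typically appends its own extension to the original name; Ryuk used .RYK), and classifies each by whether the PFF header signature "!BDN" is still present at offset 0 and whether the first 64 KB reads as structured data or as near-random ciphertext. The sample profile tree it builds is constructed for the demonstration, and the entropy threshold of 7.2 bits per byte is an assumption that should be tuned against known-good files.

```python
"""Triage Outlook data files (.ost/.pst) after a ransomware incident.

Added example, not Progent's tooling. An intact Outlook data file starts
with the PFF signature "!BDN" and contains plenty of repetitive, low-entropy
structure; a ransomware-encrypted copy has lost the signature and its bytes
are close to uniformly random. The entropy threshold and the sample tree
built by build_sample_tree() are assumptions made for this demonstration.
"""
import math
import os
import random
import tempfile
from collections import Counter

PFF_SIGNATURE = b"!BDN"      # magic bytes at offset 0 of Outlook PST/OST files
SAMPLE_BYTES = 64 * 1024     # leading bytes sampled for the entropy estimate
ENTROPY_THRESHOLD = 7.2      # bits/byte (assumed); ciphertext is ~8.0, real OSTs far lower
OUTLOOK_EXTS = (".ost", ".pst")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_outlook_file(path: str) -> str:
    """Return 'intact', 'encrypted' or 'damaged' for one candidate file."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "encrypted"          # near-random bytes: ransomware output
    if head.startswith(PFF_SIGNATURE):
        return "intact"             # signature present, structured content
    return "damaged"                # low entropy but no header: truncated or zeroed


def is_outlook_name(name: str) -> bool:
    """True for user.ost, archive.pst and renamed copies such as archive.pst.RYK."""
    stem, ext = os.path.splitext(name.lower())
    return ext in OUTLOOK_EXTS or os.path.splitext(stem)[1] in OUTLOOK_EXTS


def triage_tree(root: str) -> dict[str, list[str]]:
    """Walk `root` and bucket every Outlook data file by classification."""
    buckets: dict[str, list[str]] = {"intact": [], "encrypted": [], "damaged": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in sorted(filenames):
            if is_outlook_name(name):
                full = os.path.join(dirpath, name)
                buckets[classify_outlook_file(full)].append(full)
    return buckets


def build_sample_tree() -> str:
    """Create a constructed workstation profile tree for the demonstration."""
    root = tempfile.mkdtemp(prefix="ost-triage-")
    outlook_dir = os.path.join(root, "Users", "jdoe", "AppData", "Local",
                               "Microsoft", "Outlook")
    os.makedirs(outlook_dir)
    # intact OST: real header followed by mostly-zero, partly repetitive content
    with open(os.path.join(outlook_dir, "jdoe.ost"), "wb") as fh:
        fh.write(PFF_SIGNATURE + b"\x00" * 8192 + bytes(range(256)) * 16)
    # encrypted archive: seeded pseudo-random bytes standing in for ciphertext
    with open(os.path.join(outlook_dir, "archive.pst.RYK"), "wb") as fh:
        fh.write(random.Random(1).randbytes(SAMPLE_BYTES))
    # damaged file: name kept but content zeroed
    with open(os.path.join(outlook_dir, "old.pst"), "wb") as fh:
        fh.write(b"\x00" * 4096)
    # unrelated file that must be ignored by the name filter
    with open(os.path.join(outlook_dir, "readme.txt"), "wb") as fh:
        fh.write(b"not an outlook file")
    return root


if __name__ == "__main__":
    for bucket, paths in triage_tree(build_sample_tree()).items():
        for p in paths:
            print(f"{bucket:9s} {p}")
```

Run it against a mounted workstation image or an administrative share rather than the live machine, and treat "intact" as a candidate list only: a file that keeps its header and low entropy can still be inconsistent, so open each one with Outlook or the Inbox Repair Tool (scanpst) before relying on it. Files classified "encrypted" should be retained as evidence, not deleted, in case a decryptor for the strain becomes available.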
Over the following weeks, further milestones in the restoration process were reached in close collaboration between Progent engineers and the client:
- Self-hosted web sites were brought back online without any data loss.
- The MailStore email archive server, holding more than four million historical Exchange messages, was restored and made accessible to users.
- CRM, product ordering, invoicing, accounts payable, accounts receivable and inventory control functions were 100 percent operational.
- A new Palo Alto Networks PA-850 firewall was deployed.
- 90% of user workstations were fully operational.
"So much of what occurred in the initial days is mostly a blur for me, but I will not forget the commitment each of your team put in to help get our company back. I've been working together with Progent for the past 10 years, possibly more, and every time I needed help Progent has impressed me and delivered. This event was the most impressive ever."
A potentially business-ending disaster was averted through hard-working professionals, a wide spectrum of subject matter expertise, and tight collaboration. In hindsight, the ransomware incident described here should have been stopped by up-to-date security tooling, adherence to the NIST Cybersecurity Framework or ISO/IEC 27001, staff training, and properly executed procedures for offline backups and patch management; the reality remains that state-sponsored and criminal attackers from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware attack, you can be confident that Progent's team has a proven track record in ransomware prevention, remediation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), I'm grateful to you for letting me get some rest after we made it past the most critical parts. All of you made an incredible effort, and if any of you are around the Chicago area, dinner is the least I can do!"
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this ransomware incident report, see Progent's Ryuk Virus Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Recovery Services in Ribeirão Preto
For ransomware system recovery expertise in the Ribeirão Preto metro area, call Progent at 800-462-8800 or visit Contact Progent.