Ransomware: Your Feared IT Nightmare
Crypto-ransomware has become a modern cyber pandemic that presents an enterprise-level threat for businesses of all sizes unprepared for an attack. Multiple generations of ransomware such as CrySIS, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for many years and still cause destruction. Newer versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, plus more unnamed newcomers, not only encrypt online information but also infiltrate any configured system protection mechanisms. Information replicated to cloud environments can also be ransomed. In a vulnerable environment, this can make automated restoration hopeless and knock the entire system back to square one.
Getting services and information back online following a crypto-ransomware event becomes a sprint against time as the targeted organization struggles to contain and remove the virus and to resume enterprise-critical activity. Since crypto-ransomware takes time to move laterally, assaults are frequently sprung on weekends, when penetrations tend to take longer to recognize. This multiplies the difficulty of promptly assembling and orchestrating a qualified mitigation team.
Progent has a range of support services for protecting Ribeirão Preto enterprises from ransomware events. Among these are user training to help identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of modern security gateways with AI capabilities to rapidly discover and disable new cyber threats. Progent also can provide the assistance of veteran crypto-ransomware recovery engineers with the track record and perseverance to reconstruct a compromised environment as rapidly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware attack, paying the ransom demands in cryptocurrency does not provide any assurance that distant criminals will respond with the needed codes to decipher any or all of your information. Kaspersky Labs determined that 17% of ransomware victims never restored their files even after having paid the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is far higher than the usual ransomware demands, which ZDNET estimated to be in the range of $13,000 for smaller organizations. The fallback is to rebuild the critical elements of your IT environment. Absent the availability of essential system backups, this calls for a broad complement of skills, professional project management, and the ability to work continuously until the task is done.
For twenty years, Progent has provided professional IT services for companies throughout the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have earned advanced certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have earned internationally renowned industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has experience with financial management and ERP application software. This breadth of expertise gives Progent the skills to knowledgeably identify critical systems, organize the surviving parts of your network following a ransomware penetration, and assemble them into a functioning network.
Progent's security team has top-notch project management systems to orchestrate the sophisticated recovery process. Progent appreciates the importance of acting quickly and in concert with a client's management and Information Technology resources to assign priority to tasks and to get the most important systems back online as fast as possible.
Customer Story: A Successful Ransomware Penetration Restoration
A business contacted Progent after their network was penetrated by Ryuk ransomware. Ryuk is generally considered to have been created by North Korean government-sponsored cybercriminals, possibly using approaches exposed from America's NSA. Ryuk attacks specific companies with limited ability to sustain disruption and is one of the most profitable incarnations of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer based in the Chicago metro area with around 500 employees. The Ryuk penetration had disabled all business operations and manufacturing capabilities. Most of the client's data backups had been directly accessible at the beginning of the intrusion and were damaged. The client was pursuing financing to pay the ransom demand (in excess of $200,000) and hoping for the best, but ultimately engaged Progent.
"I cannot speak enough about the expertise Progent gave us throughout the most critical time of (our) company’s life. We would have paid the Hackers if not for the confidence the Progent team provided us. That you were able to get our e-mail and important servers back on-line sooner than seven days was earth shattering. Each expert I interacted with or messaged at Progent was laser focused on getting us working again and was working 24 by 7 to bail us out."
Progent worked together with the client to rapidly understand and prioritize the most important areas that needed to be restored to make it possible to restart departmental functions:
- Windows Active Directory
- Electronic Messaging
- MRP System
To get going, Progent followed ransomware incident mitigation best practices by stopping lateral movement and cleaning systems of malware. Progent then started the process of restoring Microsoft Active Directory, the heart of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange messaging will not operate without AD, and the customer's MRP system relied on SQL Server, which depends on Active Directory for access to the information.
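The restoration order described here (Active Directory first, then Exchange and SQL Server, then the MRP application that sits on SQL Server) is a dependency problem, and a small planner can produce the order and catch mistakes such as circular or unknown dependencies before a recovery team starts work. The script below is an added example, not Progent's or the client's code; the service names and the dependency map are constructed from the case study's narrative, and the DNS entry is an assumption (Active Directory normally needs its DNS zone available).

```python
"""Recovery-order planner for a ransomware rebuild.

Added example (not Progent's code). Orders services so that each is restored
only after everything it depends on, and groups independent services into
waves that can be rebuilt in parallel.
"""

# Constructed dependency map: service -> set of services that must be up first.
# Based on the case study: Exchange and SQL Server need Active Directory,
# the MRP application needs SQL Server. The DNS entry is an assumption.
RECOVERY_DEPENDENCIES = {
    "active_directory": set(),
    "dns": set(),
    "exchange": {"active_directory", "dns"},
    "sql_server": {"active_directory"},
    "mrp": {"sql_server"},
    "web_apps": {"sql_server", "active_directory"},
}


def _validate(deps):
    """Reject dependency names that are not themselves defined services."""
    for svc, reqs in deps.items():
        unknown = set(reqs) - deps.keys()
        if unknown:
            raise ValueError(f"{svc} depends on unknown service(s): {sorted(unknown)}")


def recovery_waves(deps):
    """Group services into waves; every service in wave N depends only on waves < N.

    Raises ValueError if the remaining services can never become ready
    (a circular dependency), so the plan fails before anyone acts on it.
    """
    _validate(deps)
    remaining = {svc: set(reqs) for svc, reqs in deps.items()}
    done, waves = set(), []
    while remaining:
        # Ready = every dependency already restored. Sorted for a stable plan.
        wave = sorted(svc for svc, reqs in remaining.items() if reqs <= done)
        if not wave:
            raise ValueError(f"circular dependency among: {sorted(remaining)}")
        waves.append(wave)
        done.update(wave)
        for svc in wave:
            del remaining[svc]
    return waves


def recovery_order(deps, priorities=None):
    """Flatten the waves into one sequential restore order.

    priorities: optional dict service -> int; within a wave, lower numbers are
    restored first (e.g. give the MRP system priority over internal web apps).
    """
    priorities = priorities or {}
    order = []
    for wave in recovery_waves(deps):
        order.extend(sorted(wave, key=lambda s: (priorities.get(s, 0), s)))
    return order


if __name__ == "__main__":
    for n, wave in enumerate(recovery_waves(RECOVERY_DEPENDENCIES), start=1):
        print(f"wave {n}: {', '.join(wave)}")
    print("sequential:", " -> ".join(recovery_order(RECOVERY_DEPENDENCIES)))
```

Run it as-is to print the waves and the sequential order for the constructed map; to use it for a real environment, replace `RECOVERY_DEPENDENCIES` with the services and dependencies discovered during the priority review, and pass a `priorities` dict so that business-critical systems in the same wave are restored first.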
Within 48 hours, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then carried out setup and disk recovery of essential servers. All Exchange ties and attributes were usable, which greatly helped the rebuild of Exchange. Progent was also able to collect intact OST files (Outlook Offline Folder files) on various workstations and laptops to recover mail data. A relatively recent offline backup of the business's accounting/MRP systems made it possible to bring these vital applications back online for users. Although major work remained to recover fully from the Ryuk attack, essential services were returned to operation quickly:
"For the most part, the production operation ran fairly normal throughout and we did not miss any customer shipments."
During the next month key milestones in the recovery project were accomplished through close cooperation between Progent consultants and the client:
- Self-hosted web applications were brought back up without losing any information.
- The MailStore Microsoft Exchange Server containing more than four million historical messages was brought online and available for users.
- CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory functions were fully functional.
- A new Palo Alto Networks 850 security appliance was set up.
- Ninety percent of the user desktops and notebooks were being used by staff.
"So much of what transpired in the initial days is mostly a fog for me, but we will not forget the urgency all of the team put in to give us our company back. I’ve been working together with Progent for the past ten years, maybe more, and every time I needed help Progent has come through and delivered as promised. This situation was a Herculean accomplishment."
A possible business extinction catastrophe was dodged with results-oriented experts, a broad range of knowledge, and tight collaboration. Although in hindsight the ransomware incident described here could have been identified and prevented with current cybersecurity systems and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team training, and well-designed incident response procedures for data backup and applying software patches, the fact is that government-sponsored cybercriminals from China, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a crypto-ransomware penetration, remember that Progent's roster of professionals has substantial experience in ransomware defense, remediation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thanks very much for letting me get some sleep after we made it past the most critical parts. All of you did a fabulous job, and if any of your team is visiting the Chicago area, dinner is on me!"
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this customer story, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)