Ransomware : Your Crippling Information Technology Nightmare
Ransomware has become a modern cyber pandemic that represents an extinction-level threat for businesses of all sizes vulnerable to an attack. Multiple generations of ransomware such as the CrySIS, WannaCry, Locky, Syskey and MongoLock cryptoworms have been circulating for many years and continue to inflict havoc. Modern strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, plus as yet unnamed newcomers appearing daily, not only encrypt online data files but also infect any reachable system restore points and backups. Files replicated to the cloud can also be corrupted. In a vulnerable environment, this can make automated restore operations hopeless and effectively sets the network back to square one.
Getting programs and data back after a ransomware event becomes a race against time as the victim tries to contain and remove the malware and to restore enterprise-critical activity. Because crypto-ransomware takes time to move laterally, intrusions are often sprung on weekends, when successful attacks tend to take longer to detect. This multiplies the difficulty of rapidly assembling and coordinating an experienced response team.
Progent offers a range of services for protecting Durham organizations from ransomware events. These include team member training to help staff recognize and avoid phishing scams, and ProSight Active Security Monitoring (ASM) for endpoint detection and response, which uses SentinelOne's AI-based cyberthreat protection to identify and stop zero-day modern malware attacks. Progent also offers the assistance of experienced ransomware recovery professionals with the track record and perseverance to reconstruct a compromised environment as urgently as possible.
Progent's Ransomware Recovery Support Services
After a crypto-ransomware attack, paying the ransom demand in Bitcoin cryptocurrency does not ensure that the criminal gang will return the keys needed to decrypt all your information. Kaspersky Labs estimated that 17% of crypto-ransomware victims never restored their files even after having paid the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000). This is significantly above the usual crypto-ransomware demand, which ZDNET determined to be around $13,000 for small organizations. The other path is to piece back together the key components of your IT environment. Without full data backups available, this requires a wide complement of skills, well-coordinated project management, and the ability to work non-stop until the task is complete.
For twenty years, Progent has offered expert IT services for businesses across the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have attained top industry certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have earned internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience with financial systems and ERP application software. This breadth of expertise gives Progent the skills to quickly understand critical systems, reorganize the surviving parts of your network environment following a crypto-ransomware event, and rebuild them into an operational system.
Progent's ransomware group uses state-of-the-art project management systems to coordinate the complex recovery process. Progent understands the importance of acting quickly and in concert with a client's management and IT team members to prioritize tasks and to get the most important applications back online as fast as possible.
Customer Story: A Successful Ransomware Incident Restoration
A small business sought out Progent after their network was crippled by Ryuk crypto-ransomware. Ryuk is believed to have been developed by North Korean government-sponsored cybercriminals, possibly using techniques leaked from the U.S. NSA. Ryuk targets specific companies with little tolerance for operational disruption and is among the most profitable iterations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturer based in the Chicago metro area with about 500 employees. The Ryuk intrusion had brought down all essential operations and manufacturing capabilities. Most of the client's data backups had been directly accessible from the network at the time of the intrusion and were destroyed. The client was pursuing financing to pay the ransom demand (more than $200,000) and hoping for the best, but ultimately decided to use Progent.
"I can't speak enough in regards to the support Progent gave us during the most stressful period of (our) business's survival. We would have had little choice but to pay the hackers if not for the confidence the Progent team provided us. That you were able to get our messaging and essential servers back in less than five days was something I thought impossible. Each consultant I worked with or texted at Progent was amazingly focused on getting us operational and was working 24 by 7 on our behalf."
Progent worked with the client to quickly assess and prioritize the essential services that needed to be restored so that departmental operations could resume:
- Active Directory
- Exchange Server
To begin, Progent followed industry best practices for malware incident mitigation by stopping the spread and cleaning infected systems. Progent then started the process of recovering Microsoft Active Directory, the foundation of enterprise systems built on Microsoft technology. Microsoft Exchange Server messaging will not operate without Windows AD, and the business's accounting and MRP system ran on Microsoft SQL Server, which depends on Active Directory services for access to the databases.
Within two days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then reinstalled essential systems and recovered their storage. All Microsoft Exchange Server data and configuration information were usable, which simplified the restore of Exchange. Progent was able to collect intact OST files (Outlook Offline Folder Files) from user desktop computers and laptops to recover email messages. A recent offline backup of the client's accounting software allowed these vital applications to be brought back online for users. Although major work remained to recover fully from the Ryuk event, the most important systems were recovered rapidly:
"For the most part, the assembly line operation survived unscathed and we did not miss any customer deliverables."
Over the following few weeks, key milestones in the restoration process were completed through close collaboration between Progent team members and the customer:
- Internal web sites were brought back up with no loss of information.
- The MailStore archive for Microsoft Exchange Server, holding more than four million archived messages, was brought online and made available to users.
- CRM, product ordering, invoicing, accounts payable, accounts receivable (AR) and inventory control capabilities were fully functional.
- A new Palo Alto Networks 850 firewall was installed.
- Nearly all user PCs were back in use by staff.
"A huge amount of what occurred in the early hours is mostly a haze for me, but we will not forget the commitment all of you put in to help get our company back. I've utilized Progent for at least 10 years, possibly more, and every time I needed help Progent has come through and delivered as promised. This event was a testament to your capabilities."
A potentially enterprise-killing disaster was averted through the efforts of top-tier professionals, a broad array of knowledge, and tight teamwork. Although in hindsight the ransomware incident described here should have been prevented by up-to-date cyber security technology, security best practices, user education, and appropriate procedures for data backup and patch management, the fact is that state-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware intrusion, be assured that Progent's roster of experts has a proven track record in ransomware defense, removal, and file disaster recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thank you for letting me get some sleep after we got over the first week. Everyone did an incredible job, and if anyone that helped is visiting the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To review or download a PDF version of this customer story, see Progent's Ryuk Incident Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Recovery Consulting in Durham
For ransomware system restoration expertise in the Durham metro area, call Progent at 800-462-8800 or visit Contact Progent.