Ransomware: Your Worst Information Technology Disaster
Crypto-ransomware has become a modern cyberplague that represents an enterprise-level danger for businesses of all sizes. Older families such as Dharma, CryptoWall, Locky, Syskey and the MongoLock cryptoworm have been around for years and continue to wreak havoc. More recent strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nefilim, along with others not yet named, not only encrypt critical on-line data but also attack every reachable backup and protection mechanism. Files replicated to the cloud can be ransomed as well. In a poorly architected environment this can make any restore operation hopeless and effectively knocks the network back to zero.
Bringing applications and data back on line after a ransomware outage is a race against the clock as the targeted organization tries to stop the spread, eradicate the malware, and resume business-critical activity. Because crypto-ransomware needs time to propagate, attacks are often launched on weekends and holidays, when intrusions may take longer to notice. This compounds the difficulty of promptly assembling and coordinating an experienced response team.
Progent offers a range of support services for protecting Durham enterprises from crypto-ransomware attacks. These include user training to help staff recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security solutions with artificial intelligence capabilities that automatically identify and quarantine zero-day threats. Progent can also provide seasoned ransomware recovery professionals with the skills and commitment to restore a breached system as quickly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware event, paying the ransom in Bitcoin does not guarantee that the criminals will return the keys needed to decrypt all your files. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their data even after paying, compounding their losses. Paying is also very costly. Ryuk ransoms commonly range from 15-40 BTC (roughly $120,000 to $400,000). This is far above typical ransomware demands, which ZDNET determined to be in the range of $13,000 for smaller businesses. The other path is to piece the key elements of your IT environment back together. Without essential system backups, this calls for a wide range of skill sets, well-coordinated project management, and the ability to work continuously until the job is done.
For decades, Progent has provided expert Information Technology services to businesses across the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants holding advanced certifications in key technologies from Microsoft, Cisco and VMware, and in popular Linux distributions. Progent's cyber security consultants hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial systems and ERP software. This breadth of experience gives Progent the skills to efficiently identify critical systems, consolidate the surviving pieces of your network environment after a ransomware penetration, and rebuild them into a functioning system.
Progent's ransomware team uses state-of-the-art project management applications to orchestrate the complex restoration process. Progent understands the urgency of acting swiftly and in unison with a client's management and Information Technology staff to prioritize tasks and get essential systems back on line as soon as possible.
Customer Story: A Successful Ransomware Incident Recovery
A business engaged Progent after it was attacked by the Ryuk ransomware. Ryuk is believed to have been created by North Korean state hackers, possibly using techniques leaked from the U.S. National Security Agency. Ryuk targets organizations with little or no tolerance for disruption and is one of the most lucrative ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing business based in Chicago with around 500 employees. The Ryuk penetration had disabled all company operations and manufacturing processes. Most of the client's backups were directly reachable from the network at the time of the attack and were destroyed. The client was considering paying the ransom (exceeding $200K) and hoping for the best, but in the end reached out to Progent.
"I cannot thank you enough for the care Progent gave us throughout the most critical period of (our) company's life. We may have had to pay the cybercriminals if not for the confidence the Progent group provided us. The fact that you were able to get our e-mail system and key applications back into operation in less than a week was earth shattering. Every single expert I spoke to or texted at Progent was amazingly focused on getting our company operational and was working 24 by 7 on our behalf."
Progent worked hand in hand with the customer to quickly identify and prioritize the critical systems that had to be addressed in order to restart business functions:
- Active Directory
- Microsoft Exchange
To start, Progent followed incident response best practices by halting lateral movement and performing malware removal. Progent then began rebuilding Windows Active Directory, the foundation of enterprise systems built on Microsoft Windows technology. Exchange email will not function without Windows AD, and the customer's accounting and MRP system used SQL Server, which depends on Active Directory for authentication to the databases.
In less than two days, Progent restored Active Directory to its pre-attack state. Progent then completed setup and disk recovery for key applications. All Exchange Server connections and configuration information were intact, which greatly helped the rebuild of Exchange. Progent collected unencrypted OST files (Microsoft Outlook Off-Line Data Files) from team workstations and laptops to recover mail data. A reasonably recent offline backup of the client's manufacturing software made it possible to restore those essential applications to service. Although much work remained to recover completely from the Ryuk damage, core systems were recovered rapidly:
"For the most part, the production line operation never missed a beat and we made all customer orders."
Over the next couple of weeks, critical milestones in the recovery project were accomplished through close cooperation between Progent consultants and the client:
- Internal web sites were brought back up with no loss of information.
- The MailStore server holding over four million archived Exchange messages was brought back up and made available to users.
- CRM, customer orders, invoicing, accounts payable, accounts receivable and inventory functions were completely recovered.
- A new Palo Alto Networks 850 security appliance was deployed.
- 90% of the user PCs were operational.
"So much of what went on that first week is mostly a fog for me, but my management will not soon forget the countless hours each and every one of your team accomplished to give us our company back. I have utilized Progent for the past ten years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This time was a stunning achievement."
A potentially business-ending catastrophe was averted by results-oriented professionals, a wide range of technical expertise, and close teamwork. Although forensics showed that the attack described here could have been stopped by up-to-date cyber security systems and recognized best practices, staff training, and appropriate procedures for data protection and software patching, the fact remains that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incident, remember that Progent's team has proven experience in crypto-ransomware defense, cleanup, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were contributing), thanks very much for letting me get rested after we got through the most critical parts. Everyone did an impressive effort, and if anyone that helped is in the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)