Ransomware: Your Feared IT Nightmare
Ransomware has become a modern cyber pandemic that represents an enterprise-level danger for businesses unprepared for an attack. Earlier families such as CryptoLocker, CryptoWall, Locky, NotPetya and the MongoLock cryptoworm have been circulating for years and still inflict damage. Newer strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Egregor, along with a steady stream of as yet unnamed newcomers, not only encrypt online data but also defeat most of the system protection mechanisms an organization has configured. Data replicated to cloud environments can also be rendered useless. In a poorly architected environment, this can make automated restore operations hopeless and effectively knocks the datacenter back to square one.
Restoring services and information after a ransomware intrusion becomes a race against the clock as the targeted business tries to contain the damage, clean up the ransomware and resume business-critical operations. Because crypto-ransomware needs time to spread, attacks are usually launched at night and on weekends, when intrusions take longer to detect. This compounds the difficulty of quickly mobilizing and coordinating an experienced mitigation team.
Progent offers an assortment of support services for protecting Durham businesses from crypto-ransomware events. These include team education to help staff recognize and avoid phishing scams, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which uses SentinelOne's behavior-based threat defense to identify and quarantine zero-day malware attacks. Progent also provides the assistance of expert ransomware recovery engineers with the skill and commitment to rebuild a breached system as quickly as possible.
Progent's Ransomware Restoration Help
Following a ransomware penetration, paying the ransom demand in Bitcoin provides no assurance that the remote criminals will respond with the keys to decrypt any of your data. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their information after paying the ransom, compounding their losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the usual crypto-ransomware demand, which ZDNet determined to be in the range of $13,000 for smaller organizations. The other path is to rebuild the critical elements of your IT environment. Absent complete system backups, this calls for a broad range of skill sets, top-notch team management, and the ability to work continuously until the task is complete.
For twenty years, Progent has provided professional IT services for companies throughout the U.S. and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who hold high-level certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists hold internationally recognized certifications including CISA, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience with accounting and ERP applications. This breadth of experience allows Progent to rapidly understand critical systems, organize the surviving parts of your IT environment after a ransomware event, and assemble them into an operational system.
Progent's recovery team uses top-notch project management systems to orchestrate the complicated restoration process. Progent appreciates the urgency of acting swiftly and of working together with a customer's management and IT staff to prioritize tasks and get critical services back online as soon as possible.
Client Case Study: A Successful Ransomware Penetration Restoration
A small business hired Progent after their company was penetrated by Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean government-sponsored cybercriminals, suspected of adopting strategies leaked from America's National Security Agency. Ryuk targets specific companies with limited ability to sustain operational disruption and is one of the most profitable ransomware families. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer located in Chicago with around 500 staff members. The Ryuk attack had frozen all essential business and manufacturing processes. Most of the client's backups had been online at the start of the attack and were damaged. The client was considering paying the ransom demand (more than $200,000) and hoping for the best, but in the end decided to engage Progent.
"I cannot tell you enough in regards to the expertise Progent gave us throughout the most critical time of (our) business's survival. We most likely would have paid the hackers behind this attack if it wasn't for the confidence the Progent experts provided us. The fact that you were able to get our e-mail and key applications back into operation quicker than 1 week was incredible. Each person I spoke to or communicated with at Progent was hell bent on getting my company operational and was working 24/7 to bail us out."
Progent worked hand in hand with the customer to quickly identify and prioritize the most important systems that needed to be recovered in order to continue departmental operations:
- Microsoft Active Directory
- Accounting and Manufacturing Software
To begin, Progent followed industry best practices for malware incident response by isolating and cleaning up infected systems. Progent then started the work of bringing Microsoft Active Directory back online, the core technology of enterprise networks built on Microsoft Windows Server. Exchange messaging will not function without AD, and the business's MRP applications relied on Microsoft SQL Server, which depends on Active Directory for authentication and authorization of access to the data.
In less than two days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then assisted with reinstallation and hard drive recovery of critical servers. All Exchange schema and configuration information was usable, which accelerated the rebuild of Exchange. Progent was also able to locate intact OST files (Outlook Offline Folder Files) on user PCs and laptops and use them to recover email messages. A relatively recent offline backup of the business's manufacturing software made it possible to bring these vital applications back online for users. Although significant work remained to recover completely from the Ryuk event, essential services were returned to operation rapidly:
"For the most part, the manufacturing operation ran fairly normal throughout and we delivered all customer deliverables."
Over the following month, key milestones in the recovery were completed in close cooperation between Progent engineers and the customer:
- Internal web applications were returned to operation without losing any data.
- The MailStore Exchange Server containing more than four million archived messages was spun up and available for users.
- CRM/Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory Control capabilities were fully restored.
- A new Palo Alto 850 firewall was brought online.
- Most user PCs were back in use by staff.
"A lot of what transpired during the initial response is nearly entirely a blur for me, but we will not soon forget the commitment each and every one of you put in to give us our company back. I have entrusted Progent for the past 10 years, possibly more, and every time Progent has shined and delivered. This situation was a Herculean accomplishment."
A likely business-ending catastrophe was averted through the efforts of top-tier professionals, a broad array of subject matter expertise, and close collaboration. In retrospect, the ransomware attack described here should have been blocked by modern cybersecurity technology and security best practices: user education, well-designed backup procedures, and keeping systems current with security patches. Even so, government-sponsored hackers from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you are hit by a ransomware attack, remember that Progent's roster of professionals has proven experience in ransomware blocking, removal, and data recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thank you for making it so I could get rested after we made it over the first week. All of you did an amazing effort, and if anyone that helped is in the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Consulting Services in Durham
For ransomware recovery services in the Durham area, phone Progent at 800-462-8800 or go to Contact Progent.