Ransomware: Your Feared IT Disaster
Crypto-ransomware has become an escalating cyberplague that represents an existential threat for businesses poorly prepared for an attack. Older families such as CrySIS, CryptoWall, Bad Rabbit and MongoLock (along with Syskey lockout scams, which abuse a built-in Windows utility rather than encrypting data) have been in the wild for years and continue to cause damage. Newer strains such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Conti and Nefilim, plus a steady stream of unnamed newcomers, not only encrypt online data but also seek out every backup reachable from the compromised network, including volume shadow copies and backups synchronized to cloud storage, and encrypt or delete them. In a poorly designed data protection solution this can make automated restores impossible and effectively sets the network back to zero.
Recovering applications and data after a ransomware attack becomes a race against the clock as the victim works to contain the damage, eradicate the malware, and resume mission-critical operations. Because ransomware needs time to spread, intrusions are frequently triggered on weekends and at night, when they take longer to notice. This makes it even harder to quickly mobilize and organize a capable response team.
Progent offers a range of services for protecting Boston businesses from ransomware attacks. These include team training to help staff identify and avoid phishing scams, and ProSight Active Security Monitoring, an endpoint detection and response (EDR) service built on SentinelOne's AI-based threat defense to detect and quarantine zero-day malware. Progent also offers the assistance of veteran ransomware recovery engineers with the skill and perseverance to rebuild a compromised environment as quickly as possible.
Progent's Ransomware Recovery Services
After a ransomware event, paying the ransom in Bitcoin does not guarantee that the attackers will deliver keys that decrypt any or all of your files. Kaspersky Labs estimated that 17% of ransomware victims who paid never recovered their files, compounding their losses. Paying is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000), well above the typical ransomware demand, which ZDNet put at around $13,000 for small businesses. The alternative is to rebuild the mission-critical components of your IT environment from scratch. Without usable backups, this requires a broad set of skills, professional project management, and the capacity to work around the clock until the job is done.
For twenty years, Progent has provided professional IT services to businesses across the U.S. and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who hold top industry certifications in key technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's security specialists hold internationally recognized certifications including CISM, CISSP, CRISC and GIAC (see Progent's certifications). Progent also has expertise with accounting and ERP applications. This breadth of expertise lets Progent efficiently identify the systems that must be recovered, consolidate the surviving pieces of your network after a ransomware attack, and configure them into a working environment.
Progent's security team uses modern project management tools to coordinate the complex restoration process. Progent understands the urgency of working quickly, and together with a client's management and IT staff, to prioritize tasks and bring essential systems back online as fast as possible.
Client Case Study: Successful Recovery from a Crypto-Ransomware Attack
A business sought out Progent after it was hit by Ryuk crypto-ransomware. Ryuk was initially attributed to North Korean state-backed actors because it shares code with the Hermes ransomware used by the Lazarus group; subsequent analysis attributed its operation to the Russian-speaking criminal group tracked as Wizard Spider, which also runs the TrickBot botnet. Ryuk targets specific organizations with little or no tolerance for disruption and is one of the most profitable ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a manufacturing business in the Chicago metro area with about 500 employees. The Ryuk attack had paralyzed all company operations and manufacturing processes. Most of the client's backups were online at the start of the attack and were eventually encrypted. The client considered paying the ransom (more than two hundred thousand dollars) and hoping for the best, but in the end called Progent.
"I cannot speak enough in regard to the expertise Progent gave us throughout the most critical time of (our) company's existence. We had little choice but to pay the hackers except for the confidence the Progent experts provided us. That you could get our e-mail and important servers back on-line sooner than five days was something I thought impossible. Each expert I worked with or e-mailed at Progent was amazingly focused on getting us working again and was working at breakneck pace on our behalf."
Progent worked hand in hand with the customer to quickly identify and prioritize the most important systems that had to be recovered in order to restart departmental operations:
- Active Directory
- Electronic messaging (Exchange)
To begin, Progent followed incident response best practices: it contained the intrusion by stopping lateral movement, then removed the malware from affected systems. Progent then started rebuilding Active Directory, the heart of enterprise environments built on Microsoft technology. Microsoft Exchange Server will not function without AD, and the client's financial and MRP applications ran on Microsoft SQL Server configured for Windows (Active Directory) authentication, so nothing could reach that data until AD was back.
Within 48 hours, Progent had rebuilt Active Directory to its pre-attack state. Progent then helped set up and recover storage for mission-critical systems. Exchange's links to Active Directory and its configuration information were intact, which simplified the rebuild of Exchange. Progent was also able to collect unencrypted Outlook Offline Folder (.ost) files from various workstations in order to recover mailbox data. A reasonably recent offline backup of the customer's accounting/ERP systems made it possible to bring these essential applications back online. Although significant work remained to recover completely from the Ryuk damage, critical systems were returned to operation quickly:
"For the most part, the assembly line operation did not miss a beat and we delivered all customer deliverables."
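The step above of collecting unencrypted .ost files from workstations can be made systematic. The following Python script is an added example, not Progent's tooling, and its sample files are constructed in a temporary directory rather than taken from any real mailbox. It walks a directory tree for .ost/.pst files and checks two things per file: the PST/OST signature ("!BDN" at offset 0 and "SM" at offset 8, per Microsoft's [MS-PST] format specification) and the Shannon entropy of the first 64 KB. An intact file has its header and a mix of structure and text (low entropy); a fully encrypted file has lost its header and reads as near-uniform random bytes; a file whose header survives but whose body is random is flagged as suspect, since some ransomware families encrypt only part of large files. The 7.5 bits/byte threshold and the demo file layout are assumptions for this example. The same check, with a different magic string, applies to backup archives.

```python
"""Post-incident triage of Outlook .ost/.pst files (added example, not Progent's code).

Reports whether each candidate file still carries the PST/OST signature and
whether its leading bytes look like encrypted (near-random) data.
"""
import math
import os
import tempfile
from collections import Counter

PST_MAGIC = b"!BDN"          # dwMagic at offset 0 ([MS-PST] header)
PST_CLIENT_MAGIC = b"SM"     # wMagicClient at offset 8
SAMPLE_BYTES = 64 * 1024     # bytes examined per file
ENTROPY_THRESHOLD = 7.5      # bits/byte; assumption chosen for this example


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_ost(path: str) -> dict:
    """Classify one file as intact, suspect, or encrypted-or-corrupt."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    has_magic = head[0:4] == PST_MAGIC and head[8:10] == PST_CLIENT_MAGIC
    entropy = shannon_entropy(head)
    if has_magic and entropy < ENTROPY_THRESHOLD:
        verdict = "intact"
    elif has_magic:
        # Header survived but the body looks random: partial encryption is possible.
        verdict = "suspect"
    else:
        verdict = "encrypted-or-corrupt"
    return {"path": path, "magic": has_magic, "entropy": round(entropy, 2), "verdict": verdict}


def find_ost_files(root: str):
    """Yield every .ost/.pst path under root (case-insensitive match on extension)."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".ost", ".pst")):
                yield os.path.join(dirpath, name)


def triage(root: str) -> list:
    """Classify all candidate files under root, sorted by path."""
    return [classify_ost(p) for p in sorted(find_ost_files(root))]


def build_demo_tree() -> str:
    """Create constructed sample files (not real mailbox data) in a temp dir."""
    root = tempfile.mkdtemp(prefix="ost-triage-")
    # 12-byte header prefix: dwMagic, dwCRCPartial (placeholder), wMagicClient, wVer=23 (Unicode)
    header = PST_MAGIC + b"\x00\x00\x00\x00" + PST_CLIENT_MAGIC + b"\x17\x00"
    samples = {
        # intact: header present, body is structure plus repetitive text
        os.path.join("alice", "outlook.ost"): header + b"\x00" * 4096
            + b"Subject: Q3 shipment schedule\r\n" * 200,
        # fully encrypted: header gone, everything looks random
        os.path.join("bob", "outlook.ost"): os.urandom(SAMPLE_BYTES),
        # header kept but body random: partial encryption, flagged as suspect
        os.path.join("carol", "archive.pst"): header + os.urandom(SAMPLE_BYTES),
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for row in triage(build_demo_tree()):
        print(f"{row['verdict']:22} entropy={row['entropy']:.2f} magic={row['magic']} {row['path']}")
```

A passing "intact" verdict only says the file was not overwritten by the encryptor; it still has to be opened in Outlook or a PST recovery tool, and files collected this way should be copied from write-blocked or read-only mounts so that the triage itself does not alter evidence.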
During the following couple of weeks, important milestones in the recovery project were reached through close cooperation between Progent consultants and the customer:
- In-house web applications were restored with no loss of data.
- The MailStore email archive server, holding more than 4 million archived messages, was restored to operation and made available to users.
- CRM, product ordering, invoicing, accounts payable (AP), accounts receivable (AR) and inventory functions were fully recovered.
- A new Palo Alto Networks PA-850 firewall was deployed.
- Ninety percent of user PCs were fully operational.
"A lot of what transpired in the early hours is nearly entirely a haze for me, but our team will not forget the countless hours each of your team accomplished to help get our business back. I have utilized Progent for the past ten years, possibly more, and every time Progent has impressed me and delivered. This event was a stunning achievement."
A potentially company-ending disaster was averted by results-oriented professionals, a broad range of subject matter expertise, and close teamwork. In retrospect, the incident described here should have been detected and blocked by current security controls, NIST Cybersecurity Framework best practices, staff training, and well-designed procedures for data protection (including offline backups) and software patching; the reality, though, is that criminal and state-sponsored groups in Russia, China and elsewhere are tireless and will keep attacking. If you do fall victim to a ransomware incident, be confident that Progent's team has proven experience in ransomware prevention, removal, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for making it so I could get rested after we made it through the most critical parts. Everyone did an incredible job, and if any of your guys is visiting the Chicago area, a great meal is on me!"
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Services in Boston
For ransomware cleanup expertise in the Boston area, call Progent at 800-462-8800 or see Contact Progent.