Ransomware: Your Worst IT Nightmare
Ransomware has become an escalating cyber pandemic that poses an existential threat to businesses unprepared for an attack. Ransomware and lockout schemes such as Reveton, WannaCry, Locky, Syskey and MongoLock have been running rampant for years and continue to inflict harm. Modern families such as Ryuk, Maze, Sodinokibi (REvil), NetWalker, LockBit and Nefilim, plus frequent unnamed strains, not only encrypt online data but also seek out and encrypt any backups reachable from the compromised network. Files synced to off-site disaster recovery sites can be rendered useless as well, because the encrypted copies replicate along with everything else. In a vulnerable environment this can make automated restore operations hopeless and essentially sets the entire environment back to square one.
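The backup failure mode described above is the reason a backup set should be checked against evidence the attacker could not have rewritten before it is trusted for a restore. The following Python script is an added example written for this page, not Progent's tooling or anything from the case study: it records a SHA-256 manifest of a backup set when the backup is taken and later checks the set for files that are missing, modified, renamed with a ransomware suffix, or simply not in the manifest. The share layout, sample file contents, the suffix list (Ryuk appends ".RYK"; the others are illustrative) and the ransom-note name in demo() are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

# Illustrative suffix list (assumption, not exhaustive): Ryuk appends ".RYK"
# to files it encrypts; other families use their own markers.
SUSPICIOUS_SUFFIXES = {".ryk", ".locked", ".encrypted"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup images need not fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _files_in(backup_dir: Path) -> dict[str, Path]:
    """Map relative POSIX-style path -> absolute path for every file in the set."""
    return {p.relative_to(backup_dir).as_posix(): p
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}


def build_manifest(backup_dir: Path) -> dict[str, str]:
    """Record relative path -> SHA-256 at backup time.

    Store the manifest where the backup host cannot write to it (offline media,
    a WORM/object-lock bucket, a separate read-only system); otherwise the
    attacker simply rewrites it together with the backups.
    """
    return {rel: sha256_file(p) for rel, p in _files_in(backup_dir).items()}


def verify_backup(backup_dir: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the backup set on disk against the trusted manifest."""
    findings: dict[str, list[str]] = {
        "missing": [],            # in manifest, gone from disk
        "modified": [],           # present but content no longer matches
        "renamed_encrypted": [],  # new file carrying a ransomware suffix
        "unexpected": [],         # any other file the manifest never listed
    }
    present = _files_in(backup_dir)
    for rel, expected in manifest.items():
        path = present.get(rel)
        if path is None:
            findings["missing"].append(rel)
        elif sha256_file(path) != expected:
            findings["modified"].append(rel)
    for rel, path in present.items():
        if rel in manifest:
            continue
        if path.suffix.lower() in SUSPICIOUS_SUFFIXES:
            findings["renamed_encrypted"].append(rel)
        else:
            findings["unexpected"].append(rel)
    return findings


def backup_is_trustworthy(findings: dict[str, list[str]]) -> bool:
    """Only a complete, unchanged set should be fed to an automated restore."""
    return not any(findings.values())


def demo() -> dict[str, list[str]]:
    """Constructed scenario, not real data: snapshot a small backup share, then
    simulate a Ryuk-style pass over it (overwrite and rename one file, overwrite
    another in place, drop a ransom note) and re-verify against the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        (share / "sql").mkdir()
        (share / "sql" / "erp_full.bak").write_bytes(b"SQLSERVER-BACKUP" * 1024)
        (share / "exchange_db.vhdx").write_bytes(b"EXCHANGE-DATA" * 2048)
        (share / "file_share.zip").write_bytes(b"ZIPDATA" * 512)
        manifest = build_manifest(share)  # in real life: copied off-host here

        victim = share / "sql" / "erp_full.bak"
        victim.write_bytes(os.urandom(victim.stat().st_size))
        victim.rename(victim.with_name("erp_full.bak.RYK"))
        (share / "exchange_db.vhdx").write_bytes(os.urandom(4096))
        (share / "RyukReadMe.txt").write_text("constructed ransom note")
        return verify_backup(share, manifest)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:18s} {files}")
```

The manifest only tells you whether the copy on disk is still the copy you made; it does not replace an offline or immutable copy. In the demo the untouched file_share.zip passes, the in-place overwrite of exchange_db.vhdx is reported as modified, and the Ryuk-style rename shows up twice: the original path is missing and the ".RYK" file is flagged as renamed_encrypted, which is exactly the pattern to look for before deciding whether a backup set is worth restoring from.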
Restoring applications and data after a crypto-ransomware attack becomes a race against time as the victim fights to contain and clean up the infection and resume business-critical operations. Because encrypting an environment takes time, attacks are usually launched at night or over weekends, when a successful intrusion typically takes longer to notice. This multiplies the difficulty of rapidly assembling and organizing an experienced response team.
Progent provides an assortment of services for protecting Boston organizations from ransomware attacks. These include staff training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security gateways with AI capabilities to rapidly identify and contain new threats. Progent also offers the services of experienced ransomware recovery consultants with the track record and commitment to rebuild a breached network as quickly as possible.
Progent's Ransomware Restoration Services
After a crypto-ransomware intrusion, paying the ransom demand in cryptocurrency provides no assurance that the criminals will return the keys needed to decrypt all your files. Kaspersky Lab found that seventeen percent of crypto-ransomware victims never recovered their files even after paying the ransom, compounding their losses. The demands themselves are also expensive. Ryuk ransoms frequently ranged from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet estimated at around $13,000 for small businesses. The fallback is to rebuild the vital parts of your IT environment from scratch. Without access to essential data backups, this requires a wide complement of skill sets, professional project management, and the ability to work 24x7 until the task is finished.
For decades, Progent has provided professional IT services to businesses across the United States and holds Microsoft Partner certifications in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who hold top certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have earned internationally recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications.) Progent also has experience with accounting and ERP software. This breadth of expertise gives Progent the capability to knowledgeably identify critical systems, salvage the surviving components of your network environment after a crypto-ransomware attack, and rebuild them into an operational network.
Progent's recovery team uses best-of-breed project management tools to orchestrate the complex recovery process. Progent understands the urgency of acting rapidly and in concert with a client's management and IT staff to prioritize tasks and bring critical services back online as fast as possible.
Client Story: A Successful Ransomware Attack Response
A client escalated to Progent after their organization was taken over by the Ryuk crypto-ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because of code overlap with the earlier Hermes ransomware, and its delivery chain was suspected of using techniques leaked from the U.S. NSA; later analysis attributed Ryuk's operation to a Russian-speaking criminal group instead. Ryuk targets specific companies with limited ability to sustain disruption and is among the most profitable crypto-ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing business headquartered in the Chicago metro area with about 500 employees. The Ryuk intrusion had disabled all essential business operations and manufacturing processes. Most of the client's backups had been online at the start of the intrusion and were eventually encrypted. The client was preparing to pay the ransom demand (more than $200,000) and hoping for the best, but ultimately reached out to Progent.
"I can't speak enough in regards to the expertise Progent provided us throughout the most critical period of (our) company's survival. We most likely would have paid the cybercriminals except for the confidence the Progent team afforded us. That you could get our e-mail and key servers back online sooner than one week was something I thought impossible. Every single person I talked with or e-mailed at Progent was hell bent on getting my company operational and was working day and night on our behalf."
Progent worked with the client to rapidly identify and prioritize the critical areas that had to be restored before company operations could continue:
- Active Directory
- Electronic Messaging
- MRP System
To begin, Progent followed standard incident-response practice for malware: isolating infected systems to halt the spread, then cleaning them up. Progent then began rebuilding Active Directory, the core of enterprise systems built on Microsoft Windows Server. Microsoft Exchange email will not work without Active Directory, and the client's accounting and MRP system used Microsoft SQL Server, which in this environment depended on Active Directory accounts for access to the databases.
Within two days, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then pressed ahead with reinstallation and disk recovery of essential applications. All Exchange-related directory objects and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to collect local OST files (Outlook Offline Data Files) from team workstations to recover mail data. A recent offline backup of the client's accounting software made it possible to bring these required applications back online. Although significant work remained to recover completely from the Ryuk attack, core services were returned to operation rapidly:
"For the most part, the production manufacturing operation showed little impact and we produced all customer shipments."
During the following month, key milestones in the recovery were accomplished in close cooperation between Progent team members and the client:
- Self-hosted web applications were restored without losing any data.
- The MailStore Server archive, holding more than four million historical emails, was brought back up and made available to users.
- CRM/Orders/Invoices/AP/AR/Inventory Control modules were fully functional.
- A new Palo Alto Networks PA-850 firewall was set up.
- 90% of the desktops and laptops were functioning as they had before the incident.
"Much of what transpired in the initial days is nearly entirely a fog for me, but my management will not soon forget the urgency all of the team accomplished to help get our business back. I have utilized Progent for the past 10 years, maybe more, and each time Progent has shined and delivered. This situation was a life saver."
A potential business-ending catastrophe was averted through dedicated experts, a wide range of knowledge, and tight collaboration. Post-incident forensics showed that the ransomware incident described here could have been prevented with modern cyber security controls and best practices, staff training, and well-designed procedures for data backup and software patching; nevertheless, state-sponsored actors from China, North Korea and elsewhere, as well as organized ransomware gangs, are tireless and are not going away. If you do fall victim to ransomware, remember that Progent's team has proven experience in ransomware prevention, cleanup, and data recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for allowing me to get rested after we made it through the most critical parts. Everyone did an amazing effort, and if any of your guys is visiting the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Expertise in Boston
For ransomware system restoration consulting services in the Boston metro area, phone Progent at 800-462-8800 or go to Contact Progent.