Ransomware: Your Worst IT Disaster
Crypto-ransomware has become an all-too-frequent cyber pandemic that poses an extinction-level danger to businesses of all sizes that are poorly prepared for an attack. Earlier families of ransomware such as the CrySIS, Fusob, Locky, NotPetya and MongoLock cryptoworms have been running rampant for many years and still cause havoc. Newer variants such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, along with new and as yet unnamed strains that appear daily, not only encrypt critical online data but also infect every configured system backup they can reach. Files synchronized to off-site disaster recovery sites can be ransomed as well. In a poorly designed environment, this makes automatic recovery hopeless and effectively sets the entire system back to square one.
Recovering applications and data after a ransomware attack becomes a sprint against the clock as the victim struggles to stop the spread, eradicate the malware, and restore business-critical activity. Because crypto-ransomware needs time to spread, attacks are usually launched on weekends and holidays, when a successful intrusion tends to go undiscovered for longer. This compounds the difficulty of promptly assembling and coordinating a knowledgeable response team.
Progent offers a range of support services for protecting Sorocaba enterprises from ransomware intrusions. These include staff education to help employees recognize and avoid phishing lures, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which uses SentinelOne's behavior-based threat protection to identify and disable zero-day malware attacks. Progent can also provide the services of veteran ransomware recovery consultants with the skill and commitment to rebuild a compromised network as rapidly as possible.
Progent's Ransomware Recovery Services
After a crypto-ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminal gang will return the keys needed to decrypt any of your files. Kaspersky found that 17% of ransomware victims never recovered their data even after paying the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is far above the usual ransomware demand, which ZDNET determined to be around $13,000 for smaller organizations. The other path is to piece back together the essential elements of your IT environment. Without full system backups, this calls for a broad complement of IT skills, top-notch project management, and the capability to work around the clock until the recovery is complete.
For twenty years, Progent has provided professional IT services to companies across the U.S. and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who hold advanced certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers hold internationally recognized certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience with accounting and ERP application software. This breadth of expertise gives Progent the ability to efficiently identify critical systems, consolidate the surviving pieces of your network after a ransomware event, and rebuild them into an operational network.
Progent's recovery team uses state-of-the-art project management tools to orchestrate the complex restoration process. Progent understands the urgency of acting swiftly and in concert with a customer's management and IT staff to prioritize tasks and get critical systems back online as fast as humanly possible.
Case Study: A Successful Crypto-Ransomware Attack Response
A customer sought out Progent after their company was taken over by Ryuk ransomware. Ryuk is believed to have been created by North Korean government-sponsored cybercriminals, possibly adopting algorithms leaked from the U.S. NSA. Ryuk targets specific companies with little or no ability to sustain disruption and is among the most profitable examples of ransomware. Major targets have included Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing company headquartered in the Chicago metro area with around 500 staff members. The Ryuk intrusion had brought down all business operations and manufacturing capabilities. The majority of the client's data backups had been online at the start of the intrusion and were destroyed. The client was actively seeking loans to pay the ransom demand (more than two hundred thousand dollars) and hoping for good luck, but in the end reached out to Progent.
"I cannot tell you enough in regards to the care Progent gave us throughout the most stressful time of (our) business's survival. We may have had to pay the hackers if not for the confidence the Progent experts gave us. That you were able to get our messaging and critical servers back online in under seven days was incredible. Each expert I worked with or e-mailed at Progent was totally committed to getting us back online and was working at all hours on our behalf."
Progent worked with the client to quickly identify and prioritize the critical systems that had to be recovered in order to restart business functions:
- Active Directory
- Microsoft Exchange Email
- Accounting and Manufacturing Software
To begin, Progent followed industry best practices for ransomware incident response by stopping lateral movement and disinfecting systems. Progent then began the task of bringing Windows Active Directory back online, the foundational technology of enterprise networks built on Microsoft Windows. Microsoft Exchange email will not operate without Windows AD, and the customer's financials and MRP system relied on SQL Server, which depends on Active Directory for authorizing access to the data.
In less than two days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then assisted with reinstallation and storage recovery of critical applications. All Exchange links and attributes in Active Directory were intact, which greatly simplified the restoration of Exchange. Progent was able to locate local OST data files (Microsoft Outlook Offline Folder Files) on staff desktop computers and laptops in order to recover email data. A recent offline backup of the client's financials/ERP systems made it possible to bring these required applications back to users. Although a lot of work remained to recover fully from the Ryuk attack, the most important systems were restored rapidly:
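The OST recovery step above relies on knowing which workstations still hold usable Outlook cache files. The following PowerShell script is an added illustration, not code from Progent or the case study: it inventories OST and PST files under every user profile on a workstation, records their size and last-write time, and flags files written after the incident began so the recovery team can verify those by hand before treating them as good mail data. The incident start time, report path and the assumption that the script runs with local administrator rights (so every profile is readable) are hypothetical placeholders.

```powershell
# Added example (not from Progent or the case study): inventory Outlook offline
# cache files (.ost) and archives (.pst) on a workstation so a recovery team can
# judge how much mailbox data survives locally after a ransomware incident.
# Assumptions (hypothetical): $IncidentStart is a placeholder to be replaced with
# the real incident time; the script runs with local administrator rights.
param(
    [datetime]$IncidentStart = (Get-Date '2000-01-01T00:00:00'),
    [string]$ReportPath = (Join-Path $env:TEMP 'ost-inventory.csv')
)

$profileRoot = Join-Path $env:SystemDrive 'Users'

# Outlook stores OST/PST files inside each user's profile; search all profiles.
# -Force includes hidden AppData folders; locked files still expose metadata.
$files = Get-ChildItem -Path $profileRoot -Recurse -File -Force `
    -Include '*.ost', '*.pst' -ErrorAction SilentlyContinue

$report = foreach ($f in $files) {
    # A file written after the incident began may have been touched by the
    # malware (or simply still in use by Outlook); flag it for manual
    # verification rather than assuming it is recoverable mail.
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Profile      = ($f.FullName -split '\\')[2]   # C:\Users\<name>\...
        Path         = $f.FullName
        SizeMB       = [math]::Round($f.Length / 1MB, 1)
        LastWrite    = $f.LastWriteTime
        PostIncident = ($f.LastWriteTime -gt $IncidentStart)
    }
}

# Largest files first: these usually hold the most recoverable mailbox history.
$report | Sort-Object SizeMB -Descending | Format-Table -AutoSize
$report | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Inventory written to $ReportPath ($($report.Count) files)"
```

Run it on each endpoint (for example through PowerShell Remoting) and merge the CSV files to see which users' mail can be reconstructed locally. An OST file is only a cache of a server mailbox, so it is a source to import from once Exchange is rebuilt, not a backup to restore in place; files flagged PostIncident should be opened in an isolated environment before any import.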
"For the most part, the production line operation never missed a beat and we delivered all customer shipments."
During the following couple of weeks, key milestones in the recovery process were reached through close collaboration between Progent consultants and the customer:
- Internal web applications were restored without losing any data.
- The MailStore Microsoft Exchange Server with over 4 million historical messages was spun up and accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory modules were fully functional.
- A new Palo Alto 850 firewall was brought on-line.
- 90% of the desktops and laptops were functioning as before the incident.
"A lot of what occurred in the early hours is mostly a haze for me, but my team will not forget the commitment each and every one of your team accomplished to help get our business back. I've been working with Progent for at least 10 years, maybe more, and every time I needed help Progent has shined and delivered. This time was the most impressive ever."
A potential company-ending catastrophe was averted thanks to top-tier experts, a wide array of knowledge, and close teamwork. Post-incident forensics showed that the attack described here could have been identified and stopped with up-to-date security technology, NIST Cybersecurity Framework best practices, user and IT administrator education, and properly executed procedures for data protection and security patching. The reality, however, is that state-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and an ongoing threat. If you do fall victim to a ransomware attack, remember that Progent's roster of professionals has extensive experience in crypto-ransomware defense, cleanup, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thank you for allowing me to get rested after we got through the initial fire. Everyone made a fabulous effort, and if anyone is in the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Expertise in Sorocaba
For ransomware system recovery consulting in the Sorocaba metro area, phone Progent at 800-462-8800 or visit Contact Progent.