Ransomware: Your Crippling IT Disaster
Crypto-ransomware has become an escalating cyber pandemic that represents an enterprise-level threat for businesses of all sizes that are poorly prepared for an attack. Versions of crypto-ransomware like the Reveton, Fusob, Locky, SamSam and MongoLock cryptoworms have been running rampant for years and still cause damage. Modern versions of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Nephilim, plus a steady stream of as-yet-unnamed variants, not only encrypt critical online data but also defeat many of the system protection mechanisms an organization has configured. Files replicated to off-site disaster recovery sites can also be rendered useless. In a vulnerable data protection solution, this can make automated recovery impossible and essentially sets the datacenter back to square one.
Getting applications and information back online following a crypto-ransomware attack becomes a race against time as the targeted organization fights to stop lateral movement, clear the malware, and restore enterprise-critical operations. Because ransomware needs time to move laterally, attacks are often sprung on weekends, when a successful intrusion tends to take longer to discover. This compounds the difficulty of quickly mobilizing and organizing a knowledgeable mitigation team.
Progent offers a variety of solutions for protecting Huntington Beach organizations from ransomware events. These include user training to recognize and avoid phishing scams, and ProSight Active Security Monitoring (ASM), an endpoint detection and response service that uses SentinelOne's AI-based threat defense to detect and shut down zero-day malware attacks. Progent also offers the services of seasoned crypto-ransomware recovery professionals with the skills and commitment to redeploy a breached network as rapidly as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware event, even paying the ransom demand in cryptocurrency does not ensure that the criminals will respond with the keys needed to decrypt any or all of your information. Kaspersky Labs found that seventeen percent of ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the typical ransomware demand, which ZDNET estimated at around $13,000 for small businesses. The alternative is to reinstall the essential parts of your IT environment. Without usable backups of essential data, this calls for a wide complement of IT skills, well-coordinated project management, and the willingness to work 24x7 until the job is done.
For two decades, Progent has offered professional IT services to companies throughout the U.S. and has achieved Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who hold advanced certifications in key technologies from Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have earned internationally recognized industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has experience with financial management and ERP applications. This breadth of expertise allows Progent to rapidly identify critical systems, organize the surviving components of your network after a ransomware event, and assemble them into an operational network.
Progent's ransomware team uses state-of-the-art project management tools to orchestrate the complicated recovery process. Progent understands the importance of working rapidly, together with a customer's management and IT staff, to prioritize tasks and get key applications back online as fast as possible.
Business Case Study: A Successful Ransomware Incident Recovery
A customer hired Progent after their company was attacked by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean state-sponsored hackers, suspected of using techniques leaked from the United States NSA. Ryuk targets specific companies with little tolerance for operational disruption and is among the most profitable examples of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing business based in the Chicago metro area with about 500 employees. The Ryuk intrusion had frozen all company operations and manufacturing capabilities. Most of the client's system backups had been directly accessible from the network at the time of the intrusion and were encrypted along with the production data. The client considered paying the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately reached out to Progent.
"I can't tell you enough in regards to the expertise Progent gave us during the most critical period of (our) business's survival. We had little choice but to pay the hackers behind this attack except for the confidence the Progent team gave us. That you were able to get our e-mail system and critical servers back into operation in less than a week was something I thought impossible. Every single person I talked with or messaged at Progent was laser focused on getting our system up and was working all day and night to bail us out."
Progent worked hand in hand with the client to rapidly identify and prioritize the most important applications that had to be addressed to make it possible to resume company functions:
- Active Directory
- Exchange Server
To begin, Progent followed industry best practices for malware incident mitigation by halting lateral movement and clearing infected systems. Progent then started bringing Microsoft Active Directory back online, since it is the foundation of enterprise environments built on Microsoft Windows technology. Microsoft Exchange Server email will not function without Active Directory, and the customer's accounting and MRP applications used Microsoft SQL Server, which relied on Active Directory for authentication to the data.
Within 48 hours, Progent was able to rebuild Active Directory to its pre-attack state. Progent then began rebuilding the needed systems and recovering their storage. All of the Exchange Server links and attributes in Active Directory were intact, which greatly simplified the rebuild of Exchange. Progent was also able to collect local OST files (Outlook Offline Data Files) from various PCs and laptops in order to recover mail messages that had been cached on the clients. A recent off-line backup of the client's manufacturing software made it possible to bring these essential services back online for users. Although significant work remained to recover fully from the Ryuk attack, essential services were restored rapidly:
"For the most part, the production operation survived unscathed and we delivered all customer shipments."
During the next few weeks important milestones in the recovery project were accomplished in close cooperation between Progent engineers and the customer:
- In-house web sites were restored without losing any data.
- The MailStore Server with over 4 million archived messages was restored to operations and accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory modules were fully operational.
- A new Palo Alto 850 security appliance was installed and configured.
- Ninety percent of the user desktops were functioning as before the incident.
"A lot of what transpired that first week is mostly a blur for me, but my management will not soon forget the care each of the team put in to give us our company back. I've been working together with Progent for the past 10 years, maybe more, and every time Progent has shined and delivered. This situation was no exception but maybe more Herculean."
A likely business-killing disaster was avoided by hard-working experts, a broad array of knowledge, and tight collaboration. Forensics showed that the ransomware attack described here should have been stopped by up-to-date cyber security technology, NIST Cybersecurity Framework best practices, user education, and properly executed procedures for data protection and security patching; nevertheless, state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to ransomware, remember that Progent's team of experts has extensive experience in ransomware defense, remediation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were helping), I'm grateful for making it so I could get rested after we got over the most critical parts. Everyone did an impressive effort, and if any of your team is around the Chicago area, a great meal is on me!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer case study, see Progent's Ryuk Incident Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Recovery Expertise in Huntington Beach
For ransomware system restoration expertise in the Huntington Beach metro area, call Progent at 800-462-8800 or go to Contact Progent.