Ransomware: Your Crippling Information Technology Disaster
Crypto-ransomware has become an all-too-frequent cyber plague that presents an enterprise-level danger to businesses of every size. Families such as CryptoLocker, CryptoWall, Locky, NotPetya and MongoLock have circulated for years and still inflict havoc. Newer strains such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, Conti and Egregor, along with new variants appearing daily, not only encrypt on-line production data but also destroy any backups reachable from the compromised network. Data synchronized to the cloud is encrypted along with it. In a poorly architected environment this renders automated recovery useless and effectively resets the network to zero.
Getting applications and data back after a ransomware outage is a race against time as the targeted organization tries to contain and clean up the infection and resume mission-critical operations. Because the attackers need time to move laterally and stage the encryption, the payload is usually detonated on weekends or at night, when a successful attack takes longer to discover. This compounds the difficulty of quickly mobilizing and coordinating an experienced response team.
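The timing pattern described above (a burst of file rewrites staged for a weekend or night) is something a file-server monitor can catch early. The following is an added example, not Progent's code or any ProSight component: it replays constructed file-event lines, alerts when one host rewrites many files in a short window with an extension outside the normal baseline, and rates the alert higher when the burst falls outside business hours. The log format, the thresholds, the baseline extension set and the sample lines are all assumptions made for the example.

```python
"""Added example (not Progent's code): a small behavioural detector for the
weekend/night encryption burst described on the page. The log format,
thresholds and baseline below are assumptions for the example."""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Assumed tuning; in production these come from a per-server baseline.
BASELINE_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "csv", "bak", "mdf", "ldf"}
BURST_WINDOW_SECONDS = 60   # sliding window length
BURST_THRESHOLD = 20        # writes/renames per host inside one window
SUSPECT_SHARE = 0.5         # fraction of the window using a non-baseline extension
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def parse_line(line):
    """Assumed line format: '<ISO timestamp> <host> <user> <action> <path>'."""
    ts, host, user, action, path = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "action": action, "path": path}


def extension(path):
    """Last extension of the file name, lower-cased; '' if there is none."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_off_hours(ts):
    """Weekend, or a weekday outside BUSINESS_HOURS."""
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1])


def detect(lines):
    """Return one alert per host whose write activity matches the burst pattern."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_host = defaultdict(list)
    for e in events:
        if e["action"] in ("WRITE", "RENAME"):
            by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so it spans at most BURST_WINDOW_SECONDS.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > BURST_WINDOW_SECONDS:
                start += 1
            window = evs[start:end + 1]
            if len(window) < BURST_THRESHOLD:
                continue
            suspect = sum(1 for w in window if extension(w["path"]) not in BASELINE_EXTENSIONS)
            share = suspect / len(window)
            if share < SUSPECT_SHARE:
                continue
            alerts.append({
                "host": host,
                "users": sorted({w["user"] for w in window}),
                "window_start": window[0]["ts"].isoformat(),
                "window_end": window[-1]["ts"].isoformat(),
                "count": len(window),
                "suspect_share": round(share, 2),
                "severity": "high" if is_off_hours(window[-1]["ts"]) else "medium",
            })
            break  # one alert per host is enough to trigger isolation
    return alerts


def constructed_sample():
    """Constructed log lines: a weekday ETL job writing CSVs at a normal pace,
    then a Saturday 02:14 burst in which one account rewrites 30 finance files
    with a '.locked' extension (a stand-in chosen for the example)."""
    lines = []
    base = datetime(2021, 3, 10, 10, 0, 0)   # Wednesday, business hours
    for i in range(25):
        t = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{t} FS01 svc_etl WRITE \\\\FS01\\reports\\daily_{i}.csv")
    burst = datetime(2021, 3, 13, 2, 14, 0)  # Saturday night
    for i in range(30):
        t = (burst + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} FS01 jdoe RENAME \\\\FS01\\finance\\ledger_{i}.xlsx.locked")
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_sample()):
        print(alert)
```

The ETL batch never trips the detector because 25 writes spread over four minutes keep every 60-second window well under the threshold, while the Saturday burst trips it on the twentieth rename and is rated high because of the hour. A real deployment would feed this from file-server audit events and follow a high-severity alert with automatic host isolation, since the point of the page's observation is that the operator is probably not watching.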
Progent provides a range of services for protecting Huntington Beach businesses from ransomware attacks. These include training staff to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and installation of next-generation security gateways with artificial-intelligence-based detection that blocks zero-day threats. Progent also offers seasoned ransomware recovery consultants with the track record and perseverance to restore a compromised environment as quickly as possible.
Progent's Ransomware Restoration Help
After a ransomware attack, even paying the ransom in cryptocurrency gives no assurance that the criminals will hand over the keys needed to decrypt your data. Kaspersky Lab found that seventeen percent of victims who paid never recovered their files, compounding their losses. Paying is also very expensive: Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the average ransomware demand, which ZDNet put at around $13,000 for small businesses. The fallback is to rebuild the critical components of your IT environment. Without usable backups, this calls for a broad complement of IT skills, well-coordinated project management, and the capacity to work 24x7 until the recovery is complete.
For twenty years, Progent has provided professional IT services to companies throughout the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals holding advanced certifications in foundation technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security specialists hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has expertise in financial systems and ERP software. This breadth of experience gives Progent the skills to quickly identify critical systems, salvage the surviving pieces of your IT environment after a ransomware attack, and rebuild them into a functioning system.
Progent's security team uses state-of-the-art project management tools to orchestrate the complex recovery process. Progent appreciates the urgency of working quickly and in concert with a client's management and IT staff to prioritize tasks and bring essential systems back on-line as fast as humanly possible.
Business Case Study: A Successful Crypto-Ransomware Penetration Recovery
A client engaged Progent after the company had been taken over by Ryuk ransomware. Ryuk was initially attributed by some researchers to North Korean state-sponsored actors, but later analysis attributes it to a Russian-speaking criminal group; it is among the most lucrative ransomware operations. Ryuk targets specific companies with little tolerance for disruption. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in Chicago with around 500 employees. The Ryuk attack had halted all business operations and production processes. Most of the client's backups were on-line when the attack began and were encrypted along with everything else. The client was considering paying the ransom (in excess of $200,000) and hoping for the best, but instead called Progent.
"I can't thank you enough for the help Progent provided us during the most fearful time of (our) business's survival. We may have had to pay the cybercriminals if it wasn't for the confidence the Progent experts provided us. That you were able to get our e-mail and essential applications back quicker than seven days was earth shattering. Each expert I got help from or texted at Progent was laser focused on getting us back online and was working 24 by 7 on our behalf."
Progent worked with the client to quickly assess and prioritize the critical systems that had to be recovered in order to restart business functions:
- Microsoft Active Directory
- Electronic mail
To begin, Progent followed industry best practices for malware incident containment, halting lateral movement and removing the active malware. Progent then began restoring Active Directory, the foundation of a Microsoft-based enterprise network: Exchange messaging will not run without AD, and the client's financial and MRP applications ran on Microsoft SQL Server, which authenticated users through Windows AD.
In less than two days, Progent restored Active Directory to its pre-attack state. Progent then reinstalled critical applications and recovered their storage. The Exchange Server schema extensions and configuration held in AD were intact, which accelerated the Exchange restore. Progent was also able to gather intact OST files (Outlook Offline Data Files) from user desktops to recover mailbox contents. A recent offline backup of the client's accounting software allowed those essential applications to be returned to service. Although substantial work remained to recover fully from the Ryuk event, critical systems were back in operation rapidly:
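The recovery above follows a strict dependency order (AD before Exchange and SQL Server, SQL Server before the applications that use it) and, for each system, depends on which recovery source survived: online backups were lost, while an offline backup and the users' OST files were not. The following is an added example, not Progent's code or the client's actual plan: a small planner that takes a system inventory with dependencies and recovery sources, treats every source the ransomware could reach as lost, and produces a restore order plus the list of systems that cannot be restored from any surviving source. The inventory, the source names and the set of lost sources are constructed assumptions for illustration.

```python
"""Added example (not Progent's code): a dependency-ordered recovery planner
for the triage described on the page. The inventory below is constructed
for illustration and is not the client's estate."""
from collections import deque

# Assumption: anything the malware could reach over the network was encrypted.
LOST_SOURCES = {"online_backup", "cloud_sync"}

INVENTORY = {
    "ActiveDirectory": {"depends_on": [], "sources": ["online_backup", "offline_backup"]},
    "Exchange":        {"depends_on": ["ActiveDirectory"], "sources": ["online_backup", "client_ost"]},
    "SQLServer":       {"depends_on": ["ActiveDirectory"], "sources": ["online_backup", "offline_backup"]},
    "Accounting":      {"depends_on": ["SQLServer"], "sources": ["offline_backup"]},
    "MRP":             {"depends_on": ["SQLServer"], "sources": ["online_backup", "offline_backup"]},
    "WebApps":         {"depends_on": ["SQLServer", "ActiveDirectory"], "sources": ["offline_backup"]},
    "MailArchive":     {"depends_on": ["Exchange"], "sources": ["offline_backup"]},
    "ReportingDB":     {"depends_on": ["SQLServer"], "sources": ["online_backup", "cloud_sync"]},
    "Dashboards":      {"depends_on": ["ReportingDB"], "sources": ["offline_backup"]},
}


def restore_order(inventory):
    """Kahn's algorithm: an order that brings up every dependency before its
    dependants. A cycle is an error because no system in it could ever start."""
    indegree = {s: 0 for s in inventory}
    dependants = {s: [] for s in inventory}
    for system, meta in inventory.items():
        for dep in meta["depends_on"]:
            if dep not in inventory:
                raise KeyError(f"{system} depends on unknown system {dep}")
            indegree[system] += 1
            dependants[dep].append(system)
    queue = deque(sorted(s for s, n in indegree.items() if n == 0))
    order = []
    while queue:
        system = queue.popleft()
        order.append(system)
        for child in sorted(dependants[system]):
            indegree[child] -= 1
            if indegree[child] == 0:
                queue.append(child)
    if len(order) != len(inventory):
        stuck = [s for s in inventory if s not in order]
        raise ValueError("dependency cycle among: " + ", ".join(stuck))
    return order


def plan(inventory, lost_sources=LOST_SOURCES):
    """Return (steps, blocked). steps is a list of (system, source) in restore
    order; blocked maps unrestorable systems to the reason, and a block
    propagates to everything that depends on the blocked system."""
    steps, blocked = [], {}
    for system in restore_order(inventory):
        meta = inventory[system]
        blocked_deps = [d for d in meta["depends_on"] if d in blocked]
        usable = [src for src in meta["sources"] if src not in lost_sources]
        if blocked_deps:
            blocked[system] = "depends on blocked " + ", ".join(blocked_deps)
        elif not usable:
            blocked[system] = "every source lost: " + ", ".join(meta["sources"])
        else:
            steps.append((system, usable[0]))
    return steps, blocked


if __name__ == "__main__":
    steps, blocked = plan(INVENTORY)
    for n, (system, source) in enumerate(steps, 1):
        print(f"{n}. restore {system} from {source}")
    for system, reason in blocked.items():
        print(f"BLOCKED {system}: {reason} -> rebuild or reinstall")
```

Running the planner before touching anything gives the incident lead two things the page's narrative had to work out under pressure: the order in which teams can start in parallel (everything that depends only on AD is unblocked the moment AD is back), and the short list of systems that will need a rebuild because their only copies sat on the same network as the malware.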
"For the most part, the production line operation never missed a beat and we delivered all customer deliverables."
Over the following month, key milestones in the recovery were reached through close collaboration between Progent consultants and the client:
- Self-hosted web applications were returned to operation with no loss of information.
- The MailStore archive server for Exchange, holding more than four million archived messages, was brought on-line and made available to users.
- CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory Control modules were fully operational.
- A new Palo Alto Networks PA-850 firewall was installed.
- Nearly all of the desktop computers were fully operational.
"A lot of what happened that first week is mostly a fog for me, but I will not soon forget the care each and every one of your team put in to give us our business back. I have been working with Progent for at least 10 years, maybe more, and every time Progent has impressed me and delivered. This situation was a Herculean accomplishment."
A likely business-ending disaster was averted through results-oriented experts, a broad range of knowledge, and tight teamwork. The forensic review found that the attack described here would have been detected and stopped by up-to-date security tooling, NIST Cybersecurity Framework best practices, user education, and sound procedures for backups and software patching; the reality remains that ransomware operators, state-sponsored and criminal alike, from Russia, China and elsewhere are relentless and will keep attacking. If you are hit by ransomware, remember that Progent's roster of professionals has proven experience in ransomware defense, cleanup, and information systems disaster recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), I'm grateful for letting me get rested after we got over the first week. Everyone did an amazing job, and if anyone is visiting the Chicago area, dinner is on me!"
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)