Ransomware: Your Worst IT Catastrophe
Ransomware has become a modern cyber pandemic that poses an extinction-level danger for businesses of all sizes that are poorly prepared for an attack. Older versions of ransomware such as the CrySIS, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for a long time and continue to cause havoc. Modern strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Nefilim, plus a stream of unnamed newcomers, not only encrypt online files but also reach many of the protection mechanisms accessible from the compromised systems, such as local backups and snapshots. Data replicated to the cloud can also be corrupted. In a poorly architected environment this can make automated recovery hopeless and effectively knocks the datacenter back to square one.
Restoring services and data following a crypto-ransomware outage becomes a sprint against the clock as the targeted organization struggles to contain the damage, remove the crypto-ransomware and restore business-critical activity. Because crypto-ransomware takes time to spread, attacks are usually sprung during nights and weekends, when a successful penetration typically takes longer to notice. This multiplies the difficulty of promptly marshalling and orchestrating a capable response team.
Progent offers a variety of support services for securing Allen enterprises against ransomware attacks. Among these are staff education to help employees recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security appliances with AI technology to automatically identify and quarantine zero-day cyber attacks. Progent also provides the assistance of expert ransomware recovery engineers with the skills and commitment to restore a breached environment as quickly as possible.
Progent's Ransomware Restoration Services
After a ransomware attack, paying the ransom in cryptocurrency provides no assurance that the cyber criminals will supply the keys needed to decrypt any of your information. Kaspersky found that 17% of ransomware victims never recovered their information after paying the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET determined to be around $13,000 for smaller businesses. The other path is to piece back together the key parts of your IT environment. Without access to complete backups, this calls for a wide complement of skill sets, top-notch project management, and the ability to work 24x7 until the recovery project is finished.
For twenty years, Progent has offered professional IT services to businesses across the US and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have earned high-level industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants hold internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience with accounting and ERP application software. This breadth of experience allows Progent to quickly identify the important systems, consolidate the surviving pieces of your network after a ransomware attack, and configure them into a functioning environment.
Progent's security team uses best-of-breed project management applications to orchestrate the complex recovery process. Progent appreciates the importance of working swiftly and in concert with a client's management and IT staff to prioritize tasks and to bring key applications back online as fast as humanly possible.
Customer Case Study: A Successful Ransomware Intrusion Response
A small business hired Progent after its network was brought down by Ryuk ransomware. Ryuk is believed to have been created by North Korean state-sponsored cyber criminals, possibly using techniques leaked from the U.S. NSA. Ryuk targets specific companies with limited ability to sustain operational disruption and is one of the most profitable examples of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing company headquartered in Chicago with about 500 workers. The Ryuk penetration had paralyzed all essential business operations and manufacturing processes. The majority of the client's backups had been directly accessible from the network at the start of the intrusion and were encrypted along with the production data. The client considered paying the ransom (exceeding $200K) and hoping for good luck, but ultimately engaged Progent.
"I can't speak enough in regards to the help Progent gave us during the most stressful period of (our) business's existence. We would have paid the Hackers except for the confidence the Progent team gave us. The fact that you were able to get our e-mail and important servers back into operation in less than 1 week was beyond my wildest dreams. Each staff member I spoke to or communicated with at Progent was amazingly focused on getting my company operational and was working 24 by 7 on our behalf."
Progent worked together with the client to quickly identify and prioritize the key elements that had to be addressed to make it possible to restart business functions:
- Microsoft Active Directory
- Microsoft Exchange Server
- MRP System
To begin, Progent followed incident response best practices by stopping lateral movement and performing malware removal steps. Progent then began the process of restoring Windows Active Directory, the heart of enterprise systems built on Microsoft Windows Server technology. Exchange email will not work without Active Directory, and the client's financials and MRP system relied on Microsoft SQL Server, which depends on Active Directory for authenticating access to the data.
Within 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then moved on to setup and storage recovery for the essential applications. All Microsoft Exchange Server data and attributes were intact, which greatly simplified the restoration of Exchange. Progent was also able to locate local OST files (Outlook Offline Folder Files) on staff workstations and laptops to recover mail data. A relatively recent offline backup of the customer's financials/ERP system made it possible to bring these essential services back online. Although major work remained to recover completely from the Ryuk damage, the most important systems were recovered quickly:
"For the most part, the assembly line operation was never shut down and we did not miss any customer shipments."
Over the following few weeks, key milestones in the restoration process were reached through tight collaboration between Progent team members and the client:
- Self-hosted web sites were returned to operation with no loss of data.
- The MailStore Server with over 4 million archived messages was brought online and made accessible to users.
- CRM, Customer Orders, Invoicing, Accounts Payable, Accounts Receivable and Inventory Control capabilities were 100 percent restored.
- A new Palo Alto 850 security appliance was installed and configured.
- Nearly all of the desktop computers were back in operation.
"A huge amount of what went on that first week is nearly entirely a haze for me, but I will not forget the countless hours each of you put in to give us our business back. I've trusted Progent for at least 10 years, maybe more, and every time Progent has come through and delivered as promised. This situation was a life saver."
A likely company-ending disaster was averted by hard-working experts, a wide array of knowledge, and tight teamwork. In hindsight, the crypto-ransomware penetration described here could have been identified and disabled with advanced cyber security technology and best practices, staff education, and appropriate procedures for offline backups and timely software patching. The fact remains that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by a crypto-ransomware attack, you can be confident that Progent's roster of professionals has a proven track record in crypto-ransomware blocking, cleanup, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were helping), I'm grateful for allowing me to get some sleep after we made it over the initial push. Everyone did an incredible job, and if anyone that helped is around the Chicago area, a great meal is my treat!"
Download the Ransomware Removal Case Study Datasheet
A PDF version of this ransomware incident report is available for review or download: Progent's Ryuk Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Restoration Services in Allen
For ransomware cleanup consulting in the Allen area, call Progent at 800-462-8800 or see Contact Progent.