Ransomware : Your Worst IT Disaster
Crypto-ransomware has become a too-frequent cyber pandemic that represents an existential threat for organizations poorly prepared for an attack. Earlier ransomware families like Reveton, CryptoWall, Bad Rabbit, SamSam and the MongoLock cryptoworm have been spreading for a long time and continue to cause havoc. Modern crypto-ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Egregor, along with as yet unnamed newcomers, not only encrypts online data but also attacks every backup and recovery mechanism it can reach. Data synced to the cloud can also be corrupted. In a poorly architected system, this can make automatic restore operations impossible and effectively knocks the datacenter back to zero.
Recovering programs and information after a crypto-ransomware attack becomes a sprint against the clock as the targeted business fights to stop lateral movement and remove the ransomware and to restore enterprise-critical activity. Due to the fact that ransomware needs time to replicate, assaults are usually sprung at night, when penetrations in many cases take longer to discover. This multiplies the difficulty of promptly marshalling and orchestrating a qualified response team.
Progent makes available an assortment of support services for protecting Allen businesses from ransomware penetrations. Among these are staff training to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of modern security gateways with artificial intelligence capabilities to quickly detect and disable zero-day threats. Progent also provides the assistance of seasoned ransomware recovery consultants with the talent and commitment to reconstruct a compromised system as soon as possible.
Progent's Ransomware Recovery Services
Following a ransomware penetration, paying the ransom in Bitcoin does not ensure that the attackers will return the keys needed to decrypt any of your information. Kaspersky Labs estimated that 17% of ransomware victims never recovered their files even after paying the ransom, compounding their losses. Paying is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC ($120,000 to $400,000). This is far above the average ransomware demand, which ZDNet determined to be in the range of $13,000 for small organizations. The alternative is to set up the vital elements of your IT environment from scratch. Without complete information backups, this calls for a broad complement of skills, well-coordinated project management, and the ability to work 24x7 until the recovery project is over.
For twenty years, Progent has offered certified expert IT services for companies throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have attained high-level certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has experience in financial systems and ERP applications. This breadth of expertise gives Progent the ability to efficiently identify critical systems, integrate the remaining components of your network environment following a ransomware penetration, and assemble them into a functioning system.
Progent's ransomware group has best-of-breed project management systems to coordinate the complex restoration process. Progent understands the urgency of acting quickly and in unison with a customer's management and Information Technology resources to prioritize tasks and to put critical services back online as fast as possible.
Customer Story: A Successful Ransomware Intrusion Response
A customer engaged Progent after their network was taken over by Ryuk ransomware. Ryuk is thought to have been created by North Korean state-sponsored criminal gangs, suspected of adopting approaches leaked from the United States NSA. Ryuk targets organizations with little or no tolerance for operational disruption and is among the most profitable instances of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing business located in Chicago with about 500 staff members. The Ryuk attack had paralyzed all company operations and manufacturing capabilities. The majority of the client's system backups had been directly accessible at the start of the intrusion and were destroyed. The client was evaluating paying the ransom (more than $200,000) and hoping for the best, but ultimately engaged Progent.
"I can't say enough in regards to the support Progent gave us during the most fearful period of (our) company's survival. We most likely would have paid the criminal gangs if not for the confidence the Progent experts provided us. That you could get our messaging and essential applications back into operation in less than one week was incredible. Every single expert I worked with or communicated with at Progent was absolutely committed on getting us back online and was working at all hours to bail us out."
Progent worked with the customer to quickly understand and prioritize the key elements that had to be restored to make it possible to continue departmental functions:
- Active Directory
- Microsoft Exchange Server
- MRP System
To get going, Progent adhered to ransomware incident mitigation industry best practices by isolating affected systems and performing virus removal steps. Progent then began the task of recovering Active Directory, the core of enterprise networks built on Microsoft technology. Exchange email will not work without Windows AD, and the client's accounting and MRP system utilized SQL Server, which depends on Active Directory services for authentication to the database.
Within two days, Progent was able to rebuild Active Directory to its pre-virus state. Progent then completed rebuilding and storage recovery of needed systems. All Microsoft Exchange Server ties and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was able to locate intact OST files (Outlook offline folder files) on various desktop computers and laptops in order to recover email messages. A fairly recent offline backup of the customer's financials/ERP software made it possible to restore these vital services to users. Although a large amount of work still had to be done to recover completely from the Ryuk attack, critical services were restored quickly:
"For the most part, the production line operation ran fairly normal throughout and we produced all customer shipments."
Throughout the next month key milestones in the recovery project were accomplished through tight cooperation between Progent team members and the customer:
- In-house web applications were brought back up with no loss of information.
- The MailStore Server with over 4 million historical emails was restored to operations and accessible to users.
- CRM/Product Ordering/Invoicing/AP/AR/Inventory functions were completely recovered.
- A new Palo Alto 850 firewall was installed and configured.
- Nearly all user PCs were back in use by staff.
"Much of what happened those first few days is mostly a fog for me, but my management will not forget the countless hours each of you accomplished to give us our company back. I've utilized Progent for at least 10 years, maybe more, and each time Progent has impressed me and delivered. This event was a testament to your capabilities."
A potential enterprise-killing catastrophe was avoided by dedicated professionals, a wide spectrum of subject matter expertise, and tight collaboration. Although in hindsight the ransomware virus incident described here would have been shut down with up-to-date security systems and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, and well designed security procedures for information protection and keeping systems up to date with security patches, the fact is that state-sponsored cyber criminals from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware virus, feel confident that Progent's team of experts has a proven track record in ransomware virus defense, cleanup, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were involved), thank you for making it so I could get rested after we made it past the initial fire. Everyone did an incredible job, and if any of your guys is around the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)