Ransomware: Your Feared Information Technology Disaster
Crypto-ransomware has become an escalating cyber pandemic that represents an extinction-level danger for businesses unprepared for an attack. Multiple generations of ransomware such as the CrySIS, WannaCry, Locky, Syskey and MongoLock cryptoworms have been running rampant for a long time and continue to cause harm. More recent variants of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Nephilim, plus more as yet unnamed malware, not only encrypt online data files but also corrupt any configured system restore points and backups. Data synced to cloud environments can also be rendered useless. With a poorly designed data protection solution, this can make recovery hopeless and effectively sets the entire system back to square one.
Retrieving applications and information after a crypto-ransomware outage becomes a race against time as the targeted organization fights to contain the damage, eradicate the ransomware, and resume mission-critical operations. Since crypto-ransomware needs time to spread, penetrations are often launched on weekends and holidays, when successful attacks typically take longer to identify. This multiplies the difficulty of rapidly mobilizing and organizing a capable mitigation team.
Progent offers a range of support services for securing Allen enterprises against crypto-ransomware events. These include user training to help staff recognize and avoid phishing attempts, and ProSight Active Security Monitoring (ASM), an endpoint detection and response (EDR) service that uses SentinelOne's behavior-based threat protection to discover and stop zero-day malware attacks. Progent also provides the assistance of seasoned ransomware recovery consultants with the skills and commitment to redeploy a compromised environment as rapidly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware penetration, even paying the ransom demand in Bitcoin provides no assurance that merciless criminals will return the keys needed to decrypt any or all of your files. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never restored their data after sending off the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly above the usual crypto-ransomware demand, which ZDNET determined to be approximately $13,000 for small businesses. The other path is to set up the essential elements of your Information Technology environment from scratch. Without access to full information backups, this requires a wide range of skill sets, well-coordinated project management, and the capability to work 24x7 until the task is over.
For twenty years, Progent has provided expert Information Technology services to companies across the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold top certifications in key technologies such as Microsoft, Cisco, VMware, and the major distributions of Linux. Progent's security experts have garnered internationally recognized industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise in financial systems and ERP software solutions. This breadth of expertise gives Progent the capability to knowledgeably identify the necessary systems, organize the remaining components of your IT environment after a ransomware attack, and rebuild them into an operational network.
Progent's ransomware team deploys best-of-breed project management tools to orchestrate the sophisticated recovery process. Progent appreciates the urgency of working swiftly and together with a client's management and IT staff to prioritize tasks and get the most important systems back online as soon as humanly possible.
Customer Story: A Successful Crypto-Ransomware Penetration Restoration
A small business engaged Progent after their organization was taken over by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean government-sponsored hackers, possibly adopting approaches leaked from America's National Security Agency. Ryuk targets specific businesses with limited ability to sustain operational disruption and is one of the most lucrative instances of crypto-ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company based in Chicago with around 500 workers. The Ryuk intrusion had brought down all business operations and manufacturing capabilities. Most of the client's backups had been online at the start of the intrusion and were encrypted. The client was pursuing financing to pay the ransom (in excess of $200,000) and hoping for good luck, but in the end called Progent.
"I cannot say enough about the help Progent provided us throughout the most fearful time of (our) business's survival. We had little choice but to pay the hackers behind this attack except for the confidence the Progent experts afforded us. The fact that you could get our e-mail and key applications back into operation in less than a week was something I thought impossible. Each expert I worked with or communicated with at Progent was amazingly focused on getting us back online and was working non-stop to bail us out."
Progent worked with the customer to quickly assess and prioritize the essential areas that had to be addressed to make it possible to resume business operations:
To begin, Progent followed anti-virus incident mitigation best practices by halting the spread and removing the active malware. Progent then began rebuilding Active Directory, the core technology of enterprise environments built on Microsoft Windows. Exchange messaging will not operate without Active Directory, and the client's MRP system used SQL Server, which depended on Active Directory for authentication and authorization to the database.
- Windows Active Directory
In less than 2 days, Progent was able to recover Active Directory services to their pre-attack state. Progent then completed setup and hard drive recovery on mission-critical servers. All Exchange data and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to locate local OST files (Outlook Offline Folder Files) on staff desktop computers and laptops in order to recover mail data. A recent offline backup of the customer's financials/MRP systems allowed these vital applications to be restored and brought back online for users. Although significant work remained to recover completely from the Ryuk event, critical services were recovered quickly:
"For the most part, the manufacturing operation never missed a beat and we produced all customer shipments."
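To make the dependency reasoning above concrete (Active Directory first, because Exchange and the SQL Server behind the MRP system both depend on it, with each system's recovery source chosen by which backups survived), here is an added example of a recovery-order planner. It is not Progent's tooling; the inventory, dependency edges and backup states are constructed to mirror the case study, and the file-share entries are invented to show how an asset whose only backup was encrypted blocks everything downstream of it.

```python
"""Recovery-order planner for a ransomware rebuild (added example, not Progent's code)."""
from graphlib import TopologicalSorter, CycleError

# Constructed inventory: what each asset depends on, and where its data can be
# recovered from after an attack that encrypted the online backups.
INVENTORY = {
    "Active Directory":    {"depends_on": [],                   "backup": "rebuild"},
    "SQL Server":          {"depends_on": ["Active Directory"], "backup": "offline"},
    "MRP / Financials":    {"depends_on": ["SQL Server"],       "backup": "offline"},
    "Exchange":            {"depends_on": ["Active Directory"], "backup": "rebuild"},
    "Desktop OST files":   {"depends_on": ["Exchange"],         "backup": "endpoint"},
    # Invented entries: the only copy was online and got encrypted.
    "File shares":         {"depends_on": ["Active Directory"], "backup": "online-encrypted"},
    "Document management": {"depends_on": ["File shares"],      "backup": "offline"},
}

# Sources a team can actually restore from; anything else is a dead end.
RECOVERABLE = {"offline", "endpoint", "rebuild"}


def recovery_plan(inventory):
    """Return (steps, blocked).

    steps   : (asset, source) tuples in dependency order, upstream first.
    blocked : {asset: reason} for assets that cannot be recovered because their
              only copy was encrypted, or because something upstream is blocked.
    Raises ValueError on a circular dependency in the inventory.
    """
    graph = {name: set(spec["depends_on"]) for name, spec in inventory.items()}
    try:
        order = list(TopologicalSorter(graph).static_order())
    except CycleError as exc:
        raise ValueError(f"circular dependency in inventory: {exc.args[1]}") from exc

    steps, blocked = [], {}
    for name in order:
        spec = inventory.get(name)
        if spec is None:
            blocked[name] = "referenced as a dependency but not in inventory"
            continue
        upstream = [d for d in spec["depends_on"] if d in blocked]
        if spec["backup"] not in RECOVERABLE:
            blocked[name] = "only backup was online and encrypted"
        elif upstream:
            blocked[name] = "depends on blocked: " + ", ".join(upstream)
        else:
            steps.append((name, spec["backup"]))
    return steps, blocked
```

Blocked assets are the ones to raise with management early, since they will need a rebuild from scratch or a decision about data loss rather than a restore job.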
During the following couple of weeks, critical milestones in the recovery process were reached through tight collaboration between Progent engineers and the client:
- Internal web applications were brought back up without losing any information.
- The MailStore archive server for Exchange, containing more than 4 million archived messages, was brought online and made available to users.
- CRM, Customer Orders, Invoices, Accounts Payable, Accounts Receivable and Inventory Control capabilities were 100% recovered.
- A new Palo Alto 850 security appliance was installed and configured.
- Ninety percent of the desktop computers were back in use by staff.
"A lot of what occurred in the initial days is nearly entirely a blur for me, but my management will not forget the urgency each of you put in to give us our business back. I've trusted Progent for the past ten years, possibly more, and each time I needed help Progent has impressed me and delivered. This time was a testament to your capabilities."
A probable business-ending disaster was averted through the efforts of top-tier professionals, a wide range of knowledge, and tight collaboration. Although in hindsight the ransomware attack detailed here would have been identified and disabled with modern cyber security technology, ISO/IEC 27001 best practices, user training, and properly executed procedures for data protection and security patching, the reality remains that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and an ongoing threat. If you do fall victim to a ransomware penetration, remember that Progent's team of experts has substantial experience in ransomware blocking, cleanup, and information systems restoration.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thank you for making it so I could get rested after we got through the initial push. Everyone did an amazing job, and if anyone is in the Chicago area, a great meal is on me!"
Download the Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Consulting Services in Allen
For ransomware recovery expertise in the Allen metro area, call Progent at 800-462-8800 or go to Contact Progent.