Ransomware: Your Feared IT Nightmare
Ransomware has become an all-too-frequent threat that poses an enterprise-level danger to any business vulnerable to attack. Earlier families such as Reveton, WannaCry, Locky, NotPetya and MongoLock have been around for years and still cause damage. Modern crypto-ransomware such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Egregor, along with newer as-yet-unnamed strains, not only encrypts online data files but also attacks backups and other system protection mechanisms that are reachable from the compromised network. Data replicated to cloud environments can be corrupted as well, since replication faithfully copies the encrypted files. With a vulnerable data protection solution, this can render any restoration useless and effectively set the datacenter back to zero.
Getting services and information back after a ransomware event becomes a race against the clock as the targeted business tries to stop lateral movement, eradicate the ransomware and restore business-critical activity. Because encrypting an environment takes time, attacks are frequently launched on weekends and at night, when a successful intrusion typically takes longer to recognize. This multiplies the difficulty of quickly assembling and orchestrating a knowledgeable response team.
Progent offers an assortment of solutions for protecting Boise organizations from ransomware attacks. These include user training to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security solutions with machine learning capabilities to rapidly identify and suppress zero-day attacks. Progent also offers the assistance of experienced ransomware recovery engineers with the skills and commitment to rebuild a breached network as quickly as possible.
Progent's Ransomware Restoration Services
After a ransomware event, even paying the ransom in cryptocurrency does not ensure that the attackers will provide the keys to decrypt any or all of your data. Kaspersky Lab found that seventeen percent of ransomware victims never recovered their data after paying the ransom, compounding their losses. The ransom itself is also expensive. Ryuk demands frequently range from fifteen to forty BTC (roughly $120,000 to $400,000), significantly higher than the average ransomware demand, which ZDNet estimated at around $13,000 for smaller organizations. The alternative is to rebuild the critical components of your IT environment from scratch. Without full system backups, this calls for a wide range of IT skills, professional project management, and the ability to work non-stop until the job is done.
For twenty years, Progent has provided professional IT services to businesses across the U.S. and has earned Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold high-level certifications in key technologies including Microsoft, Cisco, VMware and the major Linux distributions. Progent's cybersecurity consultants hold internationally recognized industry certifications including CISM, CISSP, CRISC and GIAC. (Refer to Progent's certifications.) Progent also has expertise in accounting and ERP application software. This breadth of experience allows Progent to efficiently identify the necessary systems, organize the surviving parts of your network environment after a ransomware event, and rebuild them into a functioning system.
Progent's security team uses powerful project management tools to coordinate the complex restoration process. Progent appreciates the importance of acting swiftly and in unison with a client's management and IT staff to prioritize tasks and bring the most important services back online as fast as possible.
Customer Story: A Successful Ransomware Virus Restoration
A business contacted Progent after it was penetrated by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-linked actors because of code it shares with the Hermes ransomware, but later analysis tied it to Russian-speaking criminal operators. It targets organizations with little or no tolerance for operational disruption and is one of the most profitable strains of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing company based in Chicago with about 500 employees. The Ryuk attack had shut down all business operations and manufacturing capability. Most of the client's backups were online and reachable from the compromised network at the start of the attack, and were eventually encrypted along with the production data. The client was arranging financing to pay the ransom (more than $200K) and hoping for the best, but ultimately turned to Progent instead.
"I cannot thank you enough in regards to the care Progent provided us throughout the most fearful period of (our) company's survival. We had little choice but to pay the Hackers if not for the confidence the Progent group provided us. The fact that you could get our e-mail and critical applications back into operation sooner than 1 week was beyond my wildest dreams. Each staff member I worked with or communicated with at Progent was laser focused on getting us operational and was working day and night to bail us out."
Progent worked hand in hand with the client to quickly identify and prioritize the most important services that had to be addressed in order to keep departmental functions running:
- Microsoft Active Directory
- Microsoft Exchange Server
To begin, Progent followed ransomware incident response best practices by stopping lateral movement and removing active malware. Progent then began recovering Windows Active Directory, the foundation of enterprise networks built on Microsoft Windows technology. Microsoft Exchange Server email will not function without Active Directory, and the business's financials and MRP applications used Microsoft SQL Server, which relies on Windows AD to authenticate and authorize access to the data.
In less than two days, Progent rebuilt Windows Active Directory to its pre-intrusion state. Progent then moved on to reinstalling and recovering storage for key systems. All of Exchange Server's links and attributes in Active Directory were intact, which simplified the Exchange restore. Progent was able to collect the local OST files (Outlook offline data files) cached on user PCs to recover mailbox contents. A recent offline backup of the business's financials/ERP software, which the ransomware had been unable to reach, made it possible to bring these essential applications back online. Although major work remained to recover fully from the Ryuk event, essential systems were restored rapidly:
"For the most part, the production operation showed little impact and we made all customer shipments."
Over the next month, critical milestones in the restoration project were achieved through close collaboration between Progent consultants and the customer:
- In-house web applications were returned to operation without losing any data.
- The MailStore email archive server, holding more than four million historical messages, was brought online and made available to users.
- CRM/Orders/Invoices/AP/AR/Inventory capabilities were fully functional.
- A new Palo Alto PA-850 security appliance was installed and configured.
- Most of the desktop computers were functioning as before the incident.
"A huge amount of what was accomplished in the initial days is nearly entirely a fog for me, but I will not soon forget the countless hours each and every one of your team accomplished to help get our company back. I've been working with Progent for the past 10 years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This time was a testament to your capabilities."
A probable business disaster was averted thanks to dedicated professionals, a wide array of IT skills, and close collaboration. Post-incident analysis showed that the attack described here should have been identified and blocked by modern security tooling and established best practices: user education, backups kept offline and tested, timely patching, and a rehearsed incident response plan. The reality, however, is that state-sponsored and criminal cyber gangs from China, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware intrusion, remember that Progent's roster of experts has substantial experience in ransomware defense, mitigation and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thanks very much for allowing me to get some sleep after we got past the initial push. All of you did a fabulous effort, and if anyone is around the Chicago area, a great meal is my treat!"
Download the Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Services in Boise
For ransomware cleanup expertise in the Boise metro area, phone Progent at 800-462-8800 or see Contact Progent.