Ransomware: Your Worst IT Disaster
Crypto-ransomware has become an escalating cyberplague that represents an enterprise-level threat to businesses of every size. Multiple generations of ransomware, including the Reveton, WannaCry, Locky, NotPetya and MongoLock cryptoworms, have run rampant for years and continue to inflict damage. Newer crypto-ransomware families such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nephilim, along with unnamed newcomers, not only encrypt online data but also compromise many of the system protection mechanisms that have been configured. Data synchronized to the cloud can be rendered useless as well. In a poorly architected data protection solution, this can make any restoration impossible and knock the entire system back to square one.
Getting applications and information back online after a crypto-ransomware outage becomes a race against the clock as the victim fights to stop lateral movement, eradicate the crypto-ransomware, and restore business-critical activity. Since ransomware needs time to spread, attacks are usually launched on weekends and at night, when a successful penetration is likely to go undiscovered for longer. This compounds the difficulty of quickly mobilizing and coordinating a knowledgeable response team.
Progent provides a range of services for securing Liverpool businesses against crypto-ransomware penetrations. These include user training to recognize and avoid phishing attacks, and ProSight Active Security Monitoring (ASM), an endpoint detection and response (EDR) service that uses SentinelOne's AI-based threat protection to detect and quarantine zero-day malware. Progent also provides the assistance of seasoned ransomware recovery professionals with the track record and perseverance to re-deploy a breached environment as rapidly as possible.
Progent's Ransomware Restoration Services
Following a crypto-ransomware penetration, paying the ransom in cryptocurrency does not ensure that the remote criminals will deliver the keys needed to decrypt any of your data. Kaspersky determined that seventeen percent of ransomware victims never restored their data after paying the ransom, compounding their losses. Paying is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the typical ransomware demand, which ZDNET estimated at around $13,000 for small businesses. The alternative is to rebuild the mission-critical components of your Information Technology environment from scratch. Without access to full data backups, this calls for a broad complement of skills, well-coordinated team management, and the ability to work non-stop until the job is finished.
For decades, Progent has provided professional Information Technology services to businesses throughout the United States and has earned Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who hold high-level certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers hold internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise in accounting and ERP application software. This breadth of experience allows Progent to quickly understand the systems that matter, re-organize the remaining pieces of your IT environment following a crypto-ransomware event, and rebuild them into a functioning system.
Progent's ransomware group uses state-of-the-art project management applications to orchestrate the complex recovery process. Progent understands the urgency of working quickly and in concert with a client's management and Information Technology staff to prioritize tasks and put essential applications back online as fast as humanly possible.
Client Story: A Successful Ransomware Intrusion Response
A client escalated to Progent after their network was taken over by the Ryuk crypto-ransomware. Ryuk is believed to have been created by North Korean state-sponsored hackers, possibly using techniques leaked from the United States National Security Agency. Ryuk targets specific organizations with little tolerance for operational disruption and is one of the most lucrative examples of crypto-ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer based in Chicago with around 500 workers. The Ryuk penetration had frozen all company operations and manufacturing processes. The majority of the client's data backups had been online at the time of the attack and were eventually encrypted. The client was actively seeking loans to pay the ransom demand (more than two hundred thousand dollars) and hoping for good luck, but ultimately reached out to Progent.
"I can't thank you enough for the help Progent gave us throughout the most fearful time of (our) company's survival. We would have had little choice but to pay the hackers if not for the confidence the Progent experts afforded us. That you were able to get our messaging and important applications back into operation in less than seven days was incredible. Each consultant I interacted with or e-mailed at Progent was totally committed to getting us restored and was working at breakneck pace to bail us out."
Progent worked hand in hand with the client to rapidly identify and prioritize the most important elements that had to be restored to allow business operations to continue:
- Microsoft Active Directory
- Electronic Messaging
To start, Progent followed ransomware incident response best practices by stopping lateral movement and disinfecting systems. Progent then began rebuilding Windows Active Directory, the heart of enterprise systems built on Microsoft technology. Exchange email will not function without AD, and the client's financial and MRP applications relied on Microsoft SQL Server, which needs Active Directory to authenticate access to the data.
In less than two days, Progent restored Windows Active Directory to its pre-attack state. Progent then completed reinstallation and storage recovery of the critical servers. All of the Microsoft Exchange Server links and attributes in Active Directory were intact, which simplified the rebuild of Exchange. Progent was also able to locate local OST data files (Microsoft Outlook Offline Folder Files) on staff workstations to recover email messages. A recent offline backup of the customer's accounting/MRP systems made it possible to bring these vital applications back online. Although major work remained to recover fully from the Ryuk attack, essential systems were recovered quickly:
"For the most part, the production line operation was never shut down and we produced all customer orders."
Over the next month, critical milestones in the recovery project were accomplished through close collaboration between Progent team members and the client:
- Internal web sites were restored without losing any data.
- The MailStore Exchange Server with over four million historical messages was brought online and accessible to users.
- CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory Control functions were 100% functional.
- A new Palo Alto 850 firewall was installed and configured.
- Nearly all of the user desktops were fully operational.
"A lot of what happened during the initial response is almost entirely a fog for me, but we will not soon forget the commitment each and every one of you put in to help get our business back. I have been working with Progent for at least 10 years, possibly more, and every time Progent has shined and delivered as promised. This situation was no exception, but maybe more Herculean."
A potentially company-ending catastrophe was averted thanks to results-oriented professionals, a broad range of technical expertise, and tight teamwork. In hindsight, the ransomware attack described here should have been identified and blocked by current cyber security technology and best practices, staff training, and properly executed procedures for data backup and patch management. Nonetheless, the reality remains that government-sponsored cybercriminals from Russia, China and elsewhere are relentless and an ongoing threat. If you do fall victim to a ransomware incursion, remember that Progent's team of experts has substantial experience in ransomware defense, mitigation, and information systems recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thanks very much for allowing me to get some sleep after we made it through the initial push. Everyone did an incredible job, and if anyone that helped is in the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this case study, click: Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Restoration Services in Liverpool
For ransomware cleanup expertise in the Liverpool metro area, call Progent at 800-462-8800 or visit Contact Progent.