Ransomware: Your Crippling IT Nightmare
Crypto-ransomware has become a modern cyber pandemic that represents an existential danger for businesses unprepared for an attack. Older ransomware families such as Reveton, CryptoWall, Locky, NotPetya and the MongoLock cryptoworm have been around for a long time and still inflict harm. Newer variants such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, along with a steady stream of unnamed malware, not only encrypt online data but also attack every reachable backup and other protective system. Data synchronized to cloud environments can be corrupted as well. Where the data protection architecture is weak, this can make automated recovery impossible and effectively knocks the network back to zero.
Recovering services and data after a ransomware attack becomes a race against time as the victim struggles to stop lateral movement, remove the ransomware and restore mission-critical operations. Because ransomware takes time to move laterally, intrusions are frequently launched on weekends, when successful attacks tend to go unrecognized for longer. This compounds the difficulty of rapidly mobilizing and coordinating a capable response team.
Progent offers a range of solutions for protecting Tukwila organizations from ransomware events. Among these are user training to help staff recognize and avoid phishing attacks, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security gateways with machine learning capabilities to detect and block new cyber attacks. Progent also provides expert crypto-ransomware recovery consultants with the skills and commitment to rebuild a compromised environment as quickly as possible.
Progent's Ransomware Restoration Help
After a ransomware event, paying the ransom demand in Bitcoin does not guarantee that the attackers will provide the keys needed to decrypt any of your data. Kaspersky found that 17% of ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far above typical ransomware demands, which ZDNET found to average around $13,000 for smaller businesses. The alternative is to rebuild the vital components of your IT environment from scratch. Without access to usable system backups, this requires a broad set of IT skills, first-rate project management, and the ability to work around the clock until the recovery is complete.
For decades, Progent has provided professional IT services to companies across the US and has earned Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers with advanced industry certifications in leading technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity specialists hold internationally recognized certifications including CISA, CISSP, CRISC, and GIAC. (Visit Progent's certifications.) Progent also has experience with financial systems and ERP software. This breadth of experience lets Progent quickly identify critical systems, consolidate the surviving parts of your network after a crypto-ransomware intrusion, and reassemble them into a functioning environment.
Progent's recovery team uses professional project management tools to coordinate the complex restoration process. Progent understands the importance of acting swiftly and in concert with the client's management and IT staff to prioritize tasks and bring the most important services back online as soon as possible.
Case Study: A Successful Ransomware Intrusion Restoration
A customer escalated to Progent after their network was penetrated by Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state-sponsored cybercriminals, possibly using techniques leaked from the United States NSA. Ryuk targets specific businesses with little tolerance for operational disruption and is among the most profitable ransomware families. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in Chicago with about 500 employees. The Ryuk intrusion had brought down all company operations and manufacturing processes. Most of the client's backups had been directly accessible from the network at the time of the attack and were damaged. The client was preparing to pay the ransom (in excess of $200,000) and hope for the best, but ultimately engaged Progent.
"I cannot speak enough in regards to the care Progent provided us during the most fearful time of (our) company's life. We had little choice but to pay the cyber criminals if not for the confidence the Progent group afforded us. That you were able to get our messaging and essential applications back online in less than seven days was incredible. Every single expert I interacted with or messaged at Progent was laser focused on getting our company operational and was working 24 by 7 to bail us out."
Progent worked hand in hand with the customer to quickly assess and prioritize the mission-critical systems that had to be recovered in order to restart company operations:
- Windows Active Directory
- Exchange Server
To begin, Progent followed incident response best practices by halting lateral movement and performing malware removal. Progent then started rebuilding Microsoft Active Directory (AD), the core of enterprise environments built on Microsoft technology. Microsoft Exchange Server email will not operate without AD, and the customer's financial and MRP software used Microsoft SQL Server, which depends on Active Directory for authentication and authorization to the database.
In less than 48 hours, Progent restored Active Directory to its pre-infection state. Progent then helped rebuild mission-critical applications and recover data from affected hard drives. All Exchange schema and configuration information was intact, which greatly simplified the Exchange rebuild. Progent was able to collect intact OST files (Microsoft Outlook Offline Folder Files) from various workstations and laptops in order to recover email data. A fairly recent offline backup of the customer's financial/ERP software made it possible to bring these essential services back online for users. Although a great deal of work remained to recover fully from the Ryuk damage, critical services were restored quickly:
"For the most part, the assembly line operation survived unscathed and we made all customer orders."
Over the next month, key milestones in the recovery were achieved in close cooperation between Progent consultants and the customer:
- Internal web applications were returned to operation without any data loss.
- The MailStore archive server, holding more than four million historical Exchange messages, was restored to operation and made accessible to users.
- CRM, customer orders, invoicing, accounts payable, accounts receivable (AR) and inventory control capabilities were fully recovered.
- A new Palo Alto 850 security appliance was deployed.
- 90% of the user PCs were fully operational.
"A lot of what went on in the early hours is mostly a fog for me, but we will not soon forget the countless hours each and every one of your team accomplished to give us our business back. I've utilized Progent for the past 10 years, possibly more, and every time I needed help Progent has impressed me and delivered as promised. This situation was a Herculean accomplishment."
A potentially company-ending catastrophe was averted thanks to hard-working professionals, a wide spectrum of subject matter expertise, and close teamwork. In hindsight, the ransomware incident described here could have been prevented with advanced cyber security technology, ISO/IEC 27001 best practices, staff education, and well-designed procedures for backup isolation and patch management; nonetheless, government-sponsored hackers from Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to ransomware, you can be confident that Progent's team has extensive experience in ransomware defense, removal, and disaster recovery of files and systems.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for making it so I could get rested after we got through the initial fire. Everyone did an impressive effort, and if anyone that helped is in the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)