Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become an escalating cyber pandemic that poses an extinction-level danger to any organization vulnerable to attack. Families such as Reveton, WannaCry, Locky, NotPetya and MongoLock have been circulating for years and still inflict damage. More recent strains such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, LockBit and Nephilim, along with new variants that appear daily, not only encrypt online files but also seek out and encrypt every backup the compromised accounts can reach. Data synchronized to cloud storage can be encrypted as well, because the sync client faithfully uploads the ciphertext. In a poorly designed data protection solution this renders automatic restore operations useless and effectively sets the network back to zero: the only copies that survive are the ones the attacker could not write to, such as offline or immutable backups.
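The point above, that a backup is only as good as the attacker's inability to write to it, can be checked mechanically. The Python below is an added example and is not code from Progent or from this page: it records a manifest of a backup set at backup time, assumes that manifest is stored out of band where the backup host cannot overwrite it, and later compares the backup share against it before any automated restore is trusted. The file names, file contents, the `.encrypted` suffix and the ransom-note name are all constructed for the demonstration.

```python
"""Added example, not Progent's code: verify a backup set against a manifest
written at backup time and kept out of band (offline media or an immutable,
write-once location). Ransomware that reaches the backup share rewrites or
renames the archives; checking the share against the manifest exposes that
before an automated restore is trusted. All file names and contents below
are constructed for the demonstration."""
import hashlib
import json
import random
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> str:
    """Record size and SHA-256 of every backup object. The returned JSON must be
    stored somewhere the backup host cannot overwrite, or it proves nothing."""
    entries = {
        name: {"size": len(blob), "sha256": sha256_hex(blob)}
        for name, blob in files.items()
    }
    return json.dumps(entries, sort_keys=True)


def verify_backup(files: Dict[str, bytes], manifest_json: str) -> dict:
    """Compare the backup share as it exists now with the out-of-band manifest.
    'missing' plus 'unexpected' together reveal mass renames; 'modified'
    reveals in-place overwrites. Any non-empty finding means: do not restore
    from this copy without investigation."""
    manifest = json.loads(manifest_json)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for name, entry in manifest.items():
        blob = files.get(name)
        if blob is None:
            report["missing"].append(name)
        elif len(blob) != entry["size"] or sha256_hex(blob) != entry["sha256"]:
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    report["unexpected"] = sorted(name for name in files if name not in manifest)
    report["trustworthy"] = not (
        report["modified"] or report["missing"] or report["unexpected"]
    )
    return report


# Constructed backup set, as it looked when the manifest was taken.
GOOD_BACKUP: Dict[str, bytes] = {
    "sql/erp_full.bak": b"TAPE\x00" + b"customer,invoice,amount\n" * 200,
    "exchange/mailbox_db.edb": b"EDB page\n" * 300,
}
OFFLINE_MANIFEST = build_manifest(GOOD_BACKUP)


def simulate_ransomware(files: Dict[str, bytes], rename: bool = True,
                        seed: int = 7) -> Dict[str, bytes]:
    """Constructed attacker behaviour: overwrite every reachable object with
    pseudo-random bytes of the same length, optionally append an extension,
    and drop a ransom note. Suffix and note name are invented for the demo."""
    rng = random.Random(seed)
    hit = {}
    for name, blob in files.items():
        new_name = name + ".encrypted" if rename else name
        hit[new_name] = bytes(rng.getrandbits(8) for _ in range(len(blob)))
    hit["README_TO_RESTORE.txt"] = b"Your files are encrypted. Contact us for the key.\n"
    return hit


def verify_clean() -> dict:
    return verify_backup(GOOD_BACKUP, OFFLINE_MANIFEST)


def verify_after_attack(rename: bool = True) -> dict:
    return verify_backup(simulate_ransomware(GOOD_BACKUP, rename=rename),
                         OFFLINE_MANIFEST)


if __name__ == "__main__":
    for label, report in (("clean share", verify_clean()),
                          ("after rename-style attack", verify_after_attack()),
                          ("after in-place overwrite", verify_after_attack(rename=False))):
        print(f"{label}: trustworthy={report['trustworthy']} "
              f"modified={report['modified']} missing={report['missing']} "
              f"unexpected={report['unexpected']}")
```

The design choice worth noting is that the manifest, not the backup share, is the root of trust: a hash list sitting next to the archives would simply be encrypted with them. Entropy checks are a weaker substitute, since compressed backup archives already look random.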
Recovering services and data after a ransomware attack becomes a race against time as the targeted organization struggles to contain and eradicate the malware and restore business-critical operations. Because crypto-ransomware operators need time to move laterally and stage the attack, the encryption payload is often detonated on weekends or holidays, when staffing is thin and a successful attack may take longer to notice. This multiplies the difficulty of quickly mobilizing and coordinating a knowledgeable response team.
Progent provides a variety of support services for protecting Austin organizations from ransomware. These include team education to recognize and not fall victim to phishing, ProSight Active Security Monitoring for remote monitoring and management, and the setup and configuration of next-generation security solutions that use AI technology to quickly detect and contain new threats. Progent also provides the services of veteran crypto-ransomware recovery engineers with the skills and perseverance to restore a breached network as quickly as possible.
Progent's Ransomware Restoration Support Services
Following a ransomware event, even paying the ransom in cryptocurrency provides no assurance that the criminal gang will respond with working keys for any or all of your data. Kaspersky found that 17% of crypto-ransomware victims never recovered their data after paying, compounding their losses. Paying is also expensive. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000), well above the typical demand, which ZDNet put at about $13,000 for small businesses. The other path is to rebuild the vital components of your IT environment. Without access to intact backups, this requires a broad range of IT skills, well-coordinated project management, and the willingness to work around the clock until the job is done.
For decades, Progent has provided certified expert IT services for companies throughout the United States and holds Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have earned advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security specialists hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with financial management and ERP applications. This breadth of expertise lets Progent rapidly understand critical systems, salvage the surviving parts of your IT environment after a ransomware event, and reassemble them into a working system.
Progent's recovery team uses best-of-breed project management applications to coordinate the complex recovery process. Progent understands the importance of working swiftly and together with a customer's management and IT team members to prioritize tasks and get critical systems back online as fast as humanly possible.
Case Study: A Successful Crypto-Ransomware Incident Recovery
A manufacturing business escalated to Progent after the company was brought down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state hackers because it shares code with the earlier Hermes ransomware, but subsequent analysis has tied its operation to a Russian-speaking criminal group. Ryuk targets specific companies with little tolerance for operational disruption and is among the most profitable ransomware variants. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company in the Chicago metro area with about 500 employees. The Ryuk attack had paralyzed all essential business and manufacturing operations. Most of the client's backups had been online at the start of the attack and were encrypted along with everything else. The client was preparing to pay the ransom (more than two hundred thousand dollars) and hope for the best, but ultimately decided to engage Progent instead.
"I can't tell you enough about the help Progent provided us during the most fearful time of (our) business's life. We most likely would have paid the hackers behind this attack if not for the confidence the Progent group afforded us. That you were able to get our e-mail system and important servers back on-line faster than five days was earth shattering. Every single consultant I interacted with or texted at Progent was totally committed on getting us restored and was working day and night to bail us out."
Progent worked hand in hand with the client to rapidly assess and prioritize the key services that had to be recovered before departmental functions could resume:
- Windows Active Directory
- MRP System
First, Progent followed industry best practices for malware incident containment by halting lateral movement and disinfecting systems. Progent then began restoring Microsoft Active Directory, the foundation of enterprise environments built on Microsoft technology: Exchange Server email cannot function without AD, and the customer's MRP applications ran on Microsoft SQL Server, which relied on AD for authentication and access to the data.
Within two days, Progent restored Active Directory services to their pre-intrusion state. Progent then rebuilt and recovered the disks of mission-critical systems. All Exchange Server bindings and configuration data were intact, which accelerated the Exchange restore. Progent located local OST files (Outlook Offline Data Files) on user PCs and laptops and recovered mailbox contents from them. A recent offline backup of the customer's accounting/ERP software allowed these essential applications to be brought back for users. Although much work remained to recover fully from the Ryuk event, core systems were back in operation quickly:
"For the most part, the production manufacturing operation survived unscathed and we made all customer sales."
Over the following weeks, further milestones in the restoration were reached in close cooperation between Progent staff and the customer:
- Self-hosted web sites were returned to operation without any data loss.
- The MailStore archive of Exchange email, holding more than four million messages, was brought back online and made accessible to users.
- CRM, product ordering, invoicing, accounts payable, accounts receivable and inventory functions were fully recovered.
- A new Palo Alto Networks PA-850 firewall was brought online.
- Most desktop computers were back in use by staff.
"A lot of what happened in the initial days is mostly a fog for me, but my team will not soon forget the urgency each of you put in to help get our company back. I have been working together with Progent for the past 10 years, possibly more, and every time I needed help Progent has shined and delivered as promised. This situation was a Herculean accomplishment."
A possible business extinction event was averted through the efforts of dedicated professionals, a broad spectrum of IT skills, and close teamwork. In hindsight, the attack described here could have been detected and stopped with modern security tooling, NIST Cybersecurity Framework best practices, user and IT administrator education, disciplined patching, and well-thought-out incident response and data protection procedures. The reality, however, is that state-sponsored and criminal threat actors in Russia, North Korea and elsewhere are tireless and remain an ongoing threat. If you are hit by a ransomware attack, you can rely on Progent's roster of experts, who have substantial experience in crypto-ransomware defense, remediation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were helping), thanks very much for letting me get some sleep after we got through the most critical parts. All of you did an amazing job, and if any of your guys is in the Chicago area, dinner is on me!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer story, see Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).