Ransomware: Your Feared Information Technology Disaster
Crypto-ransomware has become a modern cyber plague that represents an extinction-level danger for businesses vulnerable to an attack. Ransomware families such as the Reveton, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been around for years and continue to cause havoc. More recent strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, along with frequent unnamed variants, not only encrypt on-line data but also encrypt most accessible system backups. Data synced to cloud environments can also be corrupted. In a poorly architected environment, this can render any restore operation useless and effectively set the network back to zero.
Bringing applications and data back online after a ransomware attack becomes a race against the clock as the targeted business fights to stop lateral movement, clean up the ransomware, and restore mission-critical activity. Because crypto-ransomware needs time to spread, intrusions are usually launched on weekends and holidays, when they typically take longer to discover. This multiplies the difficulty of rapidly mobilizing and organizing a knowledgeable mitigation team.
Progent offers a range of solutions for protecting Madison organizations from crypto-ransomware attacks. Among these are staff training to recognize and avoid phishing attacks, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security appliances with artificial intelligence capabilities to detect and quarantine zero-day threats. Progent also offers the services of seasoned crypto-ransomware recovery professionals with the track record and commitment to rebuild a breached system as soon as possible.
Progent's Crypto-Ransomware Recovery Support Services
After a crypto-ransomware attack, paying the ransom in Bitcoin does not guarantee that the criminal gangs will respond with the keys needed to decrypt any or all of your files. Kaspersky estimated that seventeen percent of ransomware victims never restored their information even after paying the ransom, compounding their losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the average ransomware demand, which ZDNET determined to be approximately $13,000 for smaller organizations. The alternative is to piece back together the essential elements of your Information Technology environment. Without access to full data backups, this requires a broad range of skill sets, professional project management, and the capability to work non-stop until the recovery project is completed.
For twenty years, Progent has provided expert Information Technology services for businesses throughout the U.S. and has earned Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who hold advanced industry certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have earned internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise in financial systems and ERP software solutions. This breadth of expertise gives Progent the skills to quickly identify the necessary systems, salvage the remaining parts of your Information Technology environment after a ransomware event, and configure them into an operational network.
Progent's recovery group has top-notch project management systems to coordinate the complicated restoration process. Progent understands the urgency of acting quickly and in unison with a client's management and IT staff to prioritize tasks and to get critical systems back online as fast as humanly possible.
Client Case Study: A Successful Ransomware Incident Response
A client escalated to Progent after their company was brought down by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean state cybercriminals, possibly adopting technology leaked from the U.S. National Security Agency. Ryuk targets specific businesses with little tolerance for operational disruption and is among the most profitable versions of ransomware malware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturer based in the Chicago metro area with around 500 employees. The Ryuk event had shut down all company operations and manufacturing capabilities. The majority of the client's system backups had been directly accessible at the start of the intrusion and were encrypted. The client was preparing to pay the ransom (more than $200,000) and hope for the best, but in the end decided to engage Progent.
"I cannot say enough about the care Progent provided us throughout the most critical time of (our) company's life. We most likely would have paid the criminal gangs if not for the confidence the Progent group afforded us. The fact that you could get our messaging and important applications back on-line sooner than seven days was beyond my wildest dreams. Each person I talked with or texted at Progent was absolutely committed to getting my company operational and was working at breakneck pace to bail us out."
Progent worked with the customer to quickly identify and prioritize the key applications that had to be recovered in order to restart company operations:
- Windows Active Directory
- Microsoft Exchange Email
To begin, Progent followed industry best practices for ransomware incident response by containing the spread and removing the malware. Progent then began restoring Microsoft Active Directory, the core technology of enterprise networks built on Microsoft Windows. Microsoft Exchange Server email will not function without Active Directory, and the business's MRP software ran on Microsoft SQL Server, which requires Active Directory for authentication to the database.
In less than two days, Progent was able to restore Active Directory to its pre-intrusion state. Progent then rebuilt the needed applications and recovered their data from disk. All Microsoft Exchange Server links and attributes in Active Directory were intact, which facilitated the rebuild of Exchange. Progent was also able to collect intact OST files (Microsoft Outlook Offline Folder Files) from staff workstations to recover mail messages. A relatively recent off-line backup of the business's manufacturing systems made it possible to bring these essential services back on-line. Although major work remained to recover completely from the Ryuk attack, essential services were returned to operation quickly:
"For the most part, the manufacturing operation ran fairly normal throughout and we did not miss any customer deliverables."
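The OST collection step described above is the kind of task a recovery team scripts rather than does by hand. The following PowerShell is an added example, not Progent's tooling or part of the case study: it inventories Outlook OST files on a workstation, records size, last-write time and a SHA-256 hash for each, and flags any file written after the incident start (a constructed placeholder timestamp you must replace) as needing verification before it is used for mailbox recovery. The profile path it searches is the default Outlook cache location; any other locations are an assumption you would add for your own environment.

```powershell
# Added example, not part of Progent's case study. Run locally on a workstation
# with administrative rights and with Outlook closed (open OST files are locked).
param(
    # Placeholder: replace with the real incident start time from your timeline.
    [datetime]$IncidentStart = (Get-Date '2020-01-01T00:00:00'),
    [string]$ReportPath = "$env:TEMP\ost-inventory.csv"
)

# Default Outlook cache location under each user profile (assumption: other
# locations, e.g. redirected profiles, would be added to this list).
$searchRoots = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Microsoft\Outlook' }

$inventory = foreach ($root in $searchRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter '*.ost' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # An OST written after the incident began may have been touched by the
            # ransomware; mark it for verification rather than trusting it blindly.
            $status = if ($_.LastWriteTime -gt $IncidentStart) { 'Verify' } else { 'LikelyIntact' }

            # Hash recorded before the file is copied off, so the copy can be
            # checked against the original (chain of custody for the evidence).
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash

            [pscustomobject]@{
                Computer      = $env:COMPUTERNAME
                Path          = $_.FullName
                SizeMB        = [math]::Round($_.Length / 1MB, 1)
                LastWriteTime = $_.LastWriteTime
                Status        = $status
                SHA256        = $hash
            }
        }
}

# Largest likely-intact caches first: they recover the most mail for the least effort.
$inventory | Sort-Object Status, SizeMB -Descending | Export-Csv -Path $ReportPath -NoTypeInformation
$inventory | Format-Table Computer, SizeMB, LastWriteTime, Status, Path -AutoSize
```

Running the script on each workstation (for example through your RMM tool) and merging the CSV reports gives the recovery team a ranked list of which machines to collect OST files from first, and the recorded hashes let you confirm that the copies taken off the workstations match the originals.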
Over the following month, important milestones in the restoration project were completed through close cooperation between Progent engineers and the client:
- In-house web sites were restored with no loss of information.
- The MailStore archive server for Microsoft Exchange, containing more than four million archived emails, was restored and made available to users.
- CRM/Orders/Invoices/Accounts Payable/AR/Inventory Control functions were 100% functional.
- A new Palo Alto 850 security appliance was installed and configured.
- Most of the desktops and laptops were back in use by staff.
"A huge amount of what occurred that first week is mostly a haze for me, but I will not forget the urgency all of your team put in to help get our business back. I've been working together with Progent for at least 10 years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This time was a testament to your capabilities."
A potential business catastrophe was dodged with hard-working experts, a broad range of technical expertise, and close teamwork. Although post-incident forensics showed that the ransomware attack detailed here could have been stopped with advanced cyber security systems, NIST Cybersecurity Framework best practices, staff training, and properly executed procedures for backups and software patching, the fact remains that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by crypto-ransomware, feel confident that Progent's team of professionals has extensive experience in ransomware blocking, removal, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thank you for letting me get some sleep after we got through the initial push. Everyone did an incredible effort, and if anyone is in the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)