Ransomware : Your Worst Information Technology Nightmare
Ransomware has become a modern cyber pandemic that poses an extinction-level danger for businesses of all sizes that are poorly prepared for an attack. Earlier ransomware families such as CryptoLocker, WannaCry, Locky, SamSam and MongoLock have been around for many years and still inflict harm. More recent crypto-ransomware variants like Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Egregor, as well as a steady stream of as yet unnamed newcomers, not only encrypt online data but also reach any backup or protection system they can access. Data synced to the cloud can also be encrypted. In a poorly designed environment, this can make automatic recovery impossible and effectively knock the datacenter back to zero.
Restoring applications and data after a crypto-ransomware event becomes a sprint against the clock as the targeted organization struggles to stop lateral movement, remove the ransomware, and restore business-critical activity. Because crypto-ransomware needs time to move laterally, attacks are usually launched on weekends and holidays, when they often take longer to discover. This compounds the difficulty of quickly assembling and organizing an experienced mitigation team.
Progent offers an assortment of services for protecting Madison enterprises from ransomware events. These include staff education to help recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security gateways with machine learning capabilities to rapidly identify and block new threats. Progent also offers the services of veteran ransomware recovery professionals with the track record and perseverance to rebuild a breached environment as quickly as possible.
Progent's Crypto-Ransomware Restoration Help
Following a ransomware attack, paying the ransom in cryptocurrency provides no assurance that the remote criminals will respond with the keys needed to decrypt any or all of your data. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC ($120,000 to $400,000). This is significantly above the average ransomware demand, which ZDNet estimated at around $13,000 for small organizations. The alternative is to piece back together the critical elements of your IT environment. Without usable system backups, this calls for a wide range of skill sets, well-coordinated team management, and the willingness to work non-stop until the job is complete.
For twenty years, Progent has provided professional IT services to companies across the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who hold advanced industry certifications in foundation technologies from Microsoft, Cisco, VMware, and major Linux distributions. Progent's security engineers have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has experience with financial systems and ERP applications. This breadth of experience gives Progent the skills to efficiently understand the necessary systems, integrate the surviving pieces of your IT environment after a crypto-ransomware event, and rebuild them into an operational system.
Progent's ransomware team of experts uses state-of-the-art project management systems to coordinate the complex restoration process. Progent appreciates the urgency of working quickly and in concert with a customer's management and IT resources to prioritize tasks and bring essential applications back online as soon as possible.
Customer Case Study: A Successful Ransomware Penetration Recovery
A business escalated to Progent after their network was taken over by Ryuk ransomware. Ryuk is thought to have been developed by North Korean state-backed criminal gangs, suspected of adopting techniques leaked from the United States National Security Agency (NSA). Ryuk targets specific businesses with limited tolerance for disruption and is among the most profitable examples of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturer based in Chicago with around 500 employees. The Ryuk intrusion had frozen all company operations and manufacturing processes. The majority of the client's data backups had been directly accessible from the network at the start of the intrusion and were encrypted. The client was actively seeking loans to pay the ransom demand (exceeding $200,000) and hoping for the best, but ultimately engaged Progent.
"I can't tell you enough in regards to the care Progent gave us during the most stressful time of (our) business's survival. We most likely would have paid the cyber criminals if it wasn't for the confidence the Progent team gave us. That you could get our messaging and essential applications back online faster than five days was amazing. Every single staff member I interacted with or messaged at Progent was urgently focused on getting us operational and was working 24 by 7 on our behalf."
Progent worked hand in hand with the customer to quickly understand and prioritize the most important services that had to be addressed in order to restart departmental functions:
- Microsoft Active Directory
- Microsoft Exchange Email
- MRP System
To start, Progent followed ransomware incident mitigation best practices by stopping the spread and cleaning infected systems. Progent then began the work of recovering Windows Active Directory, the core of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange email will not work without Active Directory, and the business's accounting and MRP applications relied on Microsoft SQL Server, which requires Windows AD for authentication to the data.
In less than 48 hours, Progent was able to recover Active Directory to its pre-intrusion state. Progent then completed server rebuilds and disk recovery for key applications. All Exchange links and attributes were intact, which facilitated the restoration of Exchange. Progent was also able to collect intact OST files (Outlook Offline Folder Files) from staff workstations and laptops to recover mail messages. A relatively recent offline backup of the client's financial/ERP systems made it possible to bring these required applications back online for users. Although a large amount of work remained to recover fully from the Ryuk attack, critical services were restored quickly:
"For the most part, the production line operation did not miss a beat and we made all customer deliverables."
Over the following month, key milestones in the restoration process were completed through close cooperation between Progent engineers and the client:
- Internal web applications were returned to operation without losing any data.
- The MailStore Server with over 4 million archived messages was brought online and available for users.
- CRM/Orders/Invoicing/Accounts Payable/AR/Inventory Control modules were 100% functional.
- A new Palo Alto Networks 850 security appliance was brought online.
- 90% of the user desktops were back into operation.
"So much of what was accomplished that first week is mostly a fog for me, but my team will not forget the dedication each of you put in to help get our company back. I have entrusted Progent for the past ten years, maybe more, and every time I needed help Progent has impressed me and delivered. This event was a Herculean accomplishment."
A likely company-ending catastrophe was averted through dedicated experts, a broad spectrum of technical expertise, and close collaboration. Although in a post-mortem review the ransomware incident described here could have been identified and stopped with up-to-date cyber security technology and best practices, staff education, and appropriate procedures for data backup and keeping systems current with security patches, the fact is that state-sponsored cybercriminals from China, North Korea and elsewhere are relentless and will continue. If you do fall victim to a crypto-ransomware intrusion, remember that Progent's team of experts has proven experience in ransomware blocking, mitigation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were involved), thank you for making it so I could get rested after we made it through the initial push. All of you did an incredible effort, and if anyone that helped is around the Chicago area, dinner is the least I can do!"
Download the Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this case study, see Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Recovery Consulting in Madison
For ransomware recovery consulting in the Madison metro area, call Progent at 800-462-8800 or go to Contact Progent.