Ransomware : Your Crippling IT Catastrophe
Ransomware has become an escalating cyberplague that poses an existential threat to businesses vulnerable to an assault. Multiple generations of crypto-ransomware such as the CryptoLocker, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for many years and still cause havoc. Newer strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit and Egregor, plus frequent as-yet-unnamed newcomers, not only encrypt online critical data but also infect every system backup they can reach. Files synched to the cloud can also be rendered useless. In a poorly designed data protection solution, this can make any restore operation useless and effectively sets the datacenter back to zero.
Restoring services and data after a crypto-ransomware attack becomes a sprint against the clock as the targeted business fights to contain and remove the crypto-ransomware and to restore enterprise-critical activity. Since ransomware needs time to spread, attacks are frequently sprung during nights and weekends, when successful penetrations may take longer to recognize. This multiplies the difficulty of quickly mobilizing and coordinating an experienced response team.
Progent offers a range of help services for protecting Madison businesses from crypto-ransomware penetrations. These include staff training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of modern security appliances with artificial intelligence technology to rapidly identify and extinguish zero-day cyber threats. Progent in addition can provide the services of expert crypto-ransomware recovery professionals with the talent and perseverance to restore a breached network as quickly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware penetration, sending the ransom in Bitcoin cryptocurrency does not ensure that merciless criminals will return the keys needed to decrypt any of your data. Kaspersky estimated that seventeen percent of ransomware victims never recovered their data even after sending off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the average ransomware demand, which ZDNET estimated to be approximately $13,000 for smaller organizations. The alternative is to re-install the key parts of your Information Technology environment. Absent complete information backups, this requires a wide range of skills, professional project management, and the capability to work continuously until the job is finished.
For decades, Progent has offered professional Information Technology services for businesses across the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have attained high-level certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have garnered internationally-recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent in addition has expertise in financial management and ERP application software. This breadth of expertise gives Progent the skills to quickly identify important systems and consolidate the remaining parts of your computer network system following a crypto-ransomware attack and rebuild them into a functioning system.
Progent's ransomware team of experts utilizes state-of-the-art project management applications to coordinate the complicated restoration process. Progent understands the urgency of working swiftly and together with a customer's management and IT team members to assign priority to tasks and to get the most important services back on line as fast as possible.
Business Case Study: A Successful Ransomware Intrusion Response
A small business engaged Progent after their network system was attacked by the Ryuk ransomware virus. Ryuk is thought to have been deployed by North Korean government-sponsored cybercriminals, suspected of using strategies leaked from the U.S. National Security Agency. Ryuk attacks specific businesses with little ability to sustain operational disruption and is one of the most lucrative examples of crypto-ransomware. Well-known victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing company located in the Chicago metro area with around 500 employees. The Ryuk penetration had disabled all essential operations and manufacturing processes. Most of the client's data backups had been online at the start of the attack and were destroyed. The client was preparing to pay the ransom demand (in excess of $200,000) and hoping for good luck, but in the end reached out to Progent.
"I can't say enough about the care Progent provided us throughout the most critical time of (our) company's life. We had little choice but to pay the cyber criminals except for the confidence the Progent team provided us. That you were able to get our messaging and important applications back on-line quicker than five days was incredible. Each expert I interacted with or communicated with at Progent was absolutely committed on getting us restored and was working 24/7 on our behalf."
Progent worked together with the client to quickly determine and prioritize the mission-critical systems that had to be restored to make it possible to continue departmental functions:
- Active Directory
- Microsoft Exchange Server
To start, Progent followed ransomware event mitigation industry best practices by isolating and disinfecting systems. Progent then began the process of restoring Microsoft Active Directory, the core of enterprise environments built on Microsoft Windows technology. Microsoft Exchange messaging will not operate without Active Directory, and the business's accounting and MRP software leveraged Microsoft SQL Server, which needs Active Directory services for access to the database.
In less than 2 days, Progent was able to re-build Active Directory services to its pre-penetration state. Progent then initiated setup and storage recovery of the most important servers. All Exchange Server data and configuration information were usable, which accelerated the restore of Exchange. Progent was also able to collect local OST files (Outlook Off-Line Data Files) from user PCs and laptops in order to recover mail messages. A recent off-line backup of the customer's accounting software made it possible to return these essential programs to service. Although a large amount of work still had to be done to recover totally from the Ryuk event, core systems were restored quickly:
"For the most part, the production manufacturing operation was never shut down and we delivered all customer sales."
Throughout the following few weeks important milestones in the recovery project were completed in close collaboration between Progent consultants and the customer:
- In-house web applications were returned to operation with no loss of information.
- The MailStore Exchange Server with over four million historical messages was spun up and accessible to users.
- CRM/Customer Orders/Invoices/AP/AR/Inventory Control capabilities were 100 percent functional.
- A new Palo Alto 850 security appliance was brought online.
- Most of the user PCs were functioning as before the incident.
"Much of what went on that first week is mostly a haze for me, but my management will not soon forget the commitment all of the team accomplished to help get our business back. I've been working with Progent for the past ten years, possibly more, and every time Progent has shined and delivered. This event was a Herculean accomplishment."
A potential business-ending disaster was averted by results-oriented professionals, a wide range of technical expertise, and tight teamwork. Although post-incident analysis showed that the ransomware incident detailed here could have been identified and disabled with advanced cyber security technology and best practices, team training, and appropriate incident response procedures for data backup and proper patching controls, the fact remains that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a ransomware attack, remember that Progent's roster of experts has substantial experience in ransomware virus blocking, mitigation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for making it so I could get some sleep after we made it past the initial push. All of you did a fabulous job, and if any of your team is around the Chicago area, a great meal is my treat!"
Download the Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)