Ransomware: Your Feared Information Technology Disaster
Ransomware has become an all-too-frequent cyber pandemic that represents an existential threat to businesses of any size that are unprepared for an attack. Multiple generations of ransomware such as CryptoLocker, Fusob, Locky, NotPetya and the MongoLock cryptoworm have been circulating for years and continue to inflict damage. Newer strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Egregor, along with as-yet-unnamed variants that appear daily, not only encrypt online information but also seek out and destroy any system backups they can reach. Information synchronized to the cloud can also be rendered useless. In a vulnerable environment, this defeats automatic restore operations and effectively knocks the network back to square one.
Restoring services and data after a crypto-ransomware intrusion becomes a sprint against time as the targeted business fights to stop the spread, eradicate the ransomware, and resume mission-critical operations. Because ransomware needs time to replicate, intrusions are usually launched on weekends and holidays, when a successful attack is likely to go undiscovered for longer. This multiplies the difficulty of promptly marshalling and organizing a knowledgeable mitigation team.
Progent provides an assortment of help services for protecting Waltham businesses from ransomware attacks. These include staff education to become familiar with and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with installation of next-generation security solutions with AI capabilities to intelligently identify and extinguish zero-day cyber threats. Progent also offers the assistance of experienced crypto-ransomware recovery professionals with the skills and commitment to restore a compromised network as rapidly as possible.
Progent's Crypto-Ransomware Recovery Support Services
Following a ransomware intrusion, paying the ransom in cryptocurrency provides no assurance that the attackers will supply the keys to decrypt any of your information. Kaspersky found that seventeen percent of ransomware victims never recovered their files after paying the ransom, compounding their losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC (roughly $120,000 to $400,000). This is well above the average ransomware demand, which ZDNET determined to be approximately $13,000 for smaller organizations. The alternative is to rebuild the key elements of your Information Technology environment. Without access to complete data backups, this calls for a broad range of IT skills, top-notch project management, and the willingness to work non-stop until the job is finished.
For decades, Progent has provided professional IT services for companies throughout the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who hold advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers hold internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise with financial management and ERP application software. This breadth of experience allows Progent to knowledgeably identify critical systems, salvage the surviving parts of your network after a crypto-ransomware event, and reassemble them into an operational network.
Progent's recovery team uses best-of-breed project management tools to orchestrate the complicated recovery process. Progent understands the urgency of acting swiftly and in concert with a customer's management and IT staff to prioritize tasks and to bring essential services back online as fast as possible.
Case Study: A Successful Crypto-Ransomware Attack Restoration
A customer contacted Progent after their network was brought down by Ryuk crypto-ransomware. Ryuk is believed to have been developed by North Korean state-sponsored cybercriminals, suspected of using techniques leaked from America's National Security Agency. Ryuk targets specific companies with little or no tolerance for disruption and is among the most lucrative strains of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing business based in the Chicago metro area with around 500 workers. The Ryuk attack had shut down all business operations and manufacturing processes. Most of the client's backups had been online at the time of the attack and were destroyed. The client was preparing to pay the ransom demand (in excess of $200,000) and hope for the best, but instead engaged Progent.
"I cannot say enough about the expertise Progent provided us during the most stressful time of (our) business's existence. We most likely would have paid the cyber criminals if not for the confidence the Progent group provided us. The fact that you were able to get our messaging and critical servers back on-line in less than seven days was something I thought impossible. Each expert I got help from or messaged at Progent was absolutely committed to getting our company operational and was working at breakneck pace on our behalf."
Progent worked hand in hand with the customer to quickly identify and prioritize the key services that had to be restored in order to restart departmental operations:
- Active Directory (AD)
- Electronic Mail
- MRP System
To begin, Progent followed ransomware incident mitigation best practices by stopping lateral movement and performing malware removal steps. Progent then began the task of bringing Microsoft Active Directory back online, since AD is the foundation of enterprise networks built on Microsoft technology: Microsoft Exchange email will not work without AD, and the customer's accounting and MRP applications relied on SQL Server, which in turn needs Windows AD to authenticate access to the database.
In less than 2 days, Progent was able to restore Active Directory services to their pre-intrusion state. Progent then rebuilt critical systems and recovered their storage. All Exchange schema and configuration information was intact, which facilitated the rebuild of Exchange. Progent was also able to locate local OST files (Outlook Offline Folder Files) on staff PCs and laptops to recover email data. A recent offline backup of the customer's accounting software allowed these essential services to be returned to users. Although significant work remained to recover completely from the Ryuk attack, essential services were returned to operation rapidly:
"For the most part, the production operation never missed a beat and we made all customer deliverables."
Over the next month, important milestones in the recovery project were achieved through close collaboration between Progent engineers and the client:
- Self-hosted web applications were brought back up without losing any information.
- The MailStore Server with over 4 million historical emails was spun up and accessible to users.
- CRM/Orders/Invoices/Accounts Payable/AR/Inventory capabilities were completely operational.
- A new Palo Alto Networks 850 firewall was set up.
- Nearly all of the user workstations were back in use by staff.
"Much of what happened those first few days is nearly entirely a blur for me, but we will not soon forget the urgency each and every one of you put in to help get our company back. I have entrusted Progent for the past ten years, maybe more, and every time Progent has shined and delivered as promised. This event was a testament to your capabilities."
A potential business-ending catastrophe was averted with top-tier professionals, a broad range of IT skills, and tight teamwork. In retrospect, the ransomware intrusion described here should have been blocked by current security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and well-designed procedures for backups and software patching. The fact remains, however, that government-sponsored cybercriminals from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware attack, you can be confident that Progent's roster of experts has a proven track record in ransomware blocking, removal, and data restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), I'm grateful for making it so I could get some sleep after we made it past the initial push. Everyone did an amazing job, and if anyone that helped is around the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Consulting Services in Waltham
For ransomware recovery expertise in the Waltham metro area, call Progent at 800-462-8800 or go to Contact Progent.