Ransomware: Your Worst IT Disaster
Ransomware has become an all-too-frequent cyberplague that presents an existential danger to any organization vulnerable to an attack. Crypto-ransomware families such as CrySIS, WannaCry, Locky, SamSam and the MongoLock cryptoworm have been circulating for many years and continue to cause harm. More recent variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nefilim, plus additional as yet unnamed strains, not only encrypt critical online data but also reach and compromise every configured system backup. Files replicated to the cloud can also be held for ransom. In a poorly designed environment, this can make automated restoration hopeless and essentially sets the datacenter back to square one.
Bringing applications and data back online after a crypto-ransomware attack becomes a race against the clock as the targeted business struggles to stop the spread, clear the crypto-ransomware, and restore business-critical activity. Since ransomware takes time to spread, attacks are often launched at night, when successful penetrations typically take longer to discover. This compounds the difficulty of rapidly assembling and orchestrating a knowledgeable response team.
Progent offers a range of services for securing Waltham enterprises against ransomware attacks. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of the latest generation of security gateways with AI capabilities to rapidly detect and quarantine new threats. Progent can also provide the assistance of seasoned ransomware recovery consultants with the skill and commitment to reconstruct a compromised system as quickly as possible.
Progent's Ransomware Recovery Support Services
After a crypto-ransomware event, paying the ransom demand in cryptocurrency does not guarantee that the cyber criminals will hand over the keys needed to decrypt any of your data. Kaspersky Labs found that 17% of crypto-ransomware victims never recovered their information even after paying the ransom, compounding their losses. Paying is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far above the typical ransomware demand, which ZDNET estimated at around $13,000 for smaller businesses. The alternative is to rebuild the mission-critical elements of your Information Technology environment from scratch. Without access to full data backups, this calls for a wide complement of skill sets, professional team management, and the ability to work 24x7 until the recovery project is finished.
For two decades, Progent has provided professional Information Technology services for companies throughout the US and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who hold advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications.) Progent also has experience with accounting and ERP applications. This breadth of expertise gives Progent the skills to quickly identify important systems, organize the surviving components of your network after a crypto-ransomware attack, and configure them into an operational system.
Progent's security team uses top-notch project management applications to coordinate the complex restoration process. Progent appreciates the importance of acting swiftly and in concert with a client's management and IT staff to prioritize tasks and get critical systems back online as soon as possible.
Customer Case Study: A Successful Ransomware Incident Recovery
A customer contacted Progent after their network was attacked by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state hackers, possibly using algorithms leaked from the United States National Security Agency. Ryuk targets specific organizations with little ability to sustain disruption and is one of the most lucrative ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing business located in Chicago with about 500 employees. The Ryuk attack had shut down all essential operations and manufacturing processes. Most of the client's backups had been online at the time of the attack and were corrupted. The client was considering paying the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but in the end decided to engage Progent.
"I cannot say enough in regards to the support Progent provided us throughout the most fearful period of (our) company's survival. We may have had to pay the cybercriminals if not for the confidence the Progent experts gave us. The fact that you were able to get our e-mail system and critical servers back into operation in less than five days was earth shattering. Every single staff member I got help from or messaged at Progent was amazingly focused on getting us operational and was working all day and night to bail us out."
Progent worked with the customer to rapidly identify and prioritize the essential applications that had to be recovered in order to continue company operations:
- Microsoft Active Directory
- Exchange Server
- MRP System
To begin, Progent followed ransomware incident response best practices by halting the spread and performing malware removal. Progent then started bringing Microsoft Active Directory back online, since AD is the heart of enterprise networks built on Microsoft Windows technology. Exchange messaging will not operate without AD, and the client's accounting and MRP system ran on Microsoft SQL Server, which depended on Active Directory for authenticated access to the databases.
In less than two days, Progent restored Active Directory to its pre-intrusion state. Progent then rebuilt key systems and recovered data from their hard drives. All Exchange Server data and configuration information were intact, which greatly simplified the rebuild of Exchange. Progent was also able to locate intact OST files (Microsoft Outlook Offline Folder Files) on staff workstations and laptops and used them to recover mail messages. A relatively recent offline backup of the client's financials/MRP software made it possible to bring these vital applications back into service. Although a great deal of work remained to recover completely from the Ryuk attack, critical systems were restored rapidly:
"For the most part, the assembly line operation survived unscathed and we produced all customer orders."
Over the following couple of weeks, important milestones in the restoration project were reached through close cooperation between Progent consultants and the customer:
- Internal web applications were restored with no loss of information.
- The MailStore Exchange archive server, holding more than 4 million archived messages, was restored to operation and made available to users.
- CRM, Orders, Invoices, Accounts Payable, Accounts Receivable and Inventory Control functions were completely restored.
- A new Palo Alto 850 firewall was set up.
- Nearly all of the desktops and laptops were back in use by staff.
"Much of what was accomplished that first week is mostly a blur for me, but our team will not soon forget the care each and every one of the team accomplished to help get our business back. I've been working with Progent for the past 10 years, possibly more, and every time Progent has outperformed my expectations and delivered. This event was a Herculean accomplishment."
A probable business-killing catastrophe was averted by results-oriented professionals, a broad spectrum of technical expertise, and tight teamwork. In hindsight, the ransomware attack described here should have been stopped by advanced cyber security systems, NIST Cybersecurity Framework best practices, user training, and well-designed security procedures for information protection and software patching. The fact remains, however, that state-sponsored hackers from China, North Korea and elsewhere are relentless and an ongoing threat. If you are hit by a ransomware incident, remember that Progent's team of experts has proven experience in ransomware blocking, remediation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thank you for allowing me to get some sleep after we made it through the most critical parts. All of you did an amazing job, and if any of your team is around the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)