Ransomware: Your Feared Information Technology Nightmare
Crypto-ransomware has become an all-too-frequent cyberplague that represents an existential danger for businesses unprepared for an attack. Earlier iterations of ransomware such as CryptoLocker, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been out in the wild for a long time and still cause harm. Modern strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nephilim, plus the as-yet-unnamed malware that appears daily, not only encrypt online files but also infiltrate any system protection mechanisms they can reach. Data replicated to the cloud can also be encrypted. In a poorly designed environment, this can render recovery hopeless and effectively knocks the network back to square one.
Getting programs and information back online after a ransomware event becomes a sprint against the clock as the targeted organization tries to contain the damage, eradicate the crypto-ransomware, and resume business-critical activity. Because crypto-ransomware takes time to spread, attacks are frequently launched during nights and weekends, when they tend to take longer to uncover. This compounds the difficulty of promptly mobilizing and orchestrating a qualified response team.
Progent provides a variety of support services for protecting Valencia businesses from crypto-ransomware events. Among these are team member training to help staff recognize and avoid phishing attempts, and ProSight Active Security Monitoring (ASM) for endpoint detection and response, which uses SentinelOne's AI-based cyberthreat protection to discover and disable zero-day modern malware attacks. Progent can also provide the services of veteran ransomware recovery engineers with the skills and commitment to restore a breached system as rapidly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware event, paying the ransom demand in cryptocurrency does not ensure that the distant criminals will respond with the keys to decrypt any or all of your information. Kaspersky determined that 17% of ransomware victims never restored their information after having paid the ransom, resulting in increased losses. The ransoms themselves are also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the typical ransomware demand, which ZDNET determined to be in the range of $13,000 for smaller organizations. The alternative is to piece back together the vital parts of your Information Technology environment. Without complete system backups, this calls for a wide range of skills, professional team management, and the willingness to work non-stop until the task is complete.
For decades, Progent has provided professional Information Technology services for businesses across the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have attained advanced industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise in accounting and ERP application software. This breadth of expertise gives Progent the capability to rapidly identify the necessary systems, reorganize the remaining parts of your computer network environment after a ransomware penetration, and configure them into an operational system.
Progent's ransomware group uses state-of-the-art project management systems to orchestrate the complex restoration process. Progent appreciates the urgency of working swiftly and in unison with a client's management and Information Technology team members to prioritize tasks and to put critical systems back online as fast as possible.
Client Case Study: A Successful Ransomware Attack Response
A business contacted Progent after their network was attacked by the Ryuk ransomware. Ryuk is believed to have been launched by North Korean state-sponsored hackers, possibly adopting technology leaked from the U.S. National Security Agency. Ryuk targets specific organizations with little or no room for operational disruption and is one of the most lucrative versions of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in the Chicago metro area with about 500 workers. The Ryuk intrusion had disabled all company operations and manufacturing capabilities. The majority of the client's system backups had been directly accessible from the network at the beginning of the attack and were encrypted. The client was evaluating paying the ransom (exceeding two hundred thousand dollars) and hoping for good luck, but in the end decided to engage Progent.
"I cannot thank you enough for the expertise Progent gave us during the most stressful period of (our) business's life. We would have paid the cybercriminals except for the confidence the Progent group gave us. The fact that you were able to get our e-mail and key applications back on-line faster than five days was something I thought impossible. Each staff member I interacted with or texted at Progent was amazingly focused on getting us working again and was working day and night on our behalf."
Progent worked together with the customer to rapidly identify and prioritize the key services that needed to be addressed to make it possible to restart departmental functions:
To start, Progent followed industry best practices for malware incident response by containing the spread and cleaning infected systems. Progent then began recovering Microsoft Active Directory, the core technology of enterprise environments built on Microsoft products. Microsoft Exchange Server messaging will not function without AD, and the customer's MRP system used Microsoft SQL Server, which relies on Active Directory for authentication and authorization to the data.
- Active Directory
- Exchange Server
Within 48 hours, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then performed reinstallations and hard drive recovery on the required servers. All of Exchange Server's Active Directory links and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to locate non-encrypted OST files (Microsoft Outlook Offline Data Files) on team PCs in order to recover mail data. A recent offline backup of the business's accounting/ERP software made it possible to bring these essential applications back online. Although major work remained to recover completely from the Ryuk event, critical systems were returned to operation rapidly:
"For the most part, the manufacturing operation did not miss a beat and we did not miss any customer deliverables."
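The OST recovery step described above depends on finding cached Outlook data files whose contents the ransomware did not overwrite. The following is an added example, not Progent's tooling or code from this case: it walks a directory tree, collects every .ost/.pst (including files the malware renamed with an appended extension), and sorts them by whether the first four bytes still carry the Outlook data-file magic value 0x4E444221 ("!BDN") documented in the MS-PST specification. The directory layout, file names and contents in `build_sample_tree` are constructed stand-ins, not real mailbox data.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Outlook data files (.ost/.pst) begin with dwMagic = 0x4E444221, which is
# stored little-endian and therefore reads as the ASCII bytes "!BDN" on disk
# (MS-PST specification, HEADER structure).
OUTLOOK_MAGIC = b"!BDN"
OUTLOOK_SUFFIXES = {".ost", ".pst"}


def classify_outlook_file(path: Path) -> str:
    """Return 'intact', 'damaged' or 'unreadable' for one Outlook data file.

    Whole-file encryption overwrites the first bytes, so a missing magic
    value is a strong (not perfect) indicator that the file was encrypted
    and should not be the first candidate handed to Outlook or a repair tool.
    """
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(OUTLOOK_MAGIC))
    except OSError:
        return "unreadable"
    return "intact" if head == OUTLOOK_MAGIC else "damaged"


def find_outlook_files(root: Path) -> List[Path]:
    """Walk root and collect every file whose name carries .ost or .pst.

    Path.suffixes is used rather than Path.suffix so that files a ransomware
    renamed with an appended extension (e.g. 'mailbox.ost.locked') are still
    picked up and reported instead of silently skipped.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if OUTLOOK_SUFFIXES & {s.lower() for s in Path(name).suffixes}:
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def triage(root: Path) -> Dict[str, List[Path]]:
    """Group every Outlook data file under root by recoverability."""
    buckets: Dict[str, List[Path]] = {"intact": [], "damaged": [], "unreadable": []}
    for path in find_outlook_files(root):
        buckets[classify_outlook_file(path)].append(path)
    return buckets


def build_sample_tree(base: Path) -> Path:
    """Write a small constructed set of files mimicking what a recovery
    engineer finds on user PCs. Synthetic stand-ins, not real mailbox data."""
    users = base / "Users"
    (users / "alice" / "Outlook").mkdir(parents=True)
    (users / "bob" / "Outlook").mkdir(parents=True)
    # Alice's cached mailbox kept its header: a candidate for mail recovery.
    (users / "alice" / "Outlook" / "mailbox.ost").write_bytes(OUTLOOK_MAGIC + b"\x00" * 508)
    # An older archive, also intact.
    (users / "alice" / "Outlook" / "archive.pst").write_bytes(OUTLOOK_MAGIC + b"\x00" * 508)
    # Bob's mailbox was overwritten with ciphertext and renamed by the malware.
    (users / "bob" / "Outlook" / "mailbox.ost.locked").write_bytes(bytes(range(256)) * 2)
    # An unrelated document that must not be reported at all.
    (users / "bob" / "notes.txt").write_bytes(b"meeting notes")
    return base


def run_demo() -> Dict[str, List[str]]:
    """Build the sample tree in a temp dir, triage it, and return the
    relative POSIX-style paths per bucket."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp))
        result = triage(root)
        return {k: sorted(p.relative_to(root).as_posix() for p in v)
                for k, v in result.items()}


if __name__ == "__main__":
    for bucket, paths in run_demo().items():
        print(bucket, paths)
```

In a real recovery the root would be each workstation's user-profile directory (mounted or reached over an administrative share) rather than the constructed temp tree; the "intact" bucket is the list worth copying off before any reimaging, and the "damaged" bucket records which users' cached mail will have to come from server-side backups or archives instead.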
During the following couple of weeks, key milestones in the recovery project were accomplished through tight cooperation between Progent team members and the client:
- Internal web sites were brought back up without losing any information.
- The MailStore archive for Microsoft Exchange Server, containing more than 4 million archived messages, was brought up and made accessible to users.
- CRM/Orders/Invoices/AP/Accounts Receivables (AR)/Inventory Control capabilities were completely recovered.
- A new Palo Alto 850 security appliance was brought online.
- Ninety percent of the user PCs were fully operational.
"So much of what was accomplished in the initial days is nearly entirely a fog for me, but I will not forget the commitment all of you showed to help get our company back. I've trusted Progent for at least 10 years, possibly more, and every time Progent has come through and delivered as promised. This time was a Herculean accomplishment."
A probable business-killing catastrophe was averted through top-tier experts, a wide spectrum of subject matter expertise, and close teamwork. In hindsight, the ransomware incident described here would have been identified and stopped by advanced security technology, ISO/IEC 27001 best practices, staff training, and well-thought-out procedures for backups and for keeping systems current with security patches. The fact remains, however, that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware penetration, you can be confident that Progent's roster of professionals has extensive experience in crypto-ransomware blocking, removal, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were helping), thank you for making it so I could get some sleep after we made it past the first week. All of you did an impressive effort, and if any of your team is in the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this customer case study, click: Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Recovery Consulting in Valencia
For ransomware system restoration consulting in the Valencia area, call Progent at 800-462-8800 or visit Contact Progent.