Ransomware : Your Feared Information Technology Disaster
Ransomware has become a modern cyberplague that poses an enterprise-level threat to businesses of every size that are poorly prepared for an attack. Multiple generations of ransomware families such as Reveton, Fusob, Bad Rabbit, Syskey and MongoLock have been circulating for years and continue to inflict damage. Current crypto-ransomware strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nefilim, along with newer strains that have not yet been named, not only encrypt online data but also encrypt or delete any backups they can reach over the network. Data replicated to an off-site disaster recovery site can be encrypted as well, because the replication faithfully copies the encrypted files. In a poorly designed data protection solution that keeps no offline or immutable copy, this leaves automated restore operations hopeless and effectively sets the entire environment back to square one.
Bringing applications and data back online after a ransomware attack becomes a sprint against time as the targeted business fights to contain the damage, remove the malware, and restore mission-critical operations. Because ransomware needs time to spread and encrypt, attacks are often launched on weekends, when they tend to take longer to detect. This compounds the difficulty of quickly mobilizing and orchestrating a qualified mitigation team.
Progent offers an assortment of services for protecting Lower Manhattan businesses from ransomware events. These include team training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of next-generation security solutions with AI technology that automatically identify and contain zero-day threats. Progent also offers the services of expert ransomware recovery engineers with the track record and perseverance to rebuild a breached network as quickly as possible.
Progent's Ransomware Recovery Services
Following a crypto-ransomware event, sending the ransom in Bitcoin does not guarantee that the remote criminals will hand over the keys needed to decrypt any of your files. Kaspersky found that 17% of crypto-ransomware victims never recovered their data even after paying the ransom, compounding their losses. Paying is also very expensive. Ryuk ransoms often range from 15 to 40 BTC (between $120,000 and $400,000 at the time), well above the typical crypto-ransomware demand, which ZDNet estimated at around $13,000 for smaller organizations. The alternative is to piece the mission-critical components of your IT environment back together. Without access to usable backups, this requires a wide range of skill sets, top-notch team management, and the willingness to work around the clock until the job is done.
For twenty years, Progent has offered certified expert IT services for companies throughout the U.S. and has achieved Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold top industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise in accounting and ERP application software. This breadth of experience allows Progent to quickly identify critical systems, consolidate the surviving pieces of your IT environment after a ransomware event, and rebuild them into a working system.
Progent's security team uses powerful project management tools to orchestrate the complex recovery process. Progent understands the importance of working quickly and in concert with a client's management and IT staff to prioritize tasks and get essential applications back online as soon as humanly possible.
Customer Story: A Successful Ransomware Intrusion Response
A business engaged Progent after its network was taken over by the Ryuk ransomware. Ryuk was at first attributed to North Korean state hackers because of its code overlap with the earlier Hermes ransomware, but subsequent analysis has generally attributed it to a Russian-speaking criminal group. Ryuk targets specific companies with little tolerance for operational disruption and is one of the most lucrative examples of crypto-ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company based in Chicago with around 500 employees. The Ryuk intrusion had halted all business operations and manufacturing. Most of the client's backups had been online when the attack began and were destroyed. The client was arranging financing to pay the ransom (in excess of $200K) and hoping for the best, but in the end called Progent.
"I cannot speak enough in regards to the support Progent provided us during the most stressful period of (our) company's life. We would have paid the cybercriminals if it wasn't for the confidence the Progent experts afforded us. That you could get our e-mail system and critical applications back online in fewer than five days was amazing. Every single expert I talked with or e-mailed at Progent was totally committed to getting my company operational and was working at breakneck pace on our behalf."
Progent worked hand in hand with the customer to quickly identify and prioritize the essential elements that needed to be recovered in order to restart company operations:
- Windows Active Directory
- Electronic mail
- MRP system
To get started, Progent followed incident response best practice by halting lateral movement and cleaning infected systems before restoring anything, so that recovered systems were not immediately re-encrypted. Progent then began bringing Windows Active Directory back online, the core of any environment built on Microsoft Windows Server: Exchange will not function without Active Directory, and the customer's MRP software used SQL Server, which relied on Active Directory authentication for access to its databases.
In less than two days, Progent recovered Active Directory to its pre-intrusion state. Progent then rebuilt and restored the storage of the key systems. Because the Exchange-related objects and attributes in Active Directory were intact, the Exchange rebuild was greatly simplified. Progent was also able to find intact OST files (Outlook Offline Data Files) on user workstations and use them to recover mail messages. A reasonably recent offline backup of the company's manufacturing systems made it possible to bring these essential applications back online. Although a large amount of work remained to recover fully from the Ryuk damage, the most important services were restored quickly:
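Recovering mail from workstation OST files, as described above, starts with finding out which workstations still hold an OST that predates the encryption. The following PowerShell script is an added example, not part of the case study or Progent's tooling; the hostnames and the encryption start time are assumptions, and it presumes PowerShell Remoting is enabled on the workstations and that Outlook keeps its cache in the default location.

```powershell
# Inventory Outlook OST files across workstations so that mailbox contents can be
# recovered from them when Exchange and its backups have been encrypted.
# Added example: hostnames and the cutoff time below are assumptions, not case-study data.
$Computers   = @('WS-001', 'WS-002')             # assumed workstation names
$EncryptedAt = Get-Date '2019-01-01 00:00:00'    # assumed moment the encryption began

$results = foreach ($c in $Computers) {
    Invoke-Command -ComputerName $c -ErrorAction Continue -ScriptBlock {
        # Default OST location for Outlook 2013 and later, one folder per user profile.
        Get-ChildItem -Path 'C:\Users\*\AppData\Local\Microsoft\Outlook' -Filter '*.ost' -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, FullName, Length, LastWriteTime
    }
}

# Keep only files last written before the encryption started and large enough to hold a
# real mailbox. An OST that was encrypted in place carries a new write time (and usually a
# new extension), so it is filtered out here; a renamed file never matched '*.ost' at all.
$candidates = $results |
    Where-Object { $_.LastWriteTime -lt $EncryptedAt -and $_.Length -gt 1MB } |
    Sort-Object Computer, FullName

$candidates | Format-Table Computer, FullName,
    @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB) } }, LastWriteTime -AutoSize

# Emit the list so it can be handed to whoever does the OST-to-PST conversion and import.
$candidates | Export-Csv -Path '.\ost-candidates.csv' -NoTypeInformation
```

Two caveats for anyone doing this in earnest: a timestamp check is a triage aid, not proof of integrity, since malware can alter file times, so open each candidate before relying on it; and an OST is bound to the mailbox profile that created it, so in practice the files are converted to PST with a conversion tool and then imported into the rebuilt mailboxes rather than opened directly.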
"For the most part, the production line operation did not miss a beat and we produced all customer sales."
Over the following month, the remaining milestones in the restoration project were completed in close collaboration between Progent team members and the client:
- Self-hosted web sites were brought back up with no loss of data.
- The MailStore Server archive, holding more than 4 million emails, was brought online and made available to users.
- CRM, product ordering, invoicing, accounts payable, accounts receivable, and inventory control were fully operational.
- A new Palo Alto Networks PA-850 firewall was brought online.
- Most of the desktops and laptops were back in use by staff.
"A huge amount of what went on in the initial days is nearly entirely a fog for me, but our team will not forget the urgency all of your team accomplished to give us our business back. I have been working with Progent for the past 10 years, possibly more, and every time Progent has impressed me and delivered as promised. This event was a testament to your capabilities."
A potential business catastrophe was averted thanks to results-oriented experts, a broad spectrum of subject matter expertise, and close collaboration. In the post mortem it was clear that the ransomware intrusion described here could have been detected and stopped with current security tooling and best practices: staff training, well-designed incident response procedures, offline backups, and timely security patching. Even so, state-sponsored and criminal attackers operating from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware attack, remember that Progent's team of professionals has extensive experience in ransomware prevention, mitigation, and data restoration.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thank you for allowing me to get some sleep after we got over the most critical parts. All of you did an impressive job, and if any of your team is around the Chicago area, a great meal is my treat!"
Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Expertise in Lower Manhattan
For ransomware cleanup consulting services in the Lower Manhattan area, phone Progent at 800-462-8800 or see Contact Progent.