Ransomware: Your Worst IT Nightmare
Ransomware has become an escalating cyber pandemic that poses an existential threat to organizations poorly prepared for an attack. Multiple generations of ransomware such as Dharma, WannaCry, Locky, SamSam and MongoLock cryptoworms have been circulating for years and continue to inflict harm. More recent strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, plus as yet unnamed newcomers, not only encrypt online data but also go after every reachable layer of system protection, such as online backups. Information synced to cloud environments can also be rendered useless. In a poorly architected system, this makes automatic restore operations hopeless and effectively knocks the network back to square one.
Getting services and data back online after a ransomware event becomes a race against the clock as the targeted business struggles to stop the spread, eradicate the ransomware and resume business-critical operations. Because ransomware needs time to replicate, attacks are usually launched on weekends and holidays, when successful penetrations often take longer to identify. This compounds the difficulty of quickly assembling and coordinating a capable mitigation team.
Progent provides a variety of solutions for securing Lower Manhattan enterprises against crypto-ransomware penetrations. These include user education to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of the latest generation of security appliances with AI technology to automatically discover and suppress zero-day threats. Progent also provides the services of seasoned ransomware recovery professionals with the track record and perseverance to reconstruct a compromised system as rapidly as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware attack, even paying the ransom in cryptocurrency provides no assurance that the cyber criminals will supply the keys to decrypt any of your data. Kaspersky found that 17% of ransomware victims never recovered their files after sending off the ransom, resulting in further losses. Paying is also costly: Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000). This is well above the average ransomware demand, which ZDNET estimated to be around $13,000 for smaller organizations. The alternative is to set up the critical elements of your IT environment from scratch. Without complete data backups, this requires a broad range of skill sets, top-notch team management, and the capability to work non-stop until the job is complete.
For decades, Progent has provided professional Information Technology services to companies throughout the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who hold advanced industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with accounting and ERP application software. This breadth of expertise gives Progent the capability to rapidly identify the necessary systems, reorganize the surviving pieces of your IT environment following a crypto-ransomware attack, and assemble them into an operational network.
Progent's security team deploys best-of-breed project management tools to orchestrate the complex restoration process. Progent understands the urgency of acting quickly and in unison with a client's management and IT resources to prioritize tasks and get critical systems back online as soon as possible.
Client Story: A Successful Ransomware Virus Response
A client engaged Progent after their organization was penetrated by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state-sponsored criminal gangs, possibly adopting technology leaked from America's NSA. Ryuk targets specific companies with little tolerance for disruption and is among the most lucrative incarnations of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing business based in the Chicago metro area with about 500 employees. The Ryuk intrusion had disabled all essential operations and manufacturing processes. Most of the client's system backups had been online at the start of the attack and were destroyed. The client was preparing to pay the ransom (in excess of $200K) and hope for the best, but ultimately brought in Progent.
"I cannot thank you enough in regards to the care Progent gave us throughout the most fearful period of (our) business's existence. We most likely would have paid the cybercriminals if not for the confidence the Progent experts provided us. That you were able to get our e-mail system and critical servers back on-line in less than one week was incredible. Each expert I spoke to or texted at Progent was totally committed to getting us restored and was working at all hours on our behalf."
Progent worked together with the client to rapidly understand and prioritize the critical services that had to be restored to allow company functions to continue:
- Active Directory (AD)
- Microsoft Exchange Email
- Accounting and Manufacturing Software
To start, Progent followed industry best practices for ransomware incident response by halting lateral movement and disinfecting systems. Progent then began the work of restoring Windows Active Directory, the foundation of enterprise systems built on Microsoft technology. Microsoft Exchange messaging will not function without Windows AD, and the customer's financials and MRP software relied on Microsoft SQL, which in turn needs Windows AD for access to the database.
Within two days, Progent was able to recover Active Directory to its pre-penetration state. Progent then completed setup and storage recovery for mission-critical applications. All Exchange Server schema and configuration information was intact, which simplified the rebuild of Exchange. Progent was also able to locate local OST files (Microsoft Outlook Offline Folder Files) on staff PCs in order to recover email data. A reasonably recent offline backup of the customer's accounting/MRP systems made it possible to bring these essential services back online. Although a large amount of work remained to recover completely from the Ryuk damage, the most important services were returned to operation quickly:
"For the most part, the production line operation never missed a beat and we delivered all customer shipments."
Over the next couple of weeks, critical milestones in the recovery project were accomplished in close collaboration between Progent engineers and the customer:
- Self-hosted web sites were brought back up with no loss of information.
- The MailStore Server with over four million archived messages was brought on-line and available for users.
- CRM/Orders/Invoicing/AP/AR/Inventory functions were fully operational.
- A new Palo Alto 850 security appliance was deployed.
- Nearly all of the desktops and laptops were back in use by staff.
"A huge amount of what went on in the initial days is mostly a fog for me, but I will not forget the commitment each of the team accomplished to help get our business back. I've utilized Progent for at least 10 years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered. This situation was a stunning achievement."
A potentially enterprise-killing disaster was averted through the efforts of dedicated professionals, a broad array of knowledge, and close teamwork. Although in retrospect the ransomware incident detailed here would have been prevented with current cyber security systems and ISO/IEC 27001 best practices, user training, and properly executed procedures for data backup and software patching, the reality is that state-sponsored cybercriminals from Russia, China and elsewhere are relentless and an ongoing threat. If you do fall victim to a ransomware incursion, remember that Progent's roster of professionals has proven experience in crypto-ransomware blocking, removal, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were involved), thanks very much for allowing me to get rested after we made it past the initial push. All of you did an incredible job, and if anyone that helped is in the Chicago area, a great meal is my treat!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer story, see Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).