Ransomware: Your Crippling IT Disaster
Ransomware has become an all-too-frequent cyberplague that presents an extinction-level threat for organizations poorly prepared for an assault. Multiple generations of ransomware such as the CrySIS, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been around for years and still inflict destruction. Modern crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, plus a steady stream of unnamed newcomers, not only encrypts on-line files but also attacks any system protection it can reach. Data synchronized to the cloud can also be rendered useless. In a poorly architected environment, this can make automated recovery hopeless and effectively knock the datacenter back to square one.
Restoring applications and information after a crypto-ransomware attack becomes a race against time as the victim tries to stop the spread, clean up the crypto-ransomware, and restore mission-critical operations. Because crypto-ransomware needs time to spread, attacks are usually launched during nights and weekends, when successful penetrations tend to take longer to identify. This multiplies the difficulty of rapidly marshalling and orchestrating a capable mitigation team.
Progent provides an assortment of services for securing Fresno organizations against crypto-ransomware events. These include staff training to help employees recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of next-generation security solutions with AI capabilities to quickly detect and disable zero-day cyber attacks. Progent also provides the assistance of experienced ransomware recovery consultants with the talent and perseverance to restore a breached system as quickly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware attack, even paying the ransom in cryptocurrency does not ensure that the cyber criminals will hand over the keys to decrypt any of your information. Kaspersky ascertained that 17% of ransomware victims never restored their information after having paid the ransom, resulting in further losses. The ransom itself is also very costly. Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000). This is far higher than the average ransomware demand, which ZDNET determined to be around $13,000 for smaller businesses. The fallback is to piece back together the essential elements of your IT environment. Without access to complete information backups, this requires a broad range of IT skills, top-notch project management, and the willingness to work 24x7 until the task is done.
For twenty years, Progent has offered certified expert Information Technology services for businesses throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have attained advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have garnered internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has experience in financial management and ERP application software. This breadth of experience gives Progent the ability to rapidly identify important systems, integrate the remaining pieces of your Information Technology environment after a ransomware attack, and configure them into an operational system.
Progent's ransomware team deploys top-notch project management systems to coordinate the complicated recovery process. Progent understands the urgency of working swiftly and together with a customer's management and IT team members to prioritize tasks and to put key services back on-line as soon as humanly possible.
Case Study: A Successful Crypto-Ransomware Penetration Restoration
A business escalated to Progent after their company was crashed by the Ryuk ransomware virus. Ryuk is believed to have been developed by North Korean state-sponsored cybercriminals, suspected of adopting techniques leaked from the United States NSA. Ryuk goes after specific businesses with little or no ability to sustain operational disruption and is one of the most lucrative instances of ransomware malware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing company headquartered in the Chicago metro area with around 500 workers. The Ryuk attack had paralyzed all essential operations and manufacturing capabilities. Most of the client's information backups had been on-line at the time of the attack and were encrypted. The client was evaluating paying the ransom demand (more than two hundred thousand dollars) and hoping for good luck, but ultimately called Progent.
"I cannot speak enough about the expertise Progent gave us during the most fearful time of (our) company's life. We would have had little choice but to pay the hackers if not for the confidence the Progent group provided us. The fact that you could get our e-mail system and important applications back into operation in less than 1 week was beyond my wildest dreams. Every single expert I worked with or texted at Progent was amazingly focused on getting us operational and was working 24 by 7 on our behalf."
Progent worked with the client to rapidly assess and prioritize the essential applications that had to be recovered to make it possible to resume company operations:
- Windows Active Directory
- Accounting and Manufacturing Software
To start, Progent followed ransomware incident response best practices by stopping lateral movement and cleaning up infected systems. Progent then began the task of recovering Active Directory, the core of enterprise networks built on Microsoft technology. Microsoft Exchange Server email will not function without Active Directory, and the client's financial and MRP applications used Microsoft SQL Server, which depends on Windows AD for access to the information.
In less than 2 days, Progent was able to restore Active Directory services to their pre-virus state. Progent then assisted with reinstallation and storage recovery of mission-critical applications. All Exchange Server ties and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to collect non-encrypted OST files (Outlook Offline Data Files) on user PCs in order to recover mail messages. A fairly recent off-line backup of the customer's accounting/ERP software allowed these required applications to be brought back online for users. Although a lot of work remained to recover completely from the Ryuk virus, critical systems were recovered rapidly:
"For the most part, the manufacturing operation was never shut down and we made all customer sales."
During the following couple of weeks, important milestones in the recovery process were completed through close cooperation between Progent team members and the customer:
- Internal web sites were restored without losing any data.
- The MailStore Microsoft Exchange Server with over 4 million historical emails was brought on-line and accessible to users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivables/Inventory Control modules were completely operational.
- A new Palo Alto Networks 850 security appliance was set up.
- Nearly all of the user PCs were fully operational.
"A huge amount of what went on in the early hours is mostly a haze for me, but our team will not forget the dedication each of the team put in to help get our business back. I have entrusted Progent for the past 10 years, possibly more, and each time I needed help Progent has come through and delivered as promised. This event was a stunning achievement."
A probable business-ending disaster was avoided with top-tier experts, a wide spectrum of knowledge, and tight teamwork. Although forensics showed afterward that the crypto-ransomware penetration detailed here could have been identified and disabled with current security solutions, ISO/IEC 27001 best practices, staff training, and well-designed incident response procedures for data protection and proper patching controls, the reality is that government-sponsored cybercriminals from China, North Korea and elsewhere are relentless and remain an ongoing threat. If you do get hit by a ransomware attack, remember that Progent's roster of experts has proven experience in ransomware virus blocking, remediation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were contributing), I'm grateful for letting me get rested after we made it past the most critical parts. All of you did an incredible effort, and if any of your team is around the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this ransomware incident report, see:
Progent's Ransomware Incident Recovery Case Study Datasheet (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Expertise in Fresno
For ransomware system recovery consulting services in the Fresno metro area, call Progent at 800-462-8800 or visit Contact Progent.