Ransomware: Your Feared IT Catastrophe
Ransomware has become an escalating cyber pandemic that represents an enterprise-level threat for businesses poorly prepared for an attack. Successive generations of ransomware such as the CryptoLocker, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been replicating for years and continue to inflict destruction. More recent crypto-ransomware variants like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit and Nephilim, along with a daily stream of as yet unnamed newcomers, not only encrypt online files but also target any system protection mechanism they can reach. Data replicated to off-site disaster recovery sites can also be rendered useless. In a poorly architected system, this can make recovery impossible and effectively sets the entire environment back to square one.
Restoring services and information after a crypto-ransomware intrusion becomes a sprint against the clock as the targeted organization struggles to contain the spread, remove the crypto-ransomware, and bring enterprise-critical operations back. Because ransomware needs time to move laterally, attacks are frequently launched during nights and weekends, when a successful penetration is likely to go unnoticed for longer. This multiplies the difficulty of promptly mobilizing and organizing a capable mitigation team.
Progent makes available a variety of services for securing Cincinnati businesses from crypto-ransomware attacks. Among these are user training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of the latest generation security appliances with AI capabilities to rapidly discover and extinguish new threats. Progent also can provide the services of veteran crypto-ransomware recovery consultants with the track record and perseverance to restore a breached network as quickly as possible.
Progent's Crypto-Ransomware Restoration Help
After a ransomware event, even paying the ransom in Bitcoin does not guarantee that the distant criminals will provide the keys needed to decrypt any of your files. Kaspersky Labs determined that 17% of ransomware victims never recovered their files even after paying the ransom, compounding their losses. The gamble is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly above the average ransomware demand, which ZDNET determined to be in the range of $13,000 for small organizations. The alternative is to set up the vital components of your Information Technology environment from scratch. Without access to complete backups, this calls for a wide range of skills, professional team management, and the ability to work 24x7 until the task is complete.
For two decades, Progent has provided professional Information Technology services for businesses throughout the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who hold top industry certifications in foundation technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity engineers have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise in financial systems and ERP software solutions. This breadth of experience gives Progent the capability to knowledgeably identify critical systems, re-organize the surviving parts of your network after a ransomware attack, and assemble them into a functioning environment.
Progent's recovery team uses top-notch project management tools to orchestrate the complex restoration process. Progent understands the urgency of working swiftly and in unison with a customer's management and Information Technology team members to prioritize tasks and to get essential services back online as fast as humanly possible.
Client Case Study: A Successful Ransomware Intrusion Restoration
A client escalated to Progent after their network was taken over by Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state criminal gangs, possibly using algorithms leaked from America's NSA. Ryuk targets specific companies with limited tolerance for operational disruption and is one of the most profitable ransomware families. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing business located in the Chicago metro area with around 500 staff members. The Ryuk attack had disabled all business operations and manufacturing capabilities. The majority of the client's data backups had been online at the time of the attack and were damaged. The client was preparing to pay the ransom (exceeding $200K) and hoping for good luck, but in the end engaged Progent.
"I can't speak enough in regards to the care Progent provided us throughout the most fearful time of (our) company's survival. We may have had to pay the Hackers if not for the confidence the Progent group provided us. The fact that you could get our e-mail and critical applications back online sooner than a week was incredible. Every single person I talked with or e-mailed at Progent was absolutely committed to getting us back online and was working all day and night on our behalf."
Progent worked with the customer to quickly identify and prioritize the key elements that had to be restored in order to resume company operations:
- Active Directory (AD)
- Electronic Messaging
- MRP System
To get started, Progent followed ransomware incident mitigation best practices by isolating the affected systems and performing malware removal. Progent then began bringing Active Directory, the foundation of enterprise systems built on Microsoft Windows technology, back online. Microsoft Exchange Server email will not function without Active Directory, and the customer's financials and MRP system ran on Microsoft SQL Server, which relies on Active Directory for authentication and authorization to the databases.
In less than 2 days, Progent was able to rebuild Active Directory to its pre-infection state. Progent then began reinstallations and storage recovery for key applications. All Exchange schema and attributes were intact, which greatly simplified the rebuild of Exchange. Progent was also able to locate local OST files (Microsoft Outlook Offline Folder Files) on staff desktop computers and laptops in order to recover email data. A recent offline backup of the client's accounting/ERP systems made it possible to bring these vital applications back online. Although a great deal of work remained to recover fully from the Ryuk event, critical systems were returned to operation rapidly:
"For the most part, the production line operation never missed a beat and we made all customer orders."
Over the following few weeks, key milestones in the restoration process were reached through close cooperation between Progent engineers and the customer:
- In-house web sites were restored with no loss of information.
- The MailStore Exchange Server archive, containing more than 4 million historical messages, was brought online and made accessible to users.
- CRM/Customer Orders/Invoicing/AP/AR/Inventory Control modules were 100% functional.
- A new Palo Alto 850 firewall was brought online.
- Ninety percent of the desktop computers were functioning as before the incident.
"A huge amount of what was accomplished those first few days is mostly a haze for me, but I will not forget the urgency all of the team accomplished to help get our company back. I have been working with Progent for the past 10 years, possibly more, and each time Progent has come through and delivered. This time was a life saver."
A probable company-ending disaster was averted through the efforts of dedicated professionals, a wide range of subject matter expertise, and tight collaboration. In retrospect, the crypto-ransomware incident described here would have been blocked by current security solutions and best practices, staff education, and properly executed procedures for backup and software patching. The reality remains, however, that state-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a crypto-ransomware incident, you can be confident that Progent's team of experts has extensive experience in ransomware blocking, mitigation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), I'm grateful for allowing me to get rested after we made it past the initial push. All of you did an amazing effort, and if anyone is visiting the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)