Ransomware : Your Crippling IT Catastrophe
Ransomware has become an all-too-frequent cyberplague that poses an extinction-level threat to businesses of any size that are vulnerable to an attack. Earlier families of ransomware such as Reveton, Fusob, Locky, Syskey and MongoLock have been circulating for a long time and continue to inflict harm. Modern crypto-ransomware variants like Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, along with new and as yet unnamed strains that appear daily, not only encrypt online data files but also go after whatever system protection mechanisms are configured. Data replicated to the cloud can be corrupted as well. In a vulnerable environment, this can make automated recovery hopeless and effectively set the datacenter back to zero.
Getting applications and data back after a ransomware outage becomes a race against the clock as the targeted organization struggles to contain the damage, eradicate the ransomware, and restore mission-critical activity. Because crypto-ransomware needs time to move laterally, attacks are often launched on weekends, when intrusions tend to go unnoticed for longer. This compounds the difficulty of rapidly mobilizing and coordinating a capable response team.
Progent offers a variety of services for protecting Cincinnati businesses from crypto-ransomware incidents. These include staff training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security gateways with artificial intelligence capabilities to rapidly detect and contain zero-day threats. Progent also provides the assistance of veteran ransomware recovery professionals with the track record and perseverance to restore a compromised system as quickly as possible.
Progent's Crypto-Ransomware Restoration Support Services
After a ransomware intrusion, even paying the ransom in cryptocurrency offers no assurance that the criminal gang will respond with the keys to decrypt any of your files. Kaspersky Labs found that 17% of ransomware victims never recovered their files after paying the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than typical ransomware demands, which ZDNET estimated at approximately $13,000 for smaller organizations. The alternative is to piece the essential components of your IT environment back together. Without complete data backups, this calls for a wide range of skills, well-coordinated team management, and the capability to work 24x7 until the job is complete.
For decades, Progent has provided expert IT services to companies throughout the US and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who hold advanced industry certifications in key technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security engineers hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with accounting and ERP software solutions. This breadth of expertise gives Progent the capability to identify critical systems, consolidate the remaining pieces of your network after a crypto-ransomware event, and configure them into a functioning system.
Progent's ransomware team uses state-of-the-art project management tools to coordinate the complex restoration process. Progent understands the urgency of working swiftly and in concert with a client's management and IT staff to prioritize tasks and bring key services back online as fast as humanly possible.
Customer Case Study: A Successful Crypto-Ransomware Incident Restoration
A small business contacted Progent after their organization was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state-sponsored hackers, possibly adopting algorithms leaked from the U.S. NSA. Ryuk targets specific businesses with limited tolerance for disruption and is one of the most profitable variants of crypto-ransomware. Notable targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer headquartered in Chicago with about 500 employees. The Ryuk intrusion had disabled all business operations and manufacturing processes. Most of the client's data backups had been online at the start of the intrusion and were damaged. The client was pursuing financing to pay the ransom (more than two hundred thousand dollars) and hoping for good luck, but in the end reached out to Progent.
"I can't tell you enough about the expertise Progent gave us during the most stressful period of (our) company's survival. We had little choice but to pay the cyber criminals if not for the confidence the Progent team gave us. That you could get our e-mail and important servers back in less than five days was amazing. Every single expert I got help from or messaged at Progent was absolutely committed to getting us restored and was working at breakneck pace on our behalf."
Progent worked hand in hand with the client to quickly assess and prioritize the critical elements that had to be recovered in order to resume departmental operations:
- Active Directory
- Accounting and Manufacturing Software
To begin, Progent followed industry best practices for ransomware incident mitigation by stopping lateral movement and disinfecting systems. Progent then began the task of restoring Windows Active Directory, the core technology of enterprise environments built on Microsoft Windows Server. Microsoft Exchange Server email will not function without Windows AD, and the business's financials and MRP system relied on Microsoft SQL Server, which requires Active Directory services for access to the data.
Within 48 hours, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then carried out setup and storage recovery of essential systems. All Exchange Server data and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was also able to gather the local OST files (Outlook Offline Folder Files) from staff desktop computers and laptops in order to recover email data. A fairly recent offline backup of the client's financials/MRP systems made it possible to bring these essential applications back online. Although a great deal of work still remained to recover fully from the Ryuk event, critical systems were recovered rapidly:
"For the most part, the assembly line operation did not miss a beat and we made all customer orders."
Over the next couple of weeks, important milestones in the recovery project were reached through close cooperation between Progent consultants and the client:
- Internal web applications were returned to operation with no loss of information.
- The MailStore Server containing more than four million historical emails was brought online and accessible to users.
- CRM/Product Ordering/Invoices/Accounts Payable (AP)/AR/Inventory functions were fully functional.
- A new Palo Alto 850 firewall was set up.
- Ninety percent of the user desktops and notebooks were fully operational.
"So much of what happened that first week is nearly entirely a haze for me, but my management will not forget the commitment all of you put in to help get our company back. I have trusted Progent for the past 10 years, possibly more, and each time Progent has come through and delivered as promised. This event was no exception but maybe more Herculean."
A likely business-killing catastrophe was averted thanks to top-tier professionals, a wide array of knowledge, and tight collaboration. Although in hindsight the ransomware incident described here could have been prevented with current security systems and best practices, user training, and appropriate incident response procedures for data backup and patching controls, the reality remains that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and an ongoing threat. If you do fall victim to ransomware, be assured that Progent's team of experts has a proven track record in ransomware blocking, removal, and information systems restoration.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thanks very much for allowing me to get rested after we got through the initial push. All of you put in an amazing effort, and if any of you guys are around the Chicago area, dinner is on me!"
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this case study, see Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF, 282 KB).