Ransomware: Your Feared Information Technology Disaster
Ransomware has become an all-too-frequent cyber pandemic and poses an extinction-level threat to any business that is vulnerable to it. Older families such as Dharma, WannaCry, Locky, NotPetya and MongoLock have been circulating for years and still cause damage. Newer strains such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Snatch and Egregor, along with many less well-known variants, not only encrypt online data but also seek out and encrypt or delete every backup they can reach. Data that is continuously synchronized to the cloud is encrypted along with the local copy. In a poorly designed environment, where no backup is kept offline or immutable, this can make recovery impossible and effectively sets the entire organization back to square one.
Recovering systems and data after a ransomware intrusion becomes a race against the clock as the targeted organization struggles to stop the spread, eradicate the malware and restore business-critical operations. Because the attackers need time to move laterally and stage the encryption, the payload is frequently detonated on a weekend or holiday, when fewer staff are watching and a successful attack is likely to go unnoticed for longer. This compounds the difficulty of rapidly assembling and coordinating a qualified response team.
Progent offers a range of services for protecting Augusta-Richmond County organizations from ransomware attacks. These include training that teaches staff to recognize and avoid phishing, and ProSight Active Security Monitoring (ASM), an endpoint detection and response (EDR) service built on SentinelOne's behavior-based threat defense to detect and quarantine zero-day and other modern malware. Progent can also provide seasoned ransomware recovery professionals with the skill and perseverance to rebuild a compromised environment as quickly as possible.
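As an added illustration of the behavioral signal that EDR and file-server monitoring look for (this is example code written for this page, not Progent's or SentinelOne's tooling), the script below scans constructed file-server audit lines for one account renaming many files to the same new extension within a minute, and rates the alert critical when the burst starts outside business hours, for the weekend-timing reason given above. The log format, the account names, the window and threshold values, and the business-hours schedule are all assumptions made for the example; the .RYK extension in the constructed burst is the one Ryuk appended to files it encrypted.

```python
"""Burst-rename detector over constructed file-server audit lines."""
import os
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window per account (assumed tuning)
THRESHOLD = 20                   # files renamed to one new extension inside WINDOW

# Accounts that legitimately rename files in bulk (backup jobs, archivers).
# The name is an assumption for this example, not from the page.
ALLOWLIST = {"CORP\\svc_backup"}


def business_hours(ts):
    """True for Monday-Friday 07:00-19:00 local time (assumed schedule)."""
    return ts.weekday() < 5 and 7 <= ts.hour < 19


def parse_line(line):
    """Parse 'timestamp | account | host | action | detail' (assumed log format)."""
    ts, account, host, action, detail = [f.strip() for f in line.split("|", 4)]
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "host": host, "action": action, "detail": detail}


def new_extension(detail):
    """For a rename recorded as 'old -> new', return the new name's extension."""
    if "->" not in detail:
        return None
    new_name = detail.split("->", 1)[1].strip()
    return os.path.splitext(new_name)[1].lower()


def detect_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per account that renamed >= threshold files to the
    same new extension within `window`. Off-hours bursts are rated critical."""
    renames = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["action"] == "RENAME" and ev["account"] not in ALLOWLIST:
            renames[ev["account"]].append(ev)

    alerts = []
    for account, evs in renames.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window's left edge until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            in_window = evs[start:end + 1]
            ext, count = Counter(new_extension(e["detail"])
                                 for e in in_window).most_common(1)[0]
            if count >= threshold:
                first_seen = in_window[0]["ts"]
                alerts.append({
                    "account": account,
                    "hosts": sorted({e["host"] for e in in_window}),
                    "extension": ext,
                    "files": count,
                    "first_seen": first_seen.isoformat(),
                    # A burst nobody is around to see needs the fastest response.
                    "severity": "high" if business_hours(first_seen) else "critical",
                })
                break  # one alert per account; the next step is to isolate it
    return alerts


def build_sample_log():
    """Constructed audit lines: routine weekday activity, an allowlisted backup
    job, and a Saturday 02:14 burst renaming CAD files to .RYK."""
    lines = [
        "2019-06-13T10:02:11 | CORP\\jdoe | FS01 | RENAME | Finance\\draft.xlsx -> Finance\\Q2.xlsx",
        "2019-06-13T10:05:47 | CORP\\jdoe | FS01 | WRITE | Finance\\Q2.xlsx",
        "2019-06-13T23:00:00 | CORP\\svc_backup | FS01 | RENAME | Backups\\full.bak -> Backups\\full.bak.old",
    ]
    t0 = datetime(2019, 6, 15, 2, 14, 0)  # a Saturday
    for i in range(25):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} | CORP\\mrp_svc | FS01 | RENAME | "
                     f"Eng\\part{i:03d}.dwg -> Eng\\part{i:03d}.dwg.RYK")
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_log()):
        print(alert)
```

Run the script directly to print the single constructed alert. Tune WINDOW, THRESHOLD and ALLOWLIST to your environment and feed real file-server or EDR telemetry through parse_line; the point is the signal, one account touching many files with a new extension within seconds, not the particular numbers.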
Progent's Ransomware Recovery Services
After a ransomware attack, paying the ransom in Bitcoin does not guarantee that the criminals will hand over the keys needed to decrypt all of your data. Kaspersky Lab found that 17% of ransomware victims never recovered their files even after paying, compounding their losses. The gamble is also expensive: Ryuk demands typically range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet estimated at around $13,000 for smaller organizations. The alternative is to piece the mission-critical parts of your IT environment back together. Without complete, uncompromised backups, that requires a wide range of skills, professional project management, and the willingness to work around the clock until the job is done.
For twenty years, Progent has provided professional IT services to businesses across the U.S. and has earned Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team includes professionals who hold advanced industry certifications in leading technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cybersecurity specialists hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC and SANS GIAC (see Progent's certifications). Progent also has experience with accounting and ERP application software. This breadth of experience allows Progent to quickly understand critical systems, reorganize the surviving parts of your network after a ransomware event and bring them back together as a working whole.
Progent's recovery team uses top-tier project management tools to orchestrate the complex recovery process. Progent understands the importance of working quickly and in concert with a customer's management and IT staff to prioritize tasks and bring critical applications back online as fast as possible.
Case Study: A Successful Ransomware Penetration Recovery
A small business contacted Progent after its network was brought down by the Ryuk ransomware. Early analyses linked Ryuk to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; later research attributed it to a Russian-speaking criminal group. Ryuk targets specific organizations with little tolerance for operational disruption and is one of the most lucrative ransomware operations. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer based in Chicago with about 500 employees. The Ryuk intrusion had halted company operations and manufacturing processes. Most of the client's backups had been online when the attack started and were destroyed. The client was preparing to pay the ransom (more than $200,000) and hope for the best, but instead engaged Progent.
"I cannot speak highly enough of the care Progent gave us throughout the most fearful time of (our) business's survival. We would have had little choice but to pay the cybercriminals if not for the confidence the Progent group gave us. That you were able to get our e-mail system and key applications back in less than a week was earth shattering. Each person I spoke to or texted at Progent was laser focused on getting our company operational and was working at all hours to bail us out."
Progent worked hand in hand with the client to quickly identify and prioritize the critical areas that had to be recovered in order to restart business operations:
- Microsoft Active Directory
- MRP system
First, Progent followed incident response best practices by halting lateral movement and cleaning the malware from affected systems. Progent then began recovering Microsoft Active Directory (AD), the foundation of an enterprise environment built on Microsoft technology: Microsoft Exchange cannot operate without AD, and the client's MRP system ran on Microsoft SQL Server, which depended on AD authentication for access to its data.
In less than two days, Progent restored Active Directory to its pre-attack state. Progent then rebuilt and performed disk recovery on the systems that needed it. All Microsoft Exchange Server relationships and configuration data were intact, which simplified the Exchange restore. Progent was also able to gather intact OST files (Outlook offline data files) from staff desktops and laptops to recover mailbox contents. A reasonably recent offline backup of the business's accounting/ERP software made it possible to bring those essential applications back online for users. Although substantial work remained to recover fully from the Ryuk incident, core systems were returned to service quickly:
"For the most part, the production line operation was never shut down and we delivered all customer sales."
Over the following couple of weeks, key milestones in the restoration were reached through close cooperation between Progent engineers and the client:
- In-house web applications were returned to operation with no loss of data.
- The MailStore e-mail archive server holding more than four million historical messages was brought online and made available to users.
- CRM, product ordering, invoicing, accounts payable, accounts receivable and inventory functions were 100% operational.
- A new Palo Alto Networks PA-850 firewall was deployed.
- Nearly all of the desktop computers were operational.
"Much of what occurred that first week is mostly a haze for me, but my team will not soon forget the urgency with which all of your team worked to give us our company back. I've trusted Progent for at least 10 years, maybe more, and each time Progent has impressed me and delivered. This time was a stunning achievement."
A likely company-ending catastrophe was averted through hard-working professionals, a wide range of expertise and tight teamwork. Post-incident forensics showed that the attack described here should have been stopped by current security tooling and best practices, user education, and properly executed procedures for data backup and software patching. Even so, state-sponsored attackers and criminal groups from China, North Korea and elsewhere are relentless and are not going away. If you are hit by a ransomware incident, remember that Progent's team has a proven track record in ransomware defense, remediation and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were involved), thanks very much for letting me get some sleep after we got over the initial fire. All of you made a fabulous effort, and if anyone who helped is visiting the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this customer case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Services in Augusta-Richmond County
For ransomware recovery consulting in the Augusta-Richmond County area, call Progent at 800-462-8800 or visit Contact Progent.