Ransomware: Your Crippling Information Technology Catastrophe
Ransomware has become an escalating cyber pandemic that presents an existential danger for organizations vulnerable to an attack. Versions of ransomware such as Reveton, WannaCry, Locky, SamSam and MongoLock cryptoworms have been replicating for many years and continue to inflict damage. Newer crypto-ransomware families like Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Egregor, plus more unnamed newcomers, not only encrypt online files but also encrypt every backup they can reach on the network. Data synched to cloud environments can also be corrupted. Where the data protection solution is vulnerable in this way, the attack renders any recovery useless and effectively sets the network back to square one.
Getting programs and information back following a ransomware attack becomes a race against time as the targeted organization tries its best to stop the spread, remove the ransomware, and resume business-critical activity. Because crypto-ransomware needs time to replicate, attacks are usually launched during weekends and nights, when they typically take longer to detect. This compounds the difficulty of promptly marshalling and organizing a capable mitigation team.
Progent makes available an assortment of solutions for protecting Augusta-Richmond County businesses from crypto-ransomware events. Among these are staff training to recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus installation of the latest generation of security solutions with artificial intelligence technology to intelligently discover and suppress zero-day cyber attacks. Progent also can provide the assistance of veteran ransomware recovery professionals with the track record and perseverance to re-deploy a compromised environment as soon as possible.
Progent's Ransomware Restoration Help
Following a ransomware event, even paying the ransom demand in Bitcoin cryptocurrency provides no assurance that the attackers will return the keys needed to decrypt all your data. Kaspersky estimated that seventeen percent of ransomware victims never recovered their files even after having paid the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the average crypto-ransomware demand, which ZDNET estimated at approximately $13,000 for smaller organizations. The other path is to re-install the critical components of your Information Technology environment. Without essential data backups available, this requires a broad complement of skills, well-coordinated team management, and the willingness to work 24x7 until the task is done.
For two decades, Progent has offered expert IT services for businesses across the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have attained advanced certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have garnered internationally-renowned industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications). Progent in addition has expertise with financial management and ERP software solutions. This breadth of experience lets Progent knowledgeably identify the critical systems, organize the remaining pieces of your Information Technology environment following a crypto-ransomware attack, and configure them into a functioning system.
Progent's recovery team uses top-notch project management applications to coordinate the complicated restoration process. Progent knows the importance of acting quickly and in concert with a client's management and IT resources to prioritize tasks and to get key systems back online as fast as possible.
Case Study: A Successful Crypto-Ransomware Attack Restoration
A client engaged Progent after their network was attacked by Ryuk crypto-ransomware. Ryuk is generally considered to have been deployed by North Korean state hackers, suspected of using strategies leaked from the United States National Security Agency. Ryuk targets specific businesses with little ability to sustain disruption and is among the most lucrative instances of ransomware malware. High-profile victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company headquartered in the Chicago metro area with around 500 staff members. The Ryuk event had brought down all essential operations and manufacturing capabilities. Most of the client's system backups had been directly accessible at the time of the intrusion and were encrypted. The client was preparing to pay the ransom (exceeding $200,000) and hoping for good luck, but in the end engaged Progent.
"I can't say enough in regards to the support Progent gave us throughout the most stressful period of (our) business's existence. We may have had to pay the hackers behind this attack if not for the confidence the Progent group provided us. That you were able to get our e-mail system and important applications back online sooner than five days was earth shattering. Each consultant I interacted with or e-mailed at Progent was urgently focused on getting us working again and was working all day and night on our behalf."
Progent worked together with the client to quickly assess and prioritize the most important services that needed to be addressed to make it possible to continue company operations:
- Windows Active Directory
- Microsoft Exchange
To get going, Progent followed antivirus/malware incident-response best practices by stopping lateral movement and cleaning up infected systems. Progent then initiated the work of recovering Active Directory, the foundation of enterprise environments built upon Microsoft Windows Server technology. Microsoft Exchange email will not work without Windows AD, and the client's financials and MRP system used Microsoft SQL, which needs Windows AD for access to the databases.
Within 48 hours, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then helped perform setup and storage recovery on essential systems. All Exchange Server ties and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was able to locate non-encrypted OST files (Outlook Offline Data Files) on various PCs and laptops in order to recover email information. A recent offline backup of the client's financials/ERP software allowed these essential applications to be brought back online for users. Although a large amount of work remained to recover completely from the Ryuk virus, essential services were recovered rapidly:
"For the most part, the manufacturing operation ran fairly normal throughout and we did not miss any customer shipments."
Throughout the next couple of weeks, critical milestones in the recovery project were reached in tight cooperation between Progent engineers and the customer:
- Internal web sites were returned to operation without losing any data.
- The MailStore Server with over 4 million archived messages was brought on-line and available for users.
- CRM/Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory Control capabilities were 100 percent restored.
- A new Palo Alto Networks 850 firewall was brought online.
- Ninety percent of the user desktops were back into operation.
"A lot of what went on in the early hours is mostly a blur for me, but my team will not soon forget the care each and every one of the team accomplished to help get our business back. I have trusted Progent for the past 10 years, possibly more, and each time I needed help Progent has come through and delivered as promised. This situation was a Herculean accomplishment."
A probable business extinction catastrophe was dodged by dedicated experts, a wide spectrum of subject matter expertise, and tight teamwork. In hindsight, the ransomware attack described here would have been stopped by up-to-date security technology solutions and NIST Cybersecurity Framework best practices, staff education, and well thought out security procedures for information backup and applying software patches; the reality, however, is that state-sponsored hackers from Russia, North Korea and elsewhere are relentless and remain an ongoing threat. If you do get hit by a ransomware virus, feel confident that Progent's roster of professionals has substantial experience in ransomware virus blocking, remediation, and file restoration.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thanks very much for allowing me to get some sleep after we got through the initial fire. Everyone did an impressive effort, and if any of your team is in the Chicago area, a great meal is my treat!"
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)