Ransomware : Your Crippling IT Nightmare
Ransomware has become an escalating cyber pandemic that poses an enterprise-level danger to businesses of all sizes that are poorly prepared for an attack. Multiple generations of crypto-ransomware such as the CryptoLocker, Fusob, Locky, Syskey and MongoLock cryptoworms have been circulating for a long time and still cause harm. More recent crypto-ransomware families such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, along with a steady stream of unnamed malware, not only encrypt online data but also go after every reachable backup and protection mechanism. Data synchronized to the cloud can be rendered useless as well. In a poorly designed environment this can make recovery impossible and effectively reset the network to zero.
Bringing applications and data back online after a crypto-ransomware event becomes a race against time as the targeted organization struggles to stop the spread, eradicate the ransomware, and resume mission-critical activity. Because ransomware needs time to spread, attacks are usually launched on nights and weekends, when a successful intrusion tends to take longer to notice. This compounds the difficulty of quickly assembling and organizing a knowledgeable response team.
Progent offers a variety of services for protecting Portland businesses from ransomware attacks. These include staff training to recognize and avoid phishing, and ProSight Active Security Monitoring, an endpoint detection and response service that uses SentinelOne's AI-based cyberthreat defense to detect and disable zero-day malware attacks. Progent also provides experienced ransomware recovery consultants with the track record and commitment to restore a compromised system as soon as possible.
Progent's Ransomware Recovery Support Services
After a crypto-ransomware attack, even paying the ransom in Bitcoin does not guarantee that the remote criminals will hand over the keys to decrypt any of your data. Kaspersky determined that seventeen percent of ransomware victims never recovered their files even after paying the ransom, compounding their losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is far above the average ransomware demand, which ZDNET estimated at around $13,000 for smaller organizations. The fallback is to rebuild the key parts of your IT environment. Without essential data backups, this requires a wide range of skills, professional team management, and the ability to work around the clock until the job is done.
For two decades, Progent has provided professional IT services to businesses throughout the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who hold top certifications in leading technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cyber security consultants hold internationally recognized certifications including CISA, CISSP, CRISC and GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial management and ERP application software. This breadth of experience lets Progent rapidly identify the systems that matter, salvage the remaining pieces of your IT environment after a ransomware attack, and reassemble them into an operational network.
Progent's recovery group uses state-of-the-art project management tools to orchestrate the complex recovery process. Progent understands the urgency of acting quickly and in unison with a client's management and IT team to prioritize tasks and to bring key systems back online as soon as humanly possible.
Customer Case Study: A Successful Ransomware Virus Restoration
A client contacted Progent after their organization was brought down by Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean government-sponsored criminal gangs, possibly using technology leaked from the U.S. National Security Agency. Ryuk targets specific companies with little or no tolerance for operational disruption and is among the most lucrative strains of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company based in the Chicago metro area with around 500 employees. The Ryuk event had brought down all business operations and manufacturing capabilities. Most of the client's backups had been directly accessible online at the time of the attack and were eventually encrypted as well. The client considered paying the ransom (exceeding $200K) and hoping for the best, but in the end called Progent.
"I cannot thank you enough for the help Progent gave us throughout the most fearful period of (our) business's existence. We would have had little choice but to pay the hackers behind this attack if not for the confidence the Progent group gave us. That you could get our e-mail and production applications back online in less than one week was earth-shattering. Each expert I talked with or communicated with at Progent was urgently focused on getting us working again and was working day and night on our behalf."
Progent worked together with the customer to rapidly assess and prioritize the critical services that had to be recovered in order to continue company operations:
- Active Directory
- Exchange Server
To start, Progent followed ransomware incident mitigation best practices by stopping the spread and cleaning infected systems. Progent then began bringing Microsoft Active Directory back online, since it is the core of enterprise environments built on Microsoft technology. Microsoft Exchange email will not function without Windows AD, and the company's financial and MRP applications used SQL Server, which relied on Windows AD to authenticate users to the database.
In less than two days, Progent restored Windows Active Directory to its pre-intrusion state. Progent then pressed ahead with rebuilding critical systems and recovering their hard drives. All Exchange Server data and attributes were usable, which simplified the restore of Exchange. Progent was able to collect non-encrypted OST files (Outlook Offline Folder Files) from staff PCs in order to recover mail messages. A recent offline backup of the customer's accounting/MRP software made it possible to bring these essential applications back into service. Although major work remained to recover completely from the Ryuk attack, core services were restored rapidly:
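Recovering mail from workstation OST files, as described above, starts with finding the copies that were not encrypted. The following triage script is an added example and is not Progent's tooling; it relies on the documented Outlook data file header (MS-PST: the file begins with the bytes `!BDN` and carries `SM` at offset 8) to tell an intact OST/PST from one whose header has been overwritten by ciphertext, and it builds a constructed sample tree so it runs offline.

```python
import math
import os
import tempfile
from pathlib import Path

# Outlook data files (PST/OST) begin with dwMagic "!BDN" and carry the
# client magic "SM" at byte offset 8 (MS-PST specification).
PST_MAGIC = b"!BDN"
CLIENT_MAGIC_OFFSET = 8
CLIENT_MAGIC = b"SM"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: structured plaintext scores well below 8, ciphertext near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_outlook_file(path: Path, sample: int = 4096) -> str:
    """Return 'intact', 'encrypted' or 'unknown' for one .ost/.pst file."""
    with open(path, "rb") as fh:
        head = fh.read(sample)
    if head[:4] == PST_MAGIC and head[CLIENT_MAGIC_OFFSET:CLIENT_MAGIC_OFFSET + 2] == CLIENT_MAGIC:
        return "intact"
    # Header gone: a near-uniform byte distribution points to encryption
    if shannon_entropy(head) > 7.5:
        return "encrypted"
    return "unknown"  # e.g. truncated or zero-filled, needs a manual look

def triage_mailbox_files(root: Path) -> dict:
    """Walk a mounted workstation volume and bucket Outlook data files by state."""
    result = {"intact": [], "encrypted": [], "unknown": []}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in (".ost", ".pst"):
            result[classify_outlook_file(p)].append(str(p))
    return result

def build_sample_tree() -> Path:
    """Constructed sample data (not real mailboxes): intact, encrypted, unknown."""
    root = Path(tempfile.mkdtemp(prefix="ost_triage_"))
    intact = PST_MAGIC + b"\x00" * 4 + CLIENT_MAGIC + b"\x24\x00" + b"\x00" * 500
    (root / "alice" / "Outlook").mkdir(parents=True)
    (root / "alice" / "Outlook" / "alice@example.com.ost").write_bytes(intact)
    (root / "bob").mkdir()
    (root / "bob" / "bob@example.com.ost").write_bytes(os.urandom(4096))
    (root / "bob" / "archive.pst").write_bytes(b"\x00" * 64)
    return root
```

Point `triage_mailbox_files` at a mounted image of each workstation's user profile volume; only files in the "intact" bucket are worth importing, and the "unknown" bucket is where a human should look before discarding anything.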
"For the most part, the assembly line operation was never shut down and we delivered all customer shipments."
Over the following weeks, important milestones in the recovery were reached through close cooperation between Progent team members and the customer:
- In-house web sites were brought back up without losing any information.
- The MailStore Exchange Server, holding more than four million historical emails, was brought back online and made accessible to users.
- The CRM, Product Ordering, Invoicing, AP, Accounts Receivable (AR) and Inventory Control modules were fully restored.
- A new Palo Alto 850 firewall was installed and configured.
- Most user workstations were back in operation.
"Much of what went on those first few days is mostly a fog for me, but my management will not soon forget the urgency each and every one of your team accomplished to help get our company back. I have trusted Progent for at least 10 years, maybe more, and every time Progent has come through and delivered. This situation was a testament to your capabilities."
A likely business-ending catastrophe was averted through dedicated experts, a broad range of technical expertise, and tight teamwork. The post-incident analysis showed that the crypto-ransomware intrusion described here could have been detected and blocked with current security technology and best practices, user training, proper data protection procedures and sound patching controls; the reality remains, however, that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and an ongoing threat. If you do get hit by a ransomware attack, you can be confident that Progent's roster of professionals has proven experience in ransomware blocking, mitigation and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were helping), thank you for allowing me to get some sleep after we made it past the most critical parts. All of you did a fabulous job, and if any of you guys are visiting the Chicago area, a great meal is my treat!"
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB)
Contact Progent for Ransomware Recovery Consulting Services in Portland
For ransomware cleanup services in the Portland area, call Progent at 800-462-8800 or go to Contact Progent.