Ransomware : Your Worst Information Technology Disaster
Ransomware has become a modern cyberplague that presents an enterprise-level danger for organizations poorly prepared for an attack. Versions of crypto-ransomware like the CryptoLocker, Fusob, Locky, Syskey and MongoLock cryptoworms have been around for years and still inflict damage. Modern strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Egregor, plus as-yet-unnamed newcomers appearing daily, not only encrypt online files but also infect all configured system restores and backups. Information synced to cloud environments can also be encrypted. In a vulnerable system, this can make automated restore operations impossible and effectively sets the datacenter back to zero.
Recovering services and data after a crypto-ransomware event becomes a race against the clock as the targeted organization struggles to stop lateral movement, clear the ransomware and restore enterprise-critical activity. Since crypto-ransomware needs time to move laterally, penetrations are frequently launched on weekends and holidays, when successful penetrations tend to take longer to notice. This compounds the difficulty of quickly mobilizing and orchestrating an experienced response team.
Progent has an assortment of support services for securing Morgan Hill organizations from ransomware attacks. Among these are team member training to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security appliances with AI technology to rapidly detect and extinguish zero-day cyber attacks. Progent also can provide the services of experienced ransomware recovery consultants with the talent and commitment to restore a breached network as quickly as possible.
Progent's Ransomware Recovery Help
Following a ransomware penetration, even paying the ransom in Bitcoin cryptocurrency does not provide any assurance that the cyber criminals will respond with the keys needed to decrypt all your files. Kaspersky Labs found that 17% of ransomware victims never restored their information even after having paid the ransom, resulting in further losses. The gamble is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is far above the usual ransomware demand, which ZDNET determined to be around $13,000 for small businesses. The alternative is to re-install the key components of your IT environment. Absent access to full data backups, this requires a broad complement of skills, professional team management, and the willingness to work 24x7 until the recovery project is completed.
For twenty years, Progent has made available expert Information Technology services for businesses throughout the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have attained high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has expertise in financial management and ERP software solutions. This breadth of experience gives Progent the capability to knowledgeably understand critical systems, organize the surviving components of your computer network environment following a ransomware attack, and assemble them into an operational network.
Progent's security group has state-of-the-art project management systems to orchestrate the complicated recovery process. Progent appreciates the importance of acting swiftly and in concert with a customer's management and IT staff to prioritize tasks and to get key applications back on line as fast as possible.
Customer Story: A Successful Crypto-Ransomware Intrusion Response
A business sought out Progent after its network was brought down by Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state-sponsored hackers, suspected of adopting technology leaked from the U.S. NSA. Ryuk attacks specific companies with little or no ability to sustain disruption and is one of the most profitable examples of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in Chicago with about 500 staff members. The Ryuk penetration had paralyzed all essential operations and manufacturing capabilities. Most of the client's backups had been online at the time of the attack and were damaged. The client was pursuing financing to pay the ransom demand (in excess of two hundred thousand dollars) and praying for good luck, but in the end turned to Progent.
"I can't thank you enough in regards to the support Progent provided us throughout the most critical period of (our) business's existence. We may have had to pay the criminal gangs if it wasn't for the confidence the Progent group afforded us. That you could get our messaging and key applications back on-line quicker than one week was incredible. Each staff member I got help from or communicated with at Progent was urgently focused on getting us back online and was working at all hours to bail us out."
Progent worked with the client to quickly get its arms around, and assign priority to, the essential systems that had to be restored to make it possible to continue company functions:
To begin, Progent followed anti-virus and anti-malware incident-mitigation best practices by halting lateral movement and disinfecting systems. Progent then began restoring Microsoft Active Directory, the core technology of enterprise systems built on Microsoft products. Microsoft Exchange Server messaging will not work without AD, and the client's accounting and MRP system ran on Microsoft SQL Server, which needs Windows AD for authorization to the databases.
- Windows Active Directory
- Exchange Server
- MRP System
Within 2 days, Progent was able to restore Active Directory services to their pre-penetration state. Progent then initiated reinstallations and hard drive recovery on the needed servers. All Microsoft Exchange Server ties and configuration information were intact, which accelerated the restore of Exchange. Progent was also able to collect unencrypted OST data files (Outlook Offline Folder Files) from user PCs and laptops to recover mail data. A recent off-line backup of the customer's manufacturing systems made it possible to bring these essential applications back online. Although significant work remained to recover fully from the Ryuk damage, the most important systems were restored quickly:
"For the most part, the assembly line operation was never shut down and we made all customer shipments."
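One way to make the restore priority explicit is to encode the dependencies named in the narrative (Exchange needs Active Directory; the MRP system runs on SQL Server, which needs AD) as a graph and order the rebuild so nothing is restored before what it relies on, while flagging components whose only backups were encrypted. This is an added example, not Progent's tooling; the inventory and its backup-status values are constructed for illustration.

```python
from collections import deque

# Constructed inventory (not from Progent): component -> (dependencies, has_clean_backup).
# Edges follow the narrative: Exchange needs AD; the MRP system runs on SQL Server,
# which needs AD. Online backups were damaged; the MRP off-line backup survived.
INVENTORY = {
    "Active Directory": ([], True),
    "Exchange Server": (["Active Directory"], True),
    "SQL Server": (["Active Directory"], True),
    "MRP System": (["SQL Server"], True),  # recent off-line backup
    "Internal web sites": (["Active Directory"], True),
    "MailStore Server": (["Active Directory", "Exchange Server"], True),
}

def plan_restore_order(inventory):
    """Kahn's algorithm: order components so every dependency is restored
    before anything that relies on it. Raises ValueError on a cycle."""
    indegree = {c: 0 for c in inventory}
    dependents = {c: [] for c in inventory}
    for comp, (deps, _) in inventory.items():
        for dep in deps:
            if dep not in inventory:
                raise KeyError(f"{comp} depends on unlisted component {dep}")
            indegree[comp] += 1
            dependents[dep].append(comp)
    ready = deque(sorted(c for c, n in indegree.items() if n == 0))
    order = []
    while ready:
        comp = ready.popleft()
        order.append(comp)
        for child in sorted(dependents[comp]):  # sorted for a stable plan
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(inventory):
        stuck = [c for c in inventory if c not in order]
        raise ValueError("dependency cycle among: " + ", ".join(stuck))
    return order

def blocked_components(inventory):
    """Components that cannot be restored from backup: no clean copy of their
    own, or a dependency that is itself blocked (the damage propagates down)."""
    blocked = set()
    for comp in plan_restore_order(inventory):
        deps, clean = inventory[comp]
        if not clean or any(d in blocked for d in deps):
            blocked.add(comp)
    return sorted(blocked)
```

Anything reported as blocked has to be rebuilt from scratch or recovered from surviving client-side data (as the OST files were for mail) rather than restored, so it belongs at the end of the plan.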
During the following few weeks key milestones in the restoration process were accomplished in close collaboration between Progent consultants and the client:
- Internal web sites were returned to operation with no loss of data.
- The MailStore Server with over 4 million archived messages was brought online and available for users.
- CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables/Inventory Control capabilities were 100 percent functional.
- A new Palo Alto Networks 850 security appliance was brought on-line.
- 90% of the desktop computers were back into operation.
"Much of what happened during the initial response is mostly a haze for me, but we will not forget the urgency all of the team put in to help get our business back. I have been working with Progent for at least 10 years, possibly more, and every time Progent has outperformed my expectations and delivered as promised. This event was no exception but maybe more Herculean."
A probable company-ending disaster was averted through dedicated professionals, a wide spectrum of subject matter expertise, and tight collaboration. In hindsight, the ransomware attack described here could have been blocked with current security technology, security best practices, user and IT administrator education, appropriate incident response procedures for information protection, and proper patching controls; the fact remains that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and will continue. If you do get hit by ransomware, remember that Progent's team of experts has a proven track record in ransomware blocking, remediation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were involved), thank you for making it so I could get some sleep after we made it past the most critical parts. Everyone did a fabulous effort, and if anyone is visiting the Chicago area, dinner is the least I can do!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Expertise in Morgan Hill
For ransomware system recovery expertise in the Morgan Hill metro area, call Progent at 800-462-8800 or visit Contact Progent.