Ransomware : Your Feared IT Nightmare
Ransomware has become an all-too-frequent cyber plague that poses an existential threat to businesses of all sizes that are poorly prepared for an attack. Crypto-ransomware families such as Dharma, CryptoWall, Bad Rabbit, SamSam and the MongoLock cryptoworm have circulated for years and still cause damage. More recent variants like Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, along with a steady stream of unnamed malware, not only encrypt critical online data but also attack the system protection mechanisms they can reach, including backups. Data synced to the cloud can be rendered useless as well. On a vulnerable network this can make any restore operation impossible and effectively sets the datacenter back to square one.
Bringing applications and data back online after a crypto-ransomware outage becomes a race against the clock as the targeted organization struggles to contain the damage, remove the ransomware and restore business-critical operations. Because ransomware takes time to move laterally, attacks are often launched on weekends and holidays, when a successful intrusion may take longer to detect. This multiplies the difficulty of quickly assembling and coordinating a knowledgeable response team.
Progent offers an assortment of support services for protecting Naples businesses from crypto-ransomware attacks. These include user education to help staff recognize and avoid phishing attempts, and ProSight Active Security Monitoring, an endpoint detection and response service that uses SentinelOne's behavior-based threat defense to detect and contain zero-day malware attacks. Progent can also provide experienced ransomware recovery consultants with the track record and perseverance to rebuild a compromised environment as quickly as possible.
Progent's Ransomware Restoration Help
After a crypto-ransomware event, paying the ransom demand in cryptocurrency does not ensure that the criminal gang will hand over the keys to decrypt any of your data. Kaspersky determined that 17% of ransomware victims never recovered their files after sending off the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is far above the usual crypto-ransomware demand, which ZDNET estimated at approximately $13,000 for smaller businesses. The other path is to piece the key components of your IT environment back together. Without access to complete backups, this requires a wide range of IT skills, well-coordinated team management, and the willingness to work non-stop until the recovery project is finished.
For decades, Progent has provided professional IT services to companies throughout the US and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who hold top certifications in key technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's security engineers hold internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise with accounting and ERP applications. This breadth of experience lets Progent quickly identify the systems that matter, salvage the surviving parts of your network following a ransomware event, and assemble them into a functioning environment.
Progent's recovery team uses state-of-the-art project management tools to orchestrate the complex restoration process. Progent understands the importance of working rapidly and in unison with a client's management and IT staff to prioritize tasks and bring essential services back online as soon as humanly possible.
Customer Case Study: A Successful Ransomware Intrusion Response
A small business hired Progent after its network was penetrated by Ryuk ransomware. Ryuk is thought to have been launched by North Korean state hackers, possibly using techniques leaked from America's National Security Agency. Ryuk targets specific businesses with little tolerance for operational disruption and is one of the most lucrative ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in Chicago with about 500 staff members. The Ryuk intrusion had frozen all essential business and manufacturing processes. Most of the client's system backups had been online when the intrusion began and were eventually encrypted. The client considered paying the ransom (more than $200K) and hoping for the best, but in the end engaged Progent.
"I can't say enough about the support Progent gave us during the most critical period of (our) business's survival. We may have had to pay the Hackers if it wasn't for the confidence the Progent group provided us. The fact that you could get our e-mail system and production servers back online faster than a week was something I thought impossible. Every single person I talked with or messaged at Progent was absolutely committed to getting our system up and was working 24 by 7 to bail us out."
Progent worked with the client to rapidly identify and prioritize the essential applications that had to be restored in order to restart business functions:
- Windows Active Directory
- Exchange Server
To begin, Progent followed industry best practices for AV/malware incident response by halting lateral movement and performing malware removal. Progent then started recovering Windows Active Directory, the foundation of enterprise systems built on Microsoft technology. Exchange messaging will not work without Active Directory, and the customer's financial and MRP applications ran on Microsoft SQL Server, which depends on Active Directory for authentication and authorization to the data.
In less than 2 days, Progent recovered Active Directory to its pre-intrusion state. Progent then assisted with rebuilding critical applications and recovering their storage. All Exchange Server schema and configuration information was usable, which greatly simplified the Exchange restore. Progent was also able to gather local OST files (Microsoft Outlook Offline Folder Files) from staff PCs and laptops to recover mail messages. A recent offline backup of the customer's financial/MRP software allowed these required services to be brought back online for users. Although a lot of work remained to recover fully from the Ryuk damage, critical services were returned to operation rapidly:
"For the most part, the production manufacturing operation did not miss a beat and we delivered all customer shipments."
During the following weeks, important milestones in the recovery project were reached through tight collaboration between Progent team members and the client:
- Internal web applications were restored with no loss of data.
- The MailStore Exchange Server archive, holding more than 4 million archived messages, was brought online and made accessible to users.
- CRM, Orders, Invoicing, Accounts Payable, Accounts Receivable (AR) and Inventory functions were 100% operational.
- A new Palo Alto 850 firewall was brought online.
- 90% of the user desktops and notebooks were fully operational.
"Much of what occurred in the initial days is mostly a haze for me, but I will not soon forget the urgency with which each of you worked to help get our company back. I've entrusted Progent for at least 10 years, maybe more, and every time Progent has come through and delivered. This situation was no exception but maybe more Herculean."
A likely business-ending catastrophe was averted through the efforts of top-tier experts, a broad range of subject matter expertise, and tight collaboration. In hindsight, the ransomware intrusion described here should have been identified and blocked by current security technology, NIST Cybersecurity Framework best practices, user and IT administrator training, well-designed incident response procedures, offline backups and proper patching controls. The reality remains, however, that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and will keep trying. If you are hit by crypto-ransomware, you can be confident that Progent's team of professionals has a proven track record in ransomware blocking, remediation, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were involved), thanks very much for making it so I could get rested after we made it over the most critical parts. All of you did an incredible job, and if any of your team is around the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this case study, see Progent's Ryuk Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Restoration Consulting in Naples
For ransomware recovery consulting services in the Naples area, call Progent at 800-462-8800 or go to Contact Progent.