Ransomware : Your Worst IT Disaster
Ransomware has become an escalating cyberplague that poses an existential danger to businesses vulnerable to an attack. Different versions of crypto-ransomware such as Reveton, WannaCry, Bad Rabbit, SamSam and the MongoLock cryptoworms have been circulating for a long time and still inflict damage. Modern strains such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, along with many unnamed families, not only encrypt online data files but also defeat whatever system protection they can reach. Files replicated to cloud environments can be encrypted as well. In a poorly architected environment, this can make restoration hopeless and effectively knock the datacenter back to zero.
Getting applications and information back after a ransomware event becomes a race against time as the victim tries to contain and remove the crypto-ransomware and resume business-critical operations. Because ransomware takes time to spread, attacks are often launched at night and on weekends, when successful intrusions typically take longer to discover. This multiplies the difficulty of quickly assembling and coordinating a knowledgeable mitigation team.
Progent provides a variety of solutions for protecting Naples enterprises from ransomware events. These include team member education to help staff recognize and avoid phishing attempts, and ProSight Active Security Monitoring (ASM), an endpoint detection and response service that uses SentinelOne's AI-based threat protection to detect and quarantine zero-day malware attacks. Progent also provides experienced crypto-ransomware recovery consultants with the skills and perseverance to reconstruct a compromised system as rapidly as possible.
Progent's Crypto-Ransomware Restoration Support Services
After a ransomware attack, even paying the ransom demand in cryptocurrency does not ensure that the criminal gang will provide the keys to decrypt any or all of your files. Kaspersky Labs found that 17% of crypto-ransomware victims never restored their files even after sending the ransom, resulting in additional losses. The ransom itself is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the usual ransomware demand, which ZDNET estimated at around $13,000 for small businesses. The alternative is to rebuild the essential parts of your IT environment. Without access to complete system backups, this requires a wide range of IT skills, professional team management, and the willingness to work 24x7 until the job is done.
For two decades, Progent has provided professional IT services to companies throughout the US and has achieved Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who hold top certifications in foundation technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cybersecurity specialists hold internationally recognized certifications including CISA, CISSP, CRISC and SANS GIAC. (See Progent's certifications.) Progent also has experience with accounting and ERP applications. This breadth of experience allows Progent to knowledgeably assess critical systems, organize the remaining pieces of your IT environment following a ransomware attack, and rebuild them into an operational system.
Progent's ransomware team uses state-of-the-art project management tools to orchestrate the complex recovery process. Progent understands the urgency of working swiftly, together with a customer's management and IT staff, to prioritize tasks and get critical systems back online as fast as possible.
Case Study: A Successful Ransomware Penetration Recovery
A customer hired Progent after their network was brought down by the Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state-sponsored criminal gangs, suspected of using techniques exposed from the United States National Security Agency. Ryuk targets specific businesses with little tolerance for disruption and is among the most lucrative examples of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in Chicago with about 500 employees. The Ryuk attack had paralyzed all business operations and manufacturing capabilities. The majority of the client's data backups had been online at the start of the attack and were damaged. The client considered paying the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.
"I can't tell you enough in regards to the care Progent provided us during the most stressful period of (our) business's life. We would have paid the cyber criminals behind the attack if it wasn't for the confidence the Progent team gave us. That you were able to get our e-mail and key applications back in less than one week was earth shattering. Each expert I worked with or texted at Progent was amazingly focused on getting my company operational and was working 24 by 7 to bail us out."
Progent worked hand in hand with the client to quickly understand and prioritize the most important areas that had to be recovered to make it possible to resume business operations:
- Active Directory (AD)
- MRP System
As a first step, Progent followed ransomware mitigation best practices by halting lateral movement and removing the malware. Progent then began restoring Active Directory, the heart of enterprise networks built on Microsoft technology. Exchange email will not work without Windows AD, and the business's MRP system used SQL Server, which relies on Active Directory for authentication to the data.
Within two days, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then completed the rebuild and hard drive recovery of essential systems. All Exchange data and attributes were intact, which simplified the rebuild of Exchange. Progent was also able to locate local OST files (Microsoft Outlook Offline Folder Files) on various PCs and use them to recover email messages. A relatively recent offline backup of the customer's financial/MRP systems made it possible to bring these essential applications back to users. Although significant work remained to recover fully from the Ryuk event, critical systems were recovered rapidly:
"For the most part, the manufacturing operation did not miss a beat and we delivered all customer orders."
Over the following few weeks, critical milestones in the recovery process were achieved in close collaboration between Progent engineers and the customer:
- Internal web applications were returned to operation with no loss of information.
- The MailStore Exchange Server with over 4 million historical emails was brought online and accessible to users.
- CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control modules were fully operational.
- A new Palo Alto 850 security appliance was brought online.
- Nearly all of the user desktops and notebooks were operational.
"A lot of what happened those first few days is mostly a fog for me, but our team will not soon forget the care each of you showed to help get our company back. I've entrusted Progent for the past 10 years, possibly more, and every time I needed help Progent has come through and delivered. This time was a Herculean accomplishment."
A probable enterprise-killing disaster was averted through dedicated professionals, a wide array of subject matter expertise, and close collaboration. Although in retrospect the ransomware intrusion described here could have been identified and prevented with modern cybersecurity technology, NIST Cybersecurity Framework best practices, team education, and well thought out procedures for data protection and software patching, the fact remains that government-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a crypto-ransomware intrusion, remember that Progent's team of professionals has proven experience in crypto-ransomware blocking, remediation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thanks very much for letting me get some sleep after we got through the first week. All of you made an amazing effort, and if anyone who helped is visiting the Chicago area, dinner is the least I can do!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer case study, see Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Restoration Expertise in Naples
For ransomware system recovery expertise in the Naples metro area, call Progent at 800-462-8800 or see Contact Progent.