Ransomware: Your Feared Information Technology Catastrophe
Ransomware has become a modern cyber pandemic that presents an existential threat to businesses of all sizes that are unprepared for an attack. Different versions of crypto-ransomware such as the CrySIS, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for a long time and still cause havoc. Modern versions of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Egregor, as well as additional as yet unnamed malware, not only encrypt online data files but also infiltrate any accessible system backup. Data replicated to off-site disaster recovery sites can also be corrupted. In a poorly architected system, this can render automatic restoration useless and effectively knock the entire system back to square one.
Restoring services and information after a ransomware attack becomes a race against the clock as the targeted organization fights to contain the damage, clean up the ransomware and resume mission-critical activity. Since ransomware takes time to spread, intrusions are frequently launched during nights and weekends, when attacks tend to take longer to uncover. This compounds the difficulty of promptly assembling and coordinating a capable response team.
Progent offers a variety of services for protecting Norfolk organizations from crypto-ransomware intrusions. These include team training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of next-generation security gateways with artificial intelligence technology to automatically detect and suppress zero-day cyber threats. Progent can also provide the services of seasoned ransomware recovery engineers with the talent and commitment to reconstruct a breached environment as quickly as possible.
Progent's Ransomware Recovery Help
Following a ransomware attack, paying the ransom in Bitcoin cryptocurrency provides no assurance that the attackers will return the keys needed to decrypt any or all of your files. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never restored their files after having paid the ransom, resulting in increased losses. The cost of paying is also very high. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET determined to be around $13,000 for smaller organizations. The other path is to set up from scratch the mission-critical parts of your Information Technology environment. Without access to complete information backups, this calls for a broad complement of IT skills, top-notch project management, and the capability to work non-stop until the job is completed.
For two decades, Progent has provided expert IT services for businesses across the US and has earned Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who hold top industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications.) Progent also has expertise with financial systems and ERP software solutions. This breadth of experience gives Progent the ability to quickly understand critical systems, integrate the remaining pieces of your IT environment after a ransomware attack, and configure them into an operational system.
Progent's ransomware team uses best-of-breed project management applications to coordinate the sophisticated restoration process. Progent appreciates the urgency of working swiftly and in unison with a customer's management and IT resources to prioritize tasks and get key systems back on-line as soon as humanly possible.
Client Case Study: A Successful Ransomware Intrusion Restoration
A client escalated to Progent after their organization was brought down by the Ryuk ransomware. Ryuk is believed to have been developed by North Korean government-sponsored cybercriminals, suspected of adopting techniques leaked from America's National Security Agency. Ryuk attacks specific organizations with limited tolerance for disruption and is among the most profitable examples of crypto-ransomware. Well-known victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturer based in the Chicago metro area with around 500 workers. The Ryuk intrusion had frozen all essential operations and manufacturing processes. Most of the client's system backups had been online at the time of the attack and were encrypted. The client considered paying the ransom (exceeding two hundred thousand dollars) and hoping for good luck, but ultimately brought in Progent.
"I can't tell you enough in regards to the care Progent gave us during the most critical period of (our) company's existence. We most likely would have paid the cyber criminals except for the confidence the Progent experts afforded us. The fact that you could get our e-mail and key servers back on-line in under one week was beyond my wildest dreams. Every single expert I got help from or messaged at Progent was totally committed to getting us back on-line and was working at all hours on our behalf."
Progent worked together with the client to quickly assess and prioritize the key systems that had to be addressed to make it possible to continue company functions:
- Microsoft Active Directory
- MRP System
To start, Progent followed anti-virus incident response industry best practices by stopping the spread and disinfecting systems. Progent then initiated the process of rebuilding Microsoft Active Directory, the core technology of enterprise systems built on Microsoft Windows. Microsoft Exchange email will not work without Windows AD, and the client's accounting and MRP system relied on SQL Server, which requires Active Directory for authorization to the database.
Within 48 hours, Progent was able to restore Active Directory to its pre-intrusion state. Progent then helped rebuild and recover the hard drives of mission-critical servers. All Exchange ties and attributes were intact, which accelerated the rebuild of Exchange. Progent was able to collect intact OST files (Microsoft Outlook Offline Data Files) from various desktop computers in order to recover mail data. A relatively recent offline backup of the business's accounting/MRP software made it possible to bring these essential applications back online. Although a large amount of work remained to recover fully from the Ryuk event, the most important services were restored quickly:
"For the most part, the production manufacturing operation never missed a beat and we made all customer sales."
Over the next few weeks, important milestones in the restoration process were completed through tight collaboration between Progent team members and the customer:
- Self-hosted web sites were restored without losing any information.
- The MailStore Server with over 4 million historical messages was restored to operation and made available to users.
- CRM/Orders/Invoices/AP/AR/Inventory functions were 100 percent recovered.
- A new Palo Alto Networks 850 firewall was deployed.
- Ninety percent of the user desktops were operational.
"A huge amount of what went on in the initial days is mostly a haze for me, but our team will not soon forget the care each of the team accomplished to give us our company back. I've trusted Progent for the past 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This situation was a stunning achievement."
A potential business-extinction disaster was averted thanks to results-oriented professionals, a broad range of IT skills, and close collaboration. Although in hindsight the crypto-ransomware attack detailed here could have been stopped with advanced security systems, ISO/IEC 27001 best practices, staff training, and properly executed procedures for data backup and patch management, the reality remains that government-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and will keep attacking. If you are hit by a crypto-ransomware attack, you can be confident that Progent's team of professionals has proven experience in ransomware defense, cleanup, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), I'm grateful for letting me get rested after we made it past the most critical parts. All of you did an amazing job, and if anyone is around the Chicago area, dinner is on me!"
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)