Ransomware: Your Feared IT Nightmare
Ransomware has become an all-too-frequent cyberplague that presents an enterprise-level danger for organizations vulnerable to an attack. Versions of crypto-ransomware such as Reveton, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been out in the wild for a long time and still inflict damage. Newer versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Nephilim, along with the as-yet-unnamed malware that appears daily, not only encrypt online information but also corrupt every accessible system restore point and backup. Information synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly designed system, this can make automatic restore operations impossible and effectively knocks the entire environment back to square one.
Recovering applications and information following a crypto-ransomware attack becomes a race against the clock as the targeted organization fights to contain the damage, eradicate the malware, and restore mission-critical operations. Since ransomware needs time to move laterally, attacks are frequently triggered during nights and weekends, when a successful intrusion typically takes longer to identify. This multiplies the difficulty of promptly marshalling and organizing a qualified mitigation team.
Progent makes available a range of services for securing Norfolk organizations from crypto-ransomware attacks. These include staff training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of the latest generation security solutions with machine learning capabilities to automatically discover and quarantine zero-day cyber threats. Progent in addition provides the assistance of experienced crypto-ransomware recovery professionals with the talent and perseverance to restore a compromised environment as quickly as possible.
Progent's Crypto-Ransomware Recovery Help
Following a ransomware attack, paying the ransom demand in cryptocurrency does not ensure that the attackers will return the keys needed to decrypt any or all of your data. Kaspersky estimated that seventeen percent of ransomware victims never recovered their information even after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is greatly above the average crypto-ransomware demand, which ZDNET determined to be around $13,000 for smaller organizations. The other path is to set up the vital elements of your IT environment from scratch. Without complete data backups available, this requires a broad range of IT skills, professional project management, and the ability to work non-stop until the recovery project is done.
For decades, Progent has provided expert IT services for companies across the United States and has achieved Microsoft Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have earned advanced industry certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have garnered internationally recognized certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent in addition has experience with financial management and ERP software solutions. This breadth of experience gives Progent the capability to efficiently identify critical systems, reorganize the remaining parts of your IT environment following a ransomware penetration, and configure them into a functioning system.
Progent's recovery team deploys powerful project management systems to orchestrate the complex recovery process. Progent understands the importance of acting swiftly and in unison with a customer's management and IT staff to assign priority to tasks and to get key applications back online as fast as possible.
Client Case Study: A Successful Crypto-Ransomware Incident Response
A business engaged Progent after their organization was taken over by Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state hackers, suspected of adopting techniques leaked from America's National Security Agency. Ryuk seeks out specific companies with little or no tolerance for operational disruption and is one of the most profitable iterations of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company located in the Chicago metro area with about 500 employees. The Ryuk attack had brought down all company operations and manufacturing processes. The majority of the client's backups had been online at the time of the intrusion and were encrypted. The client considered paying the ransom demand (in excess of $200K) and hoping for the best, but ultimately reached out to Progent.
"I can't speak enough in regards to the help Progent provided us during the most fearful time of (our) company's life. We had little choice but to pay the hackers except for the confidence the Progent group provided us. The fact that you were able to get our e-mail system and essential servers back into operation in less than five days was beyond my wildest dreams. Every single expert I worked with or messaged at Progent was totally committed to getting our company operational and was working at a breakneck pace on our behalf."
Progent worked hand in hand with the customer to quickly determine and prioritize the key systems that had to be restored to make it possible to restart departmental functions:
- Windows Active Directory
- Exchange Server
- Accounting and Manufacturing Software
To get going, Progent adhered to ransomware incident response industry best practices by halting the spread and removing active malware. Progent then began the work of bringing Active Directory back online, the key technology of enterprise environments built on Microsoft Windows Server. Exchange messaging will not operate without Windows AD, and the customer's MRP software used SQL Server, which relies on Active Directory services to authorize access to the databases.
In less than 48 hours, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then charged ahead with reinstallations and storage recovery of essential systems. All Exchange Server data and configuration information were usable, which facilitated the restore of Exchange. Progent was also able to gather non-encrypted OST data files (Microsoft Outlook Offline Folder Files) from team desktop computers to recover mail information. A reasonably recent offline backup of the customer's financials/MRP software made it possible to bring these vital services back into service for users. Although significant work still had to be done to recover fully from the Ryuk damage, critical systems were recovered rapidly:
"For the most part, the production line operation was never shut down and we delivered all customer shipments."
Over the next couple of weeks important milestones in the recovery project were achieved in tight cooperation between Progent engineers and the customer:
- Internal web applications were restored without losing any data.
- The MailStore archive for Microsoft Exchange Server, holding more than four million archived emails, was brought back up and made accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory Control capabilities were 100 percent restored.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- 90% of the user desktops were fully operational.
"A huge amount of what was accomplished in the early hours is nearly entirely a fog for me, but we will not soon forget the care all of your team took to give us our business back. I've entrusted Progent for at least 10 years, maybe more, and each time Progent has outperformed my expectations and delivered as promised. This time was a Herculean accomplishment."
A possible business-killing disaster was avoided through the efforts of hard-working experts, a wide range of IT skills, and close collaboration. In hindsight, the ransomware attack detailed here should have been identified and blocked with up-to-date cyber security technology and ISO/IEC 27001 best practices, user training, and well thought out incident response procedures for information protection and software patching. The reality remains, however, that state-sponsored cybercriminals from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a crypto-ransomware incursion, feel confident that Progent's roster of professionals has extensive experience in ransomware blocking, mitigation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were contributing), thank you for letting me get some sleep after we made it over the initial push. All of you put in an incredible effort, and if anyone is around the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)