Ransomware: Your Feared IT Catastrophe
Ransomware has become an all-too-frequent cyber pandemic and represents an enterprise-level threat to organizations unprepared for an attack. Iterations of ransomware such as the CryptoLocker, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been around for years and continue to inflict havoc. Newer variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Egregor, along with the as-yet-unnamed variants that appear daily, not only encrypt online data files but also corrupt every system backup they can reach. Data replicated to cloud environments can be rendered useless as well. In a poorly architected system this can make any recovery impossible, effectively setting the entire system back to square one.
Retrieving programs and data after a ransomware event becomes a race against time as the victim tries to contain and eradicate the ransomware and restore business-critical activity. Because ransomware takes time to spread, attacks are usually launched on weekends and at night, when successful intrusions often take longer to detect. This multiplies the difficulty of promptly assembling and organizing an experienced mitigation team.
Progent offers a range of solutions for protecting Norfolk enterprises from ransomware events. These include staff training to help employees recognize and avoid phishing exploits, and ProSight Active Security Monitoring (ASM), an endpoint detection and response (EDR) service that uses SentinelOne's behavior-based threat protection to detect and contain zero-day modern malware attacks. Progent also provides the assistance of experienced crypto-ransomware recovery professionals with the track record and commitment to restore a compromised system as quickly as possible.
Progent's Crypto-Ransomware Restoration Services
Following a crypto-ransomware penetration, even paying the ransom in Bitcoin does not ensure that the criminals will respond with the keys to decrypt any of your data. Kaspersky Labs estimated that seventeen percent of crypto-ransomware victims never recovered their files after sending the ransom, compounding their losses. Paying is also expensive: Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000), far above the usual crypto-ransomware demand, which ZDNET estimated to be approximately $13,000 for small businesses. The other path is to rebuild the key parts of your IT environment from scratch. Without full data backups, this calls for a broad range of skill sets, well-coordinated project management, and the ability to work continuously until the job is finished.
For twenty years, Progent has provided expert information technology services to companies throughout the US and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have attained top industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have earned internationally renowned industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with financial systems and ERP application software. This breadth of experience gives Progent the skills to efficiently identify critical systems, consolidate the remaining components of your IT environment following a crypto-ransomware penetration, and assemble them into a functioning system.
Progent's recovery team uses powerful project management tools to orchestrate the complicated recovery process. Progent understands the urgency of working swiftly, together with a client's management and IT staff, to prioritize tasks and get essential services back online as fast as possible.
Customer Case Study: A Successful Crypto-Ransomware Penetration Restoration
A client engaged Progent after their network was attacked by the Ryuk ransomware. Ryuk is believed to have been launched by North Korean state-sponsored hackers, possibly adopting techniques leaked from the United States National Security Agency. Ryuk targets specific companies with little or no tolerance for disruption and is among the most lucrative iterations of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing company located in Chicago with about 500 employees. The Ryuk attack had shut down all company operations and manufacturing capabilities. The majority of the client's backups had been directly accessible from the network at the start of the intrusion and were damaged. The client was pursuing financing to pay the ransom demand (more than $200,000) and hoping for the best, but ultimately decided to engage Progent.
"I cannot tell you enough in regards to the expertise Progent provided us throughout the most stressful time of (our) business's life. We had little choice but to pay the cyber criminals except for the confidence the Progent team provided us. The fact that you were able to get our messaging and essential applications back into operation in less than seven days was amazing. Each expert I spoke to or communicated with at Progent was absolutely committed to getting us back online and was working 24 by 7 on our behalf."
Progent worked hand in hand with the client to rapidly identify and prioritize the critical elements that had to be addressed to make it possible to resume company operations:
- Windows Active Directory
- Electronic Mail
- MRP System
To begin, Progent followed ransomware incident mitigation industry best practices by isolating affected systems and cleaning them of malware. Progent then started the task of bringing Microsoft Active Directory back online, the heart of enterprise networks built on Microsoft Windows technology. Microsoft Exchange Server messaging will not function without Windows AD, and the customer's accounting and MRP software ran on SQL Server, which relies on Windows AD to authenticate access to the data.
In less than 2 days, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then completed reinstallations and hard drive recovery of the needed servers. All Exchange schema and attributes were intact, which greatly helped the restore of Exchange. Progent was also able to collect unencrypted OST files (Outlook Offline Data Files) from various desktop computers in order to recover mail data. A recent offline backup of the business's financial/MRP systems made it possible to bring these required applications back online. Although significant work remained to recover fully from the Ryuk event, core services were restored rapidly:
"For the most part, the production line operation did not miss a beat and we produced all customer sales."
Over the next couple of weeks, critical milestones in the recovery project were completed through close cooperation between Progent consultants and the client:
- Self-hosted web applications were brought back up without losing any data.
- The MailStore archive for Microsoft Exchange Server, containing more than 4 million archived messages, was brought online and made accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory capabilities were completely functional.
- A new Palo Alto Networks 850 firewall was installed and configured.
- Nearly all of the desktop computers were back in operation.
"So much of what occurred in the early hours is mostly a blur for me, but our team will not forget the countless hours each and every one of the team accomplished to give us our business back. I have been working with Progent for the past 10 years, possibly more, and every time Progent has come through and delivered as promised. This situation was a testament to your capabilities."
A probable business-ending catastrophe was avoided with dedicated experts, a broad array of IT skills, and close teamwork. Although post-incident forensics showed that the ransomware incident described here should have been prevented with current security technology, NIST Cybersecurity Framework best practices, staff education, and properly executed procedures for data protection and patch management, the fact remains that government-sponsored cybercriminals from China, North Korea and elsewhere are relentless and will keep attacking. If you do get hit by a crypto-ransomware incursion, you can be confident that Progent's team of experts has substantial experience in crypto-ransomware defense, remediation, and information systems disaster recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), I'm grateful for allowing me to get some sleep after we got over the initial fire. All of you did an impressive effort, and if anyone that helped is visiting the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Expertise in Norfolk
For ransomware system recovery expertise in the Norfolk metro area, call Progent at 800-462-8800 or go to Contact Progent.