Ransomware: Your Worst IT Disaster
Ransomware has become an escalating cyber pandemic and an existential threat to any business vulnerable to attack. Families such as Dharma, CryptoWall, Locky, NotPetya and MongoLock have been circulating for years and still inflict damage. Newer families such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Egregor, along with a daily stream of unnamed variants, not only encrypt critical online data but also seek out and destroy every backup that is reachable from the network. Files synced to cloud storage can be ransomed as well, because the encrypted copies overwrite the originals on the next sync. In a poorly architected data-protection design this leaves nothing usable to recover from and effectively knocks the network back to square one.
Recovering programs and data after a crypto-ransomware attack becomes a sprint against the clock as the targeted business tries to contain and eradicate the ransomware and resume business-critical activity. Because the attackers need time to spread through a network and encrypt data, the final encryption run is usually launched on a weekend or holiday, when a successful attack takes longer to identify. This compounds the difficulty of promptly marshalling and organizing a knowledgeable response team.
Progent provides a range of support services for protecting Birmingham organizations from ransomware attacks. These include user education on recognizing and avoiding phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of next-generation security solutions that use machine learning to detect and contain new attacks. Progent also provides experienced crypto-ransomware recovery professionals with the skills and commitment to bring a compromised network back into service as quickly as possible.
Progent's Ransomware Restoration Help
Following a ransomware intrusion, paying the ransom in cryptocurrency provides no assurance that the criminals will deliver working keys to decrypt all of your data. Kaspersky found that seventeen percent of ransomware victims never recovered their data after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC ($120,000 to $400,000), far above the average ransomware demand, which ZDNet estimated at around $13,000 for smaller businesses. The alternative is to rebuild the vital components of your IT environment. Without access to complete system backups, this calls for a broad range of IT skills, strong project management, and the capacity to work around the clock until the job is done.
For twenty years, Progent has provided professional IT services to businesses throughout the United States and holds Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who hold high-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity engineers have earned internationally recognized certifications including CISM, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise with financial systems and ERP application software. This breadth of experience lets Progent rapidly identify the necessary systems, consolidate the surviving parts of your IT environment following a crypto-ransomware event, and assemble them into an operational whole.
Progent's security team uses best-of-breed project management tools to coordinate the complicated restoration process. Progent understands the importance of acting swiftly, and in concert with a client's management and IT staff, to prioritize tasks and get critical applications back online as fast as humanly possible.
Client Case Study: A Successful Ransomware Virus Restoration
A small business hired Progent after their organization was brought down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state actors because it shares code with the earlier Hermes ransomware, although later analysis tied its operation to a Russian-speaking criminal group. Ryuk targets specific organizations with little tolerance for disruption and is one of the most lucrative ransomware families. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company located in the Chicago metro area with around 500 employees. The Ryuk event had brought down all essential operations and manufacturing capabilities. The majority of the client's backups had been online at the start of the attack and were destroyed. The client was actively seeking loans to pay the ransom demand (more than $200,000) and hoping for the best, but ultimately decided to engage Progent.
"I can't say enough about the expertise Progent gave us throughout the most critical period of (our) company's life. We most likely would have paid the cyber criminals except for the confidence the Progent group gave us. The fact that you were able to get our e-mail and production servers back online sooner than five days was beyond my wildest dreams. Every single expert I worked with or e-mailed at Progent was laser focused on getting us back online and was working non-stop on our behalf."
Progent worked with the customer to rapidly identify and prioritize the mission-critical services that had to be recovered in order to resume departmental functions:
- Active Directory (AD)
To begin, Progent followed incident-response best practices by halting the spread and cleaning infected systems. Progent then began recovering Active Directory, the core of enterprise networks built on Microsoft technology. Microsoft Exchange Server messaging will not function without AD, and the customer's MRP software used SQL Server, which depends on Windows AD for authentication to the data.
In less than 48 hours, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then began rebuilding mission-critical applications and recovering their data from disk. All Exchange data and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to gather intact OST data files (Microsoft Outlook Offline Folder Files) from staff PCs in order to recover mail messages. A recent offline backup of the customer's manufacturing systems made it possible to bring these vital services back to users. Although major work remained to recover fully from the Ryuk damage, the most important systems were returned to operation rapidly:
"For the most part, the manufacturing operation survived unscathed and we did not miss any customer sales."
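The OST-gathering step above is worth seeing concretely, because it is what lets mailbox data survive when Exchange itself has to be rebuilt. The following PowerShell is an added example, not Progent's own tooling or anything from the case study: it walks a list of workstations over the C$ admin share, copies every Outlook .ost file it finds to a clean collection share, and writes a manifest with SHA-256 hashes. The hostnames, the share path and the incident cut-off time are placeholders.

```powershell
# Added example (not from the case study): inventory and collect intact Outlook .ost
# files from cleaned workstations so mailbox data can be recovered while Exchange is
# rebuilt. Run it from a clean admin host after the machines have been remediated and
# Outlook is closed (an open OST is locked and will fail to copy).
param(
    [string[]]$Computers = @('WS-001', 'WS-002'),            # assumption: placeholder hostnames
    [string]$CollectionRoot = '\\recovery01\ostcollect',     # assumption: clean, write-once share
    [datetime]$IncidentStart = (Get-Date '2019-01-12 02:00') # assumption: when encryption began
)

$manifest = @()
foreach ($pc in $Computers) {
    if (-not (Test-Connection -ComputerName $pc -Count 1 -Quiet)) {
        Write-Warning "$pc unreachable, skipping"
        continue
    }
    # Cached-mode Outlook keeps its OST under each profile's local AppData.
    $pattern = "\\$pc\C$\Users\*\AppData\Local\Microsoft\Outlook\*.ost"
    foreach ($f in Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue) {
        # Ryuk renames encrypted files with a .RYK suffix, so those already fall outside
        # the *.ost filter; a real .ost rewritten after encryption began is still suspect.
        if ($f.LastWriteTime -ge $IncidentStart) {
            Write-Warning "$($f.FullName) modified after incident start; marking suspect"
            $status = 'suspect'
        } else {
            $status = 'intact'
        }
        # Path splits as '', '', host, 'C$', 'Users', <user>, ... so index 5 is the profile.
        $user = $f.FullName.Split('\')[5]
        $dest = Join-Path $CollectionRoot "$pc\$user\$status"
        New-Item -ItemType Directory -Path $dest -Force | Out-Null
        Copy-Item -Path $f.FullName -Destination $dest -Force
        $manifest += [pscustomobject]@{
            Computer  = $pc
            User      = $user
            File      = $f.Name
            Status    = $status
            SizeMB    = [math]::Round($f.Length / 1MB, 1)
            LastWrite = $f.LastWriteTime
            SHA256    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        }
    }
}
$manifest | Export-Csv -Path (Join-Path $CollectionRoot 'ost-manifest.csv') -NoTypeInformation
$manifest | Format-Table -AutoSize
```

Two caveats a responder should keep in mind: an OST is bound to the mailbox profile that created it, so once Exchange is rebuilt the contents are exported (for example to PST from a reconnected Outlook profile, or with a conversion tool) rather than mounted directly; and the manifest hashes are what let you prove later that the copies used for recovery are the ones taken from the workstations.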
During the following month key milestones in the recovery process were achieved in close collaboration between Progent consultants and the client:
- Self-hosted web applications were returned to operation with no loss of information.
- The MailStore archive of more than 4 million historical Exchange messages was brought online and made accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control modules were fully functional.
- A new Palo Alto Networks PA-850 firewall was deployed.
- Most of the user desktops and notebooks were operational.
"So much of what happened that first week is mostly a blur for me, but my team will not soon forget the commitment each of your team put in to help get our company back. I've been working with Progent for the past ten years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered. This situation was a testament to your capabilities."
A probable business disaster was averted by top-tier professionals, a wide range of technical expertise, and close teamwork. In hindsight, the crypto-ransomware attack described here should have been stopped by up-to-date security tooling, recognized best practices, staff education, appropriate incident-response procedures for data protection, and disciplined patch management. The fact remains, however, that state-sponsored and financially motivated criminal groups are tireless and represent an ongoing threat. If you do get hit by a ransomware attack, remember that Progent's team has substantial experience in ransomware defense, remediation, and data recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thank you for allowing me to get some sleep after we made it over the initial fire. Everyone did an incredible job, and if any of your team is visiting the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)