Ransomware: Your Crippling Information Technology Catastrophe
Ransomware has become a modern cyber pandemic that represents an existential threat for businesses of any size that are unprepared for an assault. Multiple generations of ransomware, such as the CrySIS, CryptoWall, Locky, SamSam and MongoLock cryptoworms, have been spreading for years and continue to inflict destruction. More recent variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Nefilim, along with many unnamed strains, not only encrypt critical online data but also attack every available system protection mechanism. Data synced to the cloud can also be rendered useless. In a vulnerable environment, this can make any restore operation impossible and essentially knocks the network back to zero.
Restoring services and data following a ransomware intrusion becomes a race against the clock as the targeted organization tries its best to stop lateral movement, clear the ransomware and resume enterprise-critical operations. Because ransomware needs time to spread, intrusions are usually sprung during nights and weekends, when attacks may take longer to discover. This compounds the difficulty of quickly assembling and coordinating a capable mitigation team.
Progent makes available a variety of services for securing San Mateo organizations against crypto-ransomware intrusions. Among these are team member training to help staff recognize and avoid falling victim to phishing scams, and ProSight Active Security Monitoring, an endpoint detection and response service that utilizes SentinelOne's AI-based cyberthreat defense to detect and extinguish zero-day modern malware assaults. Progent can also provide the services of seasoned crypto-ransomware recovery engineers with the skills and perseverance to re-deploy a breached network as quickly as possible.
Progent's Ransomware Restoration Support Services
Subsequent to a ransomware event, even paying the ransom demand in cryptocurrency provides no assurance that the cyber criminals will supply the keys needed to decrypt any or all of your files. Kaspersky Labs estimated that 17% of ransomware victims never restored their files after having paid the ransom, resulting in further losses. Paying is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is far above the typical ransomware demand, which ZDNET determined to be approximately $13,000 for small organizations. The fallback is to set up the essential parts of your IT environment from scratch. Without access to complete system backups, this requires a broad range of skill sets, top-notch team management, and the ability to work non-stop until the task is done.
For decades, Progent has provided professional Information Technology services for businesses across the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have earned advanced industry certifications in important technologies such as Microsoft, Cisco, VMware, and the major distributions of Linux. Progent's security engineers have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications.) Progent also has experience with financial management and ERP applications. This breadth of expertise allows Progent to rapidly identify the important systems, salvage the remaining parts of your network after a ransomware intrusion, and rebuild them into an operational system.
Progent's ransomware group utilizes powerful project management tools to orchestrate the complicated recovery process. Progent understands the urgency of working swiftly and in concert with a client's management and Information Technology resources to prioritize tasks and to put the most important applications back online as soon as possible.
Business Case Study: A Successful Ransomware Virus Recovery
A business contacted Progent after their company was attacked by the Ryuk crypto-ransomware. Ryuk is generally considered to have been created by North Korean government-sponsored cybercriminals, suspected of adopting techniques leaked from the U.S. National Security Agency. Ryuk targets specific companies with little or no room for operational disruption and is among the most lucrative examples of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer located in Chicago with around 500 staff members. The Ryuk attack had disabled all essential operations and manufacturing capabilities. Most of the client's data backups had been online at the start of the intrusion and were damaged. The client was actively seeking loans to pay the ransom (more than $200K) and hoping for the best, but in the end brought in Progent.
"I can't speak enough about the care Progent provided us during the most stressful time of (our) business's life. We would have paid the hackers behind this attack if not for the confidence the Progent team gave us. That you could get our e-mail and essential servers back online in less than one week was amazing. Every single person I interacted with or communicated with at Progent was hell-bent on getting us restored and was working at breakneck pace on our behalf."
Progent worked hand in hand with the client to quickly assess and prioritize the key elements that needed to be addressed in order to resume departmental functions:
- Active Directory
- Microsoft Exchange Server
To begin, Progent followed incident response best practices by halting lateral movement and disinfecting systems. Progent then began the task of recovering Microsoft Active Directory (AD), the core of enterprise systems built upon Microsoft Windows Server technology. Microsoft Exchange email will not function without Windows AD, and the customer's accounting and MRP system relied on Microsoft SQL Server, which requires Windows AD for access to the data.
In less than 48 hours, Progent was able to rebuild Active Directory to its pre-attack state. Progent then completed reinstallations and hard drive recovery on the needed servers. All Exchange Server data and attributes were usable, which accelerated the rebuild of Exchange. Progent was also able to find intact OST data files (Outlook Offline Folder Files) on various desktop computers and laptops in order to recover mail data. A recent offline backup of the business's manufacturing software made it possible to bring these required applications back online. Although major work remained to recover completely from the Ryuk attack, core services were returned to operation quickly:
"For the most part, the production manufacturing operation did not miss a beat and we produced all customer shipments."
Throughout the following few weeks, key milestones in the restoration project were reached in close collaboration between Progent engineers and the client:
- Self-hosted web applications were restored with no loss of data.
- The MailStore Microsoft Exchange Server containing more than four million historical messages was brought online and accessible to users.
- CRM/Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory functions were fully recovered.
- A new Palo Alto 850 security appliance was set up.
- Ninety percent of the user workstations were functioning as before the incident.
"Much of what went on those first few days is mostly a blur for me, but my team will not soon forget the care all of you put in to give us our company back. I have trusted Progent for at least 10 years, possibly more, and each time I needed help Progent has come through and delivered as promised. This situation was a life saver."
A possible company-ending disaster was avoided by top-tier professionals, a wide range of technical expertise, and tight teamwork. In hindsight, the ransomware incident detailed here could have been detected and prevented with advanced cyber security systems, ISO/IEC 27001 best practices, staff education, appropriate incident response procedures for information protection, and keeping systems up to date with security patches. The fact remains, however, that government-sponsored cybercriminals from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware virus, you can be confident that Progent's roster of experts has extensive experience in ransomware defense, mitigation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for allowing me to get some sleep after we got over the initial fire. Everyone did a fabulous job, and if any of you guys are around the Chicago area, dinner is the least I can do!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click: Progent's Ransomware Incident Recovery Case Study Datasheet (PDF - 282 KB).
Contact Progent for Ransomware System Restoration Consulting Services in San Mateo
For ransomware cleanup consulting services in the San Mateo metro area, phone Progent at 800-462-8800 or go to Contact Progent.