Ransomware: Your Feared Information Technology Disaster
Ransomware has become an all-too-frequent cyber pandemic that presents an extinction-level danger for organizations vulnerable to an attack. Ransomware families such as CrySIS, CryptoWall, Bad Rabbit and MongoLock, along with lock-out schemes that abuse the Windows Syskey utility, have been around for years and still inflict damage. Modern strains such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, Snatch and Nefilim, plus as yet unnamed newcomers appearing daily, not only encrypt online files but also delete volume shadow copies and restore points and encrypt any backups reachable over the network. Information synced to cloud storage can also be rendered useless, because the sync client faithfully uploads the encrypted versions. In a poorly architected data protection solution, this can make any restore operation hopeless and effectively knocks the network back to square one.
Getting applications and data back online after a ransomware intrusion becomes a race against time as the targeted organization tries to contain and clear the ransomware and to restore business-critical operations. Because the operators need time to move laterally and stage the attack, the final encryption is frequently triggered on weekends and holidays, when the intrusion may take longer to recognize and fewer staff are on hand to respond. This compounds the difficulty of quickly marshalling and coordinating a capable response team.
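The destruction of shadow copies and backup catalogs described above happens minutes before encryption starts, and it shows up in process-creation telemetry (Windows Security event 4688 or Sysmon event 1). The detector below is an added example, not code from the original page or from Progent: it parses a simplified, constructed key=value rendering of such events (the format and the sample lines are assumptions), flags the command lines ransomware such as Ryuk uses to remove recovery points, raises severity when they occur on a weekend or overnight as discussed above, and escalates to a single critical alert when a host runs two or more distinct destructive actions within a short window.

```python
import re
from datetime import datetime, timedelta

# Command lines used to destroy local recovery points before encrypting.
# Regexes are matched against the lower-cased command line. Rule names are
# this example's own, not a vendor taxonomy.
DESTRUCTIVE_PATTERNS = {
    "shadow_copy_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"),
    "shadow_copy_resize": re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage\b.*maxsize"),
    "wmic_shadowcopy_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete"),
    "backup_catalog_delete": re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)"),
    "recovery_disabled": re.compile(
        r"bcdedit(\.exe)?\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
}

# Simplified key=value form of a process-creation event. This layout is an
# assumption for the example; real events come from a SIEM or EDR export.
EVENT_RE = re.compile(r'time=(\S+) host=(\S+) user=(\S+) pid=(\d+) cmd="(.*)"')

# Constructed sample: a Saturday 02:13 burst on a file server, followed by
# benign Monday-morning activity (Outlook, and an admin listing shadows).
SAMPLE_LOG = """\
time=2019-12-14T02:13:07 host=FS01 user=CORP\\svc_backup pid=4120 cmd="C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"
time=2019-12-14T02:13:09 host=FS01 user=CORP\\svc_backup pid=4136 cmd="wbadmin delete catalog -quiet"
time=2019-12-14T02:13:11 host=FS01 user=CORP\\svc_backup pid=4150 cmd="bcdedit /set {default} recoveryenabled No"
time=2019-12-16T09:41:22 host=WS17 user=CORP\\jdoe pid=7722 cmd="C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
time=2019-12-16T10:02:55 host=FS01 user=CORP\\backupadmin pid=801 cmd="vssadmin list shadows"
"""


def parse_events(log_text):
    """Parse sample lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts, host, user, pid, cmd = m.groups()
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "user": user, "pid": int(pid), "cmd": cmd})
    return events


def is_off_hours(ts):
    """Weekend, or outside 06:00-20:00: the windows attackers favour."""
    return ts.weekday() >= 5 or ts.hour < 6 or ts.hour >= 20


def classify(cmd):
    """Names of the destructive patterns a command line matches (may be empty)."""
    lowered = cmd.lower()
    return [name for name, pat in DESTRUCTIVE_PATTERNS.items() if pat.search(lowered)]


def scan(log_text, window=timedelta(minutes=10)):
    """Return (findings, alerts).

    findings: one per matching command; severity "high" off-hours, else "medium".
    alerts:   one per host where two or more distinct destructive actions occur
              within `window`, which looks like a pre-encryption sequence rather
              than an administrator tidying up shadow storage.
    """
    findings = []
    for ev in parse_events(log_text):
        for rule in classify(ev["cmd"]):
            findings.append({**ev, "rule": rule,
                             "severity": "high" if is_off_hours(ev["time"]) else "medium"})

    alerts = []
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], []).append(f)
    for host, host_findings in by_host.items():
        host_findings.sort(key=lambda f: f["time"])
        for i, first in enumerate(host_findings):
            rules = {f["rule"] for f in host_findings[i:]
                     if f["time"] - first["time"] <= window}
            if len(rules) >= 2:
                alerts.append({"host": host, "start": first["time"], "user": first["user"],
                               "rules": sorted(rules), "severity": "critical"})
                break  # one alert per host is enough to page someone
    return findings, alerts


if __name__ == "__main__":
    findings, alerts = scan(SAMPLE_LOG)
    for f in findings:
        print(f"{f['time']} {f['host']} {f['user']} {f['severity']:6} {f['rule']}: {f['cmd']}")
    for a in alerts:
        print(f"ALERT {a['severity']} {a['host']} from {a['start']}: {', '.join(a['rules'])}")
```

On the sample, the three Saturday commands each produce a high-severity finding and together produce one critical alert for FS01; the Monday `vssadmin list shadows` is ignored because listing is not destructive. In production the correlation window and the off-hours definition should be tuned to the organization's maintenance schedule, and a critical alert from a file server or backup server is a reason to isolate the host immediately rather than wait for the encryption to be noticed.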
Progent offers an assortment of services for protecting Sandy Springs businesses from ransomware attacks. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of modern security appliances with artificial intelligence technology that automatically identifies and quarantines previously unseen threats. Progent also offers the assistance of expert ransomware recovery engineers with the skills and commitment to rebuild a breached network as quickly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware attack, even paying the ransom in cryptocurrency does not guarantee that the criminals will hand over the keys needed to decrypt your data. Kaspersky found that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly ranged from fifteen to forty BTC (roughly $120,000 to $400,000 at the exchange rates of the time), far above the average ransomware demand, which ZDNet estimated at approximately $13,000 for small businesses. The other path is to rebuild the key parts of your IT environment from scratch. Without complete data backups, this calls for a broad range of IT skills, professional project management, and the capacity to work non-stop until the recovery is finished.
For decades, Progent has provided expert IT services to businesses across the United States and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers with top certifications in leading technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cyber security engineers hold internationally recognized certifications including CISM, CISSP, CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise in financial management and ERP applications. This breadth of experience allows Progent to quickly identify critical systems, reorganize the surviving pieces of your IT environment after a ransomware event, and assemble them into a functioning network.
Progent's security team uses project management tools to orchestrate the complicated recovery process. Progent understands the importance of acting rapidly and of working alongside a client's management and IT staff to prioritize tasks and put essential services back online as fast as possible.
Client Case Study: A Successful Ransomware Incident Response
A small business escalated to Progent after its network was taken over by the Ryuk ransomware. Early analysis tied Ryuk to North Korean actors because it shares code with the Hermes ransomware, but later research attributes it to a Russian-speaking criminal group. Ryuk targets specific businesses with little ability to tolerate operational disruption and is among the most profitable ransomware operations. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer in the Chicago metro area with about 500 employees. The Ryuk intrusion had halted all company operations and manufacturing. Most of the client's backups were online when the attack began and were eventually encrypted too. The client was considering paying the ransom (over $200,000) and hoping for the best, but ultimately reached out to Progent.
"I can't say enough about the support Progent gave us throughout the most fearful period of (our) business's survival. We may have had to pay the cyber criminals if not for the confidence the Progent group afforded us. That you were able to get our e-mail and key servers back on-line in less than seven days was earth shattering. Each expert I spoke to or e-mailed at Progent was totally committed on getting us operational and was working 24/7 to bail us out."
Progent worked hand in hand with the customer to quickly assess and prioritize the most important applications that had to be recovered in order to restart departmental operations:
- Active Directory
- Exchange Server
To start, Progent followed ransomware incident response best practices by stopping the spread and clearing infected systems. Progent then began bringing Microsoft Active Directory back online, since AD is the core of an enterprise built on Windows Server. Exchange messaging will not function without AD, and the customer's MRP software ran on Microsoft SQL Server, which relied on Active Directory to authenticate users before authorizing access to the data.
Within two days, Progent had recovered Active Directory to its pre-intrusion state. Progent then assisted with rebuilding key systems and recovering data from their disks. Exchange's Active Directory objects and configuration information were intact, which greatly simplified rebuilding Exchange. Progent was able to collect local OST files (Microsoft Outlook offline cache files) from various desktop computers to recover mail messages. A recent offline backup of the client's accounting/MRP system made it possible to bring these required applications back online. Although a lot of work still had to be done to recover completely from the Ryuk damage, the most important systems were returned to operation quickly:
"For the most part, the production manufacturing operation showed little impact and we produced all customer deliverables."
Over the next couple of weeks, critical milestones in the restoration were reached through tight collaboration between Progent engineers and the client:
- In-house web sites were brought back up with no loss of data.
- The MailStore mail archive server, holding more than 4 million archived messages, was brought back up and made available to users.
- CRM, product ordering, invoicing, accounts payable, accounts receivable and inventory functions were fully operational.
- A new Palo Alto Networks PA-850 firewall was brought online.
- 90% of user desktops were operational.
"A huge amount of what was accomplished that first week is mostly a blur for me, but my team will not forget the commitment each and every one of your team put in to give us our business back. I have trusted Progent for the past 10 years, possibly more, and each time Progent has outperformed my expectations and delivered. This situation was the most impressive ever."
A probable business-killing catastrophe was averted by dedicated experts, a broad range of IT skills, and close teamwork. Although in retrospect the ransomware intrusion described here would have been prevented by current security technology and recognized best practices (staff training, disciplined patch management, and data protection procedures that keep backup copies offline or otherwise out of the attacker's reach), the reality is that criminal and state-sponsored attackers are relentless and an ongoing threat. If you are hit by a ransomware attack, remember that Progent's team has extensive experience in ransomware defense, cleanup, and disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thank you for allowing me to get some sleep after we made it over the initial fire. Everyone did an amazing effort, and if any of your guys is in the Chicago area, dinner is the least I can do!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Services in Sandy Springs
For ransomware cleanup expertise in the Sandy Springs metro area, phone Progent at 800-462-8800 or go to Contact Progent.