Ransomware : Your Worst Information Technology Catastrophe
Crypto-ransomware has become an escalating cyber pandemic that represents an extinction-level threat for businesses vulnerable to an assault. Multiple generations of ransomware such as the CrySIS, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been around for years and continue to cause destruction. More recent crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Egregor, along with frequent unnamed strains, not only encrypt online files but also infiltrate every configured system restore point and backup they can reach. Files replicated to cloud environments can also be rendered useless. In a poorly designed environment this can make automated restoration hopeless and effectively sets the network back to square one.
Bringing programs and data back online after a crypto-ransomware intrusion becomes a race against time as the targeted business struggles to contain the damage, clean up the malware and resume business-critical activity. Because ransomware needs time to move laterally, attacks are often launched at night or on weekends, when they typically take longer to detect. This multiplies the difficulty of promptly assembling and coordinating a capable mitigation team.
Progent offers an assortment of solutions for protecting Charlotte businesses from ransomware penetrations. These include staff training to help employees recognize and avoid phishing attempts, and ProSight Active Security Monitoring, an endpoint detection and response (EDR) service that uses SentinelOne's behavior-based threat protection to detect and neutralize zero-day malware attacks. Progent also provides experienced ransomware recovery consultants with the skills and commitment to rebuild a compromised system as quickly as possible.
Progent's Crypto-Ransomware Recovery Support Services
Following a ransomware attack, even paying the ransom demand in Bitcoin provides no assurance that the remote criminals will supply the keys needed to decrypt any of your data. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their data even after paying the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the usual ransomware demand, which ZDNET determined to be around $13,000 for smaller businesses. The alternative is to piece back together the critical elements of your IT environment. Without access to complete system backups, this requires a wide range of skills, well-coordinated team management, and the ability to work non-stop until the job is done.
For two decades, Progent has offered expert IT services to businesses across the US and has achieved Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold high-level industry certifications in foundation technologies including Microsoft, Cisco, VMware, and major Linux distributions. Progent's cybersecurity specialists hold internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with financial systems and ERP application software. This breadth of experience gives Progent the ability to efficiently identify important systems, consolidate the surviving pieces of your IT environment following a crypto-ransomware attack, and configure them into a functioning system.
Progent's recovery group uses best-of-breed project management tools to orchestrate the complex restoration process. Progent understands the importance of working swiftly and in close coordination with a customer's management and IT staff to prioritize tasks and get essential systems back online as soon as humanly possible.
Case Study: A Successful Crypto-Ransomware Incident Restoration
A client hired Progent after their organization was taken over by the Ryuk crypto-ransomware. Ryuk is generally believed to have been deployed by North Korean state-sponsored cybercriminals, possibly adopting techniques leaked from the United States National Security Agency. Ryuk targets specific businesses with little or no ability to sustain operational disruption and is among the most profitable examples of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing company in the Chicago metro area with about 500 employees. The Ryuk intrusion had disabled all essential business operations and manufacturing capabilities. Most of the client's backups had been directly accessible from the network at the start of the attack and were damaged. The client was preparing to pay the ransom demand (more than two hundred thousand dollars) and hope for the best, but ultimately decided to engage Progent.
"I cannot speak enough in regards to the expertise Progent gave us throughout the most critical time of (our) business's existence. We had little choice but to pay the cybercriminals if not for the confidence the Progent group afforded us. The fact that you could get our e-mail system and important servers back online sooner than one week was incredible. Every single staff member I worked with or texted at Progent was absolutely committed to getting us back online and was working 24/7 on our behalf."
Progent worked together with the client to quickly assess and prioritize the key areas that had to be restored to make it possible to restart departmental operations:
- Microsoft Active Directory
- Accounting and Manufacturing Software
To start, Progent followed industry best practices for ransomware incident mitigation by stopping the spread and disinfecting systems. Progent then began rebuilding Microsoft Active Directory, the core of enterprise environments built on Microsoft technology. Microsoft Exchange messaging will not work without Windows AD, and the customer's MRP applications relied on Microsoft SQL Server, which depends on Windows AD for access to the databases.
In less than 48 hours, Progent restored Windows Active Directory to its pre-intrusion state. Progent then assisted with the setup and storage recovery of the needed systems. All Microsoft Exchange Server schema and attributes were intact, which simplified the restore of Exchange. Progent was able to collect unencrypted OST files (Outlook Offline Data Files) from various PCs and laptops in order to recover mail data. A fairly recent offline backup of the business's accounting/ERP software made it possible to bring these required services back online. Although major work still had to be done to recover fully from the Ryuk attack, critical systems were returned to operation quickly:
"For the most part, the assembly line operation was never shut down and we did not miss any customer sales."
Over the following few weeks, important milestones in the recovery process were achieved through close cooperation between Progent team members and the client:
- Self-hosted web applications were returned to operation without any data loss.
- The MailStore Server, with over 4 million archived messages, was brought online and made available to users.
- CRM, orders, invoicing, accounts payable (AP), accounts receivable (AR) and inventory functions were fully operational.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- Most of the desktops and laptops were operational.
"A lot of what went on that first week is mostly a fog for me, but I will not forget the dedication each of you accomplished to give us our business back. I've been working with Progent for the past ten years, possibly more, and every time Progent has outperformed my expectations and delivered as promised. This event was no exception but maybe more Herculean."
A likely business-extinction disaster was averted thanks to hard-working professionals, a wide array of subject matter expertise, and close teamwork. In retrospect, the ransomware incident described here would have been blocked by modern cybersecurity technology, NIST Cybersecurity Framework best practices, staff training, and well-designed incident response procedures covering data backup and patch management. Nevertheless, state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you are hit by ransomware, remember that Progent's team of professionals has extensive experience in ransomware defense, removal, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thank you for making it so I could get some sleep after we got past the first week. All of you did a fabulous job, and if anyone is around the Chicago area, dinner is the least I can do!"
Download the Ransomware Cleanup Case Study Datasheet
A PDF version of this customer case study is available as Progent's Ryuk Incident Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Restoration Consulting Services in Charlotte
For ransomware recovery consulting in the Charlotte metro area, call Progent at 800-462-8800 or see Contact Progent.