Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become an escalating cyber pandemic that represents an existential danger for businesses of all sizes vulnerable to an assault. Different iterations of ransomware like the Reveton, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been replicating for many years and still cause destruction. More recent versions of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Egregor, plus more unnamed malware, not only encrypt critical online data but also infiltrate all configured system restores and backups. Information synchronized to off-site disaster recovery sites can also be encrypted. With a poorly designed data protection solution, this can render automated restoration useless and effectively knock the network back to zero.
Restoring services and data following a ransomware attack becomes a race against the clock as the victim struggles to stop lateral movement, remove the crypto-ransomware, and resume business-critical operations. Since ransomware needs time to move laterally, assaults are often launched on weekends and at night, when a successful attack may take longer to notice. This multiplies the difficulty of quickly mobilizing and orchestrating an experienced response team.
Progent has an assortment of services for securing Charlotte enterprises from crypto-ransomware attacks. These include user education to help staff recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of modern security solutions with AI technology to quickly discover and disable zero-day threats. Progent can also provide the assistance of experienced ransomware recovery consultants with the track record and perseverance to reconstruct a compromised system as soon as possible.
Progent's Ransomware Restoration Help
After a ransomware penetration, paying the ransom demand in cryptocurrency does not provide any assurance that merciless criminals will provide the codes needed to decipher all your files. Kaspersky ascertained that seventeen percent of ransomware victims never recovered their data after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above the usual ransomware demands, which ZDNET determined to be in the range of $13,000 for smaller organizations. The fallback is to piece back together the key parts of your Information Technology environment. Absent complete system backups, this calls for a wide complement of IT skills, professional team management, and the ability to work 24x7 until the recovery project is complete.
For two decades, Progent has offered certified expert Information Technology services for companies across the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have been awarded top certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have earned internationally-renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience in accounting and ERP applications. This breadth of experience gives Progent the capability to quickly identify critical systems following a ransomware attack, integrate the remaining parts of your computer network, and assemble them into an operational network.
Progent's recovery group uses powerful project management tools to coordinate the complicated restoration process. Progent understands the importance of working rapidly and in unison with a customer's management and IT resources to prioritize tasks and get essential services back online as fast as possible.
Client Case Study: A Successful Ransomware Incident Restoration
A small business escalated to Progent after their network was taken over by the Ryuk ransomware virus. Ryuk is generally considered to have been deployed by North Korean state-sponsored criminal gangs, suspected of adopting technology exposed from the U.S. National Security Agency. Ryuk goes after specific companies with little tolerance for operational disruption and is among the most lucrative iterations of crypto-ransomware. Headline victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business located in the Chicago metro area with about 500 staff members. The Ryuk attack had frozen all essential operations and manufacturing processes. The majority of the client's data backups had been online at the start of the attack and were damaged. The client was evaluating paying the ransom demand (in excess of $200K) and praying for good luck, but ultimately engaged Progent.
"I cannot say enough in regards to the care Progent provided us throughout the most critical time of (our) business's survival. We may have had to pay the cyber criminals if it wasn't for the confidence the Progent experts provided us. The fact that you could get our e-mail system and key applications back in less than 1 week was incredible. Every single person I spoke to or texted at Progent was urgently focused on getting my company operational and was working at all hours on our behalf."
Progent worked with the client to rapidly understand and assign priority to the key applications that had to be restored to make it possible to resume business functions:
- Active Directory
- Microsoft Exchange Email
To start, Progent followed ransomware incident response industry best practices by stopping the spread and cleaning systems of viruses. Progent then started the work of bringing Active Directory back online, the foundation of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange Server email will not operate without Active Directory, and the customer's accounting and MRP applications utilized SQL Server, which depends on Windows AD for authentication to the data.
In less than 48 hours, Progent was able to restore Active Directory services to their pre-intrusion state. Progent then charged ahead with rebuilding and storage recovery of essential applications. All Exchange Server data and configuration information were intact, which facilitated the rebuild of Exchange. Progent was able to locate intact OST files (Outlook Off-Line Data Files) on user desktop computers and laptops in order to recover mail messages. A relatively recent offline backup of the business's financials/MRP software made it possible to bring these vital applications back to users. Although major work still had to be done to recover fully from the Ryuk attack, core systems were restored quickly:
"For the most part, the assembly line operation did not miss a beat and we made all customer deliverables."
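Locating still-intact OST files on user workstations, as described above, is a triage step a recovery team has to repeat across many machines. The script below is an added example, not Progent's tooling or anything from the case study: it inventories .ost files under the profile directories of a list of workstations over their administrative shares and checks whether each file still begins with the "!BDN" signature that Outlook PST/OST files carry at offset 0, so that an untouched cache file can be told apart from one that ransomware has overwritten. The computer names are placeholders, and reachable C$ shares from a clean administrative workstation are assumed. The script only reads file headers and never modifies anything on the target machines.

```powershell
# Added example (not Progent's code). Inventory Outlook OST files on workstations and
# flag the ones whose header still carries the PST/OST signature "!BDN" (0x21 0x42 0x44 0x4E).
# Assumptions: admin shares (C$) are reachable; hostnames below are placeholders.
$Computers = @('WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02')
$Magic     = [byte[]](0x21, 0x42, 0x44, 0x4E)   # ASCII "!BDN"

function Test-OstHeader {
    # Returns $true when the first four bytes of the file match the PST/OST signature.
    # Opened with FileShare.ReadWrite so a cache file still held open by Outlook can be read.
    param([string]$Path)
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $buf = New-Object byte[] 4
        $n = $fs.Read($buf, 0, 4)
        if ($n -lt 4) { return $false }          # too short to be a valid OST
        for ($i = 0; $i -lt 4; $i++) {
            if ($buf[$i] -ne $Magic[$i]) { return $false }
        }
        return $true
    } finally {
        $fs.Dispose()
    }
}

$results = foreach ($c in $Computers) {
    $root = "\\$c\C$\Users"
    if (-not (Test-Path $root)) {
        Write-Warning "Cannot reach $root; skipping $c"
        continue
    }
    # OST files normally live under each profile's AppData\Local\Microsoft\Outlook.
    Get-ChildItem -Path $root -Recurse -Filter '*.ost' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Computer  = $c
                Path      = $_.FullName
                SizeMB    = [math]::Round($_.Length / 1MB, 1)
                LastWrite = $_.LastWriteTime
                Intact    = Test-OstHeader -Path $_.FullName
            }
        }
}

# Keep a record for the recovery plan and show the usable files first.
$results | Sort-Object -Property Intact, SizeMB -Descending |
    Export-Csv -Path .\ost-inventory.csv -NoTypeInformation
$results | Where-Object Intact | Format-Table -AutoSize
```

Two caveats worth keeping in mind: ransomware that renames files it encrypts will not match the `*.ost` filter at all, so an empty result on a machine does not prove the cache was untouched, and an OST is a cache of the mailbox rather than a backup, so the messages it holds only reach back to the last time Outlook synchronized on that machine.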
Over the next month, critical milestones in the recovery process were accomplished in tight cooperation between Progent engineers and the customer:
- Self-hosted web sites were returned to operation without losing any information.
- The MailStore Exchange Server containing more than four million archived emails was restored to operations and available for users.
- CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory capabilities were fully recovered.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- Nearly all of the desktops and laptops were back in use by staff.
"So much of what occurred that first week is nearly entirely a haze for me, but I will not soon forget the countless hours all of you accomplished to help get our company back. I have utilized Progent for the past ten years, possibly more, and every time I needed help Progent has come through and delivered. This event was a testament to your capabilities."
A possible company-ending catastrophe was dodged with results-oriented experts, a wide spectrum of IT skills, and close teamwork. In hindsight, the ransomware incident described here should have been stopped by advanced cyber security systems, NIST Cybersecurity Framework best practices, user and IT administrator training, and properly executed security procedures for information protection and security patching. The reality remains, however, that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and will keep attacking. If you do get hit by a ransomware penetration, you can be confident that Progent's team of professionals has a proven track record in ransomware virus defense, cleanup, and data recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thank you for letting me get some sleep after we got through the most critical parts. All of you did a fabulous effort, and if any of your team is visiting the Chicago area, dinner is the least I can do!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)