Ransomware: Your Feared Information Technology Catastrophe
Ransomware has become a modern cyber pandemic that presents an enterprise-level danger to organizations unprepared for an attack. Earlier ransomware families and cryptoworms such as CryptoLocker, Fusob, Locky, Syskey and MongoLock have been in the wild for years and still cause destruction. Newer strains such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, plus additional unnamed malware, not only encrypt online data files but also seek out and encrypt every accessible system backup. Files synchronized to cloud environments can be corrupted as well. In a poorly architected environment this can make automated restore operations impossible and effectively knocks the network back to square one.
Recovering services and data after a ransomware outage becomes a race against time as the victim struggles to stop lateral movement, clean up the ransomware and restore mission-critical operations. Because ransomware needs time to spread, attacks are often launched on weekends and holidays, when a successful intrusion is likely to go unnoticed for longer. This multiplies the difficulty of promptly assembling and coordinating an experienced response team.
Progent offers a variety of services for protecting Grand Rapids enterprises from ransomware attacks. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of modern security solutions with machine learning capabilities that can rapidly detect and disable zero-day threats. Progent also offers the assistance of veteran ransomware recovery professionals with the skills and perseverance to rebuild a breached environment as quickly as possible.
Progent's Crypto-Ransomware Recovery Support Services
After a ransomware attack, even paying the ransom in Bitcoin provides no assurance that the attackers will hand over the keys needed to decrypt any of your data. Kaspersky Labs determined that 17% of ransomware victims never recovered their data after paying the ransom, compounding their losses. The ransom itself is also very costly. Ryuk demands often range from 15 to 40 BTC ($120,000 to $400,000), well above the average ransomware demand, which ZDNet estimated at around $13,000 for smaller organizations. The alternative is to piece the vital components of your Information Technology environment back together. Without complete system backups, this requires a wide range of skill sets, professional project management, and the ability to work 24x7 until the job is done.
For two decades, Progent has provided certified expert Information Technology services to businesses throughout the US and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who hold top industry certifications in foundation technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security consultants hold internationally recognized certifications including CISA, CISSP, CRISC, and GIAC (refer to Progent's certifications). Progent also has expertise with financial systems and ERP applications. This breadth of experience lets Progent quickly identify the systems that matter, organize the surviving parts of your network after a ransomware event, and assemble them into a functioning whole.
Progent's ransomware team uses powerful project management tools to coordinate the complex recovery process. Progent understands the importance of working swiftly and in concert with a client's management and Information Technology staff to prioritize tasks and bring critical applications back online as fast as humanly possible.
Customer Case Study: A Successful Ransomware Recovery
A business hired Progent after its operations were brought down by the Ryuk ransomware. Ryuk is generally believed to have been developed by North Korean government-sponsored criminal gangs, suspected of adopting algorithms leaked from the United States NSA. Ryuk targets specific businesses with limited ability to withstand operational disruption and is one of the most profitable ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business in the Chicago metro area with about 500 employees. The Ryuk attack had halted all company operations and manufacturing. Most of the client's system backups had been online at the start of the intrusion and were encrypted. The client considered paying the ransom (over $200K) and hoping for the best, but ultimately decided to engage Progent.
"I can't thank you enough in regards to the expertise Progent gave us during the most stressful time of (our) company's existence. We would have paid the cybercriminals except for the confidence the Progent group gave us. The fact that you were able to get our e-mail and key applications back online quicker than one week was earth shattering. Each person I talked with or e-mailed at Progent was absolutely committed on getting our company operational and was working 24/7 on our behalf."
Progent worked with the client to quickly assess and prioritize the key areas that had to be addressed in order to continue business operations:
- Active Directory
- Exchange Server
To start, Progent followed anti-malware incident mitigation best practices by halting the spread and disinfecting systems. Progent then began restoring Windows Active Directory, the foundation of enterprise systems built on Microsoft Windows. Microsoft Exchange Server email will not operate without AD, and the business's accounting and MRP applications run on Microsoft SQL Server, which relies on Active Directory to authenticate and authorize access to the database.
Within 2 days, Progent had recovered Active Directory to its pre-intrusion state. Progent then pressed ahead with reinstallations and storage recovery on essential systems. All Exchange Server data and configuration information were intact, which greatly simplified the restoration of Exchange. Progent was also able to gather non-encrypted OST files (Outlook Offline Data Files) from staff workstations in order to recover email. A fairly recent offline backup of the business's accounting/MRP systems made it possible to bring these essential applications back online. Although a great deal of work remained to recover fully from the Ryuk attack, critical services were returned to operation quickly:
"For the most part, the production line operation survived unscathed and we made all customer orders."
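Sorting hundreds of workstation OST files into "still readable" and "encrypted" is the tedious part of the email recovery step described above. The following Python script is an added example, not Progent's tooling or code from this case study. It samples the first bytes of each candidate file, tests for the "!BDN" signature that every PST/OST file carries at offset 0 (MS-PST file format), and treats files that lack it but carry a ransomware-style suffix or near-random header bytes as encrypted. The suffixes, entropy threshold and sample files are constructed for the example.

```python
"""Triage Outlook OST/PST data files during ransomware recovery.

Added example, not Progent's tooling. Every PST/OST file starts with the
4-byte signature "!BDN" (MS-PST file format, offset 0). A file that lost
that signature and whose header bytes look like ciphertext was most likely
encrypted by the ransomware; one that still has it is worth trying to open.
Extension names, threshold and sample bytes below are constructed.
"""
import math
from collections import Counter
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

OST_MAGIC = b"!BDN"        # first 4 bytes of every PST/OST file
HEADER_BYTES = 4096        # how much of each file is sampled
ENTROPY_THRESHOLD = 7.5    # bits/byte; ciphertext sits close to 8.0
# Suffixes constructed for this example; real families append many others.
SUSPICIOUS_SUFFIXES = (".ryk", ".locked", ".encrypted")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_ost(header: bytes, name: str = "") -> str:
    """Classify a mailbox file from its leading bytes and file name.

    'intact'    - signature present; attempt to open it in Outlook
    'encrypted' - ransomware-style suffix, or header is near-random
    'unknown'   - no signature but low entropy (zeroed, truncated, not an OST)
    """
    if header.startswith(OST_MAGIC):
        return "intact"
    if name.lower().endswith(SUSPICIOUS_SUFFIXES):
        return "encrypted"
    if shannon_entropy(header[:HEADER_BYTES]) > ENTROPY_THRESHOLD:
        return "encrypted"
    return "unknown"


def triage(files: Iterable[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    """Group (name, header bytes) pairs by classification."""
    report: Dict[str, List[str]] = {"intact": [], "encrypted": [], "unknown": []}
    for name, header in files:
        report[classify_ost(header, name)].append(name)
    return report


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Read the first HEADER_BYTES of each .ost/.pst file under root (read-only)."""
    found: List[Tuple[str, bytes]] = []
    for path in Path(root).rglob("*"):
        suffixes = [s.lower() for s in path.suffixes]
        # "mailbox.ost.ryk" keeps ".ost" in its suffix list, so renamed files are caught too.
        if path.is_file() and any(s in (".ost", ".pst") for s in suffixes):
            with path.open("rb") as fh:
                found.append((str(path), fh.read(HEADER_BYTES)))
    return triage(found)


if __name__ == "__main__":
    # Constructed samples: an intact header, a renamed encrypted file,
    # a file overwritten in place with high-entropy data, and a zeroed file.
    samples = [
        ("alice.ost", OST_MAGIC + b"\x00" * 4092),
        ("bob.ost.ryk", bytes(range(256)) * 16),
        ("carol.ost", bytes(range(256)) * 16),
        ("dave.ost", b"\x00" * 4096),
    ]
    for kind, names in triage(samples).items():
        print(f"{kind}: {names}")
```

Run `scan_directory()` against copies on a forensic image or a read-only share rather than on a host that is still being disinfected. A signature match only shows that the header survived, not that the whole file is usable: families that encrypt files in chunks can leave the first bytes untouched, so confirm each "intact" candidate by opening it in Outlook or a PST recovery tool before relying on it.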
During the following couple of weeks, key milestones in the recovery project were reached in close collaboration between Progent consultants and the customer:
- Self-hosted web applications were restored with no loss of data.
- The MailStore Exchange Server with over 4 million archived messages was restored to operations and accessible to users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory Control functions were 100% recovered.
- A new Palo Alto Networks 850 firewall was installed and configured.
- 90% of the desktop computers were back into operation.
"A huge amount of what went on during the initial response is mostly a fog for me, but I will not soon forget the dedication each and every one of the team accomplished to give us our business back. I have entrusted Progent for at least 10 years, maybe more, and each time Progent has impressed me and delivered. This event was the most impressive ever."
A potentially business-killing catastrophe was averted by top-tier experts, a wide range of technical expertise, and close teamwork. In hindsight, the ransomware incident described here could have been prevented by modern cyber security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and well thought out incident response procedures covering backups and patching controls; the fact remains, however, that government-sponsored hackers from Russia, China and elsewhere are relentless and remain an ongoing threat. If you do fall victim to a crypto-ransomware incident, remember that Progent's roster of professionals has substantial experience in ransomware defense, cleanup, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were involved), thank you for making it so I could get some sleep after we got over the initial fire. All of you did an incredible effort, and if any of your team is around the Chicago area, dinner is the least I can do!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)