Ransomware: Your Crippling IT Nightmare
Ransomware has become a modern cyber pandemic and an existential threat for organizations that are unprepared for an attack. Multiple generations of crypto-ransomware, including the Reveton, CryptoWall, Locky, SamSam and MongoLock families, have been around for years and still cause destruction. More recent variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit and Egregor, plus a steady stream of as yet unnamed strains, not only encrypt online data but also corrupt any system restore points and backups they can reach. Data synchronized to the cloud can be corrupted as well. In a poorly architected environment this can render every restore operation useless and effectively reset the network to zero.
Bringing services and data back online after a crypto-ransomware intrusion becomes a race against time as the targeted organization struggles to contain the damage, clear the ransomware, and restore mission-critical activity. Because ransomware needs time to spread, attacks are frequently launched on weekends and at night, when they are likely to go unnoticed for longer. This compounds the difficulty of quickly assembling and coordinating a knowledgeable mitigation team.
Progent offers a variety of services for protecting Grand Rapids organizations from crypto-ransomware events. These include user training to help staff recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of current-generation security solutions that use artificial intelligence to quickly detect and quarantine zero-day threats. Progent also provides seasoned crypto-ransomware recovery engineers with the skills and perseverance to rebuild a compromised environment as quickly as possible.
Progent's Crypto-Ransomware Recovery Support Services
After a ransomware penetration, paying the ransom demand in Bitcoin provides no assurance that the criminals will hand over the keys to decrypt any or all of your data. Kaspersky determined that 17% of crypto-ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000), far above the typical crypto-ransomware demand, which ZDNET estimated at around $13,000 for small businesses. The alternative is to rebuild the essential components of your IT environment from scratch. Without access to usable data backups, this calls for a broad range of skill sets, professional team management, and the capacity to work 24x7 until the job is done.
For decades, Progent has offered professional IT services to businesses throughout the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants holding high-level certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists hold internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has experience with accounting and ERP application software. This breadth of expertise enables Progent to rapidly understand the systems involved, salvage the surviving parts of your network following a crypto-ransomware penetration, and rebuild them into an operational environment.
Progent's ransomware team of experts utilizes state-of-the-art project management tools to coordinate the complicated recovery process. Progent appreciates the urgency of acting rapidly and in concert with a client's management and IT team members to assign priority to tasks and to put critical services back on-line as soon as possible.
Customer Case Study: A Successful Ransomware Attack Recovery
A customer hired Progent after their network was penetrated by the Ryuk ransomware virus. Ryuk is believed to have been launched by North Korean state hackers, possibly adopting techniques leaked from the U.S. NSA. Ryuk targets specific businesses with little ability to sustain disruption and is among the most lucrative iterations of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing company in the Chicago metro area with around 500 employees. The Ryuk attack had shut down all essential business and manufacturing operations. Most of the client's backups had been online at the start of the intrusion and were destroyed. The client considered paying the ransom demand (in excess of $200,000) and hoping for the best, but ultimately engaged Progent.
"I can't say enough in regards to the expertise Progent provided us during the most fearful period of (our) company's life. We may have had to pay the hackers behind this attack except for the confidence the Progent experts provided us. The fact that you were able to get our messaging and essential applications back on-line faster than a week was incredible. Every single staff member I spoke to or communicated with at Progent was laser focused on getting us restored and was working day and night on our behalf."
Progent worked with the client to quickly identify and prioritize the critical services that had to be recovered in order to continue company operations:
- Active Directory
- Microsoft Exchange messaging
- Financials and MRP applications running on Microsoft SQL Server
To begin, Progent followed ransomware incident response best practices by isolating and cleaning compromised systems. Progent then started recovering Microsoft Active Directory, the foundation of enterprise networks built on Microsoft Windows Server. Microsoft Exchange messaging will not operate without Windows AD, and the client's financials and MRP applications relied on Microsoft SQL Server, which needs Active Directory to authenticate access to the data.
In less than two days, Progent restored Windows Active Directory to its pre-intrusion state. Progent then completed reinstallations and storage recovery on mission-critical systems. All Microsoft Exchange Server data and configuration information were intact, which greatly simplified the Exchange rebuild. Progent collected unencrypted OST files (Microsoft Outlook Offline Data Files) from staff workstations and laptops to recover mail data. A recent offline backup of the customer's accounting/ERP systems made it possible to bring these essential services back online for users. Although major work remained to recover completely from the Ryuk event, the most important services were returned to operation quickly:
"For the most part, the manufacturing operation was never shut down and we made all customer shipments."
Over the next couple of weeks, critical milestones in the restoration were reached through close collaboration between Progent engineers and the client:
- Self-hosted web sites were brought back up with no loss of information.
- The MailStore Server containing more than four million archived emails was brought on-line and available for users.
- CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables/Inventory functions were fully recovered.
- A new Palo Alto Networks 850 firewall was set up.
- Nearly all of the user desktops were operational.
"So much of what was accomplished during the initial response is mostly a haze for me, but our team will not forget the urgency all of the team accomplished to give us our business back. I've utilized Progent for the past ten years, maybe more, and every time I needed help Progent has shined and delivered as promised. This time was no exception but maybe more Herculean."
A likely business-killing disaster was averted by top-tier experts, a wide range of subject matter expertise, and close collaboration. The post-incident forensics showed that the attack detailed here would have been blocked by current security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user education, and well-designed incident response procedures for data protection and software patching. Even so, state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and remain an ongoing threat. If you do fall victim to a ransomware incursion, you can rely on Progent's team of professionals, who have a proven track record in crypto-ransomware blocking, removal, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were involved), thanks very much for making it so I could get some sleep after we got through the initial fire. Everyone did an impressive job, and if any of your team is visiting the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)