Ransomware: Your Feared Information Technology Disaster
Ransomware has become a too-frequent cyberplague that poses an enterprise-level threat to businesses poorly prepared for an attack. Ransomware families such as the CrySIS, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been running rampant for years and still cause harm. Newer crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, as well as frequent unnamed malware, not only encrypt on-line files but also infect any reachable system backups. Files replicated to off-site disaster recovery sites can be ransomed as well. In a poorly architected system, this can make any restore operation impossible and effectively knocks the entire environment back to zero.
Recovering applications and data after a ransomware intrusion becomes a race against the clock as the targeted organization fights to stop lateral movement, clear the ransomware, and resume mission-critical operations. Because crypto-ransomware takes time to replicate, attacks are often sprung on weekends and at night, when they may take longer to recognize. This compounds the difficulty of promptly assembling and coordinating a capable mitigation team.
Progent provides a range of support services for protecting Grand Rapids businesses from crypto-ransomware penetrations. Among these are team training to help staff identify and avoid phishing scams, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which uses SentinelOne's behavior-based cyberthreat defense to identify and suppress zero-day modern malware attacks. Progent also offers the assistance of expert ransomware recovery professionals with the track record and perseverance to rebuild a compromised environment as urgently as possible.
Progent's Ransomware Recovery Help
Following a ransomware event, paying the ransom demand in cryptocurrency does not guarantee that the cyber hackers will provide the keys to decrypt all your information. Kaspersky Labs determined that 17% of crypto-ransomware victims never restored their files even after having paid the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far above the typical crypto-ransomware demand, which ZDNET determined to be in the range of $13,000 for small organizations. The other path is to set up the key components of your Information Technology environment from scratch. Without complete data backups, this calls for a wide complement of skill sets, top-notch team management, and the willingness to work continuously until the task is completed.
For twenty years, Progent has offered certified expert IT services for companies throughout the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who hold advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC (see Progent's certifications). Progent also has expertise with financial systems and ERP application software. This breadth of experience gives Progent the ability to quickly determine which systems are necessary, re-organize the remaining pieces of your network environment after a ransomware attack, and assemble them into a functioning network.
Progent's ransomware team of experts uses powerful project management applications to coordinate the complicated restoration process. Progent understands the importance of acting quickly and working together with a client's management and Information Technology staff to prioritize tasks and to put key services back on-line as soon as humanly possible.
Customer Story: A Successful Crypto-Ransomware Incident Recovery
A business engaged Progent after their network was attacked by the Ryuk ransomware virus. Ryuk is believed to have been deployed by North Korean state hackers, suspected of using techniques leaked from the United States NSA organization. Ryuk goes after specific businesses with little tolerance for operational disruption and is one of the most lucrative incarnations of ransomware viruses. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company based in the Chicago metro area with about 500 staff members. The Ryuk event had brought down all business operations and manufacturing processes. The majority of the client's system backups had been directly accessible at the start of the intrusion and were damaged. The client was evaluating paying the ransom demand (in excess of $200K) and hoping for the best, but in the end made the decision to use Progent.
"I can't tell you enough in regards to the expertise Progent provided us during the most stressful time of (our) company's survival. We would have paid the hackers behind this attack if it wasn't for the confidence the Progent team provided us. The fact that you were able to get our e-mail system and important applications back on-line in less than five days was amazing. Every single consultant I worked with or communicated with at Progent was amazingly focused on getting my company operational and was working at all hours on our behalf."
Progent worked together with the client to quickly understand and assign priority to the mission-critical elements that needed to be addressed to make it possible to continue departmental functions:
- Windows Active Directory
- Accounting and Manufacturing Software
To begin, Progent adhered to ransomware incident mitigation best practices by halting the spread and cleaning systems of the malware. Progent then initiated the steps of bringing Windows Active Directory back online, the foundation of enterprise environments built on Microsoft Windows Server technology. Exchange email will not work without AD, and the customer's financials and MRP software used Microsoft SQL Server, which depends on Active Directory services for authentication to the database.
In less than two days, Progent was able to rebuild Active Directory services to their pre-penetration state. Progent then accomplished setup and storage recovery on essential servers. All Microsoft Exchange Server ties and attributes were usable, which facilitated the rebuild of Exchange. Progent was also able to locate intact OST data files (Outlook Off-Line Folder Files) on user PCs and laptops in order to recover mail data. A recent off-line backup of the business's accounting systems made it possible to bring these required services back on-line. Although major work remained to recover completely from the Ryuk attack, critical systems were returned to operation quickly:
"For the most part, the production manufacturing operation ran fairly normal throughout and we made all customer sales."
Over the following few weeks, important milestones in the recovery project were achieved through tight collaboration between Progent engineers and the client:
- Internal web sites were returned to operation without losing any data.
- The MailStore Microsoft Exchange Server with over four million archived emails was spun up and accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control capabilities were 100% recovered.
- A new Palo Alto Networks 850 security appliance was deployed.
- Most of the user desktops and notebooks were operational.
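The recovery sequence above follows the service dependencies of a Windows environment: Active Directory first, then Exchange and SQL Server, then the line-of-business applications that authenticate through them. The planner below is an added example, not Progent's tooling or anything from the case study; it captures the dependencies the text states (Exchange and SQL Server need AD, the accounting/MRP software needs SQL Server) and adds a few assumed edges for the other recovered services, then derives a restore order in which every dependency comes back before its dependents and flags a plan that can never complete because of a circular dependency.

```python
"""Dependency-ordered restoration planner (added example, not from the original page)."""

# Service -> services that must be online before it can be restored.
# Edges marked "case study" come from the text; the rest are assumptions
# made for illustration only.
RECOVERY_DEPENDENCIES = {
    "Active Directory": [],
    "SQL Server": ["Active Directory"],                     # case study
    "Exchange Server": ["Active Directory"],                # case study
    "Accounting/MRP": ["SQL Server"],                       # case study
    "MailStore archive": ["Exchange Server", "Active Directory"],   # assumed
    "Internal web sites": ["Active Directory"],             # assumed
    "User workstations": ["Active Directory", "Exchange Server"],  # assumed
}


def restore_order(deps):
    """Return services in an order where every dependency precedes its dependents.

    Uses Kahn's topological sort with alphabetical tie-breaking so the plan is
    deterministic. Raises ValueError for unknown services or a dependency cycle.
    """
    indegree = {svc: 0 for svc in deps}
    dependents = {svc: [] for svc in deps}
    for svc, needs in deps.items():
        for need in needs:
            if need not in deps:
                raise ValueError(f"{svc} depends on unknown service {need!r}")
            indegree[svc] += 1
            dependents[need].append(svc)

    ready = sorted(svc for svc, n in indegree.items() if n == 0)
    order = []
    while ready:
        svc = ready.pop(0)
        order.append(svc)
        for dep in dependents[svc]:
            indegree[dep] -= 1
            if indegree[dep] == 0:
                ready.append(dep)
                ready.sort()

    if len(order) != len(deps):
        stuck = sorted(svc for svc, n in indegree.items() if n > 0)
        raise ValueError(f"circular dependency among: {stuck}")
    return order


def blocked_by(deps, service):
    """Everything that must be recovered before `service` (transitive closure)."""
    seen, stack = set(), list(deps[service])
    while stack:
        need = stack.pop()
        if need not in seen:
            seen.add(need)
            stack.extend(deps[need])
    return sorted(seen)


if __name__ == "__main__":
    for step, svc in enumerate(restore_order(RECOVERY_DEPENDENCIES), 1):
        print(f"{step}. {svc}  (needs: {', '.join(blocked_by(RECOVERY_DEPENDENCIES, svc)) or 'nothing'})")
```

Running the script lists Active Directory as step one and places Accounting/MRP after SQL Server, matching the order the engagement actually followed; keeping such a map current before an incident is what lets a recovery team start restoring in the right sequence at 2 a.m. instead of rediscovering the dependencies under pressure.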
"A lot of what transpired in the early hours is nearly entirely a fog for me, but I will not forget the urgency each of you accomplished to help get our company back. I've utilized Progent for the past 10 years, maybe more, and each time Progent has come through and delivered. This event was a life saver."
A potential business-extinction catastrophe was averted with dedicated experts, a broad range of technical expertise, and tight collaboration. Although in post-mortem analysis the ransomware incident detailed here could have been identified and blocked with modern cybersecurity systems, recognized best practices, user training, and well-designed procedures for information backup and patching controls, the reality is that government-sponsored hackers from China, North Korea and elsewhere are tireless and remain an ongoing threat. If you do get hit by a ransomware virus, remember that Progent's roster of professionals has extensive experience in crypto-ransomware blocking, remediation, and data recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thanks very much for letting me get rested after we made it over the initial fire. All of you did a fabulous effort, and if anyone that helped is around the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this customer case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Consulting Services in Grand Rapids
For ransomware cleanup consulting in the Grand Rapids metro area, phone Progent at 800-462-8800 or go to Contact Progent.