Ransomware : Your Worst Information Technology Nightmare
Ransomware has become a modern cyberplague that represents an extinction-level danger for organizations poorly prepared for an attack. Different iterations of crypto-ransomware like the CryptoLocker, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been circulating for a long time and continue to cause havoc. Modern versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit and Nephilim, plus others as yet unnamed, not only encrypt on-line files but also seek out and destroy all reachable system restore points and backups. Information synced to the cloud can also be encrypted. In a vulnerable system, this can render automatic restoration useless and effectively knock the datacenter back to zero.
Restoring applications and data following a crypto-ransomware intrusion becomes a sprint against the clock as the targeted organization tries its best to stop the spread, eradicate the virus, and resume business-critical activity. Because ransomware takes time to replicate, penetrations are often sprung on weekends, when attacks may take longer to notice. This compounds the difficulty of promptly mobilizing and coordinating a knowledgeable mitigation team.
Progent provides a variety of services for protecting Grand Rapids organizations from ransomware attacks. These include staff education to become familiar with and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with installation of modern security gateways with machine learning capabilities to rapidly identify and suppress new cyber attacks. Progent in addition can provide the services of experienced crypto-ransomware recovery consultants with the track record and perseverance to reconstruct a breached system as rapidly as possible.
Progent's Crypto-Ransomware Recovery Services
After a ransomware penetration, paying the ransom in cryptocurrency does not ensure that the criminals will return the keys needed to decrypt any of your data. Kaspersky Labs ascertained that seventeen percent of ransomware victims never recovered their data after having sent off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the average ransomware demand, which ZDNET estimated to be approximately $13,000 for smaller organizations. The alternative is to piece back together the essential components of your IT environment. Without full data backups available, this requires a wide complement of skill sets, top-notch project management, and the capability to work continuously until the recovery project is completed.
For two decades, Progent has offered expert IT services for businesses across the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have been awarded high-level certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have garnered internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience in financial management and ERP software solutions. This breadth of expertise gives Progent the capability to understand important systems, consolidate the remaining parts of your network environment after a crypto-ransomware attack, and configure them into an operational system.
Progent's ransomware team has state-of-the-art project management tools to coordinate the complicated recovery process. Progent knows the urgency of working swiftly and together with a customer's management and Information Technology resources to prioritize tasks and to get critical systems back on-line as soon as humanly possible.
Client Case Study: A Successful Ransomware Incident Response
A client escalated to Progent after their organization was penetrated by the Ryuk ransomware virus. Ryuk is thought to have been deployed by North Korean government-sponsored cybercriminals, possibly adopting technology exposed from the U.S. National Security Agency. Ryuk attacks specific organizations with limited ability to sustain operational disruption and is among the most profitable instances of ransomware malware. Highly publicized victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in the Chicago metro area with around 500 staff members. The Ryuk intrusion had shut down all business operations and manufacturing processes. The majority of the client's system backups had been on-line at the beginning of the attack and were destroyed. The client considered paying the ransom (more than $200K) and praying for the best, but ultimately reached out to Progent.
"I can't tell you enough in regards to the help Progent provided us throughout the most critical time of (our) business's existence. We would have paid the cyber criminals behind the attack except for the confidence the Progent experts gave us. The fact that you could get our messaging and important applications back online in under 1 week was amazing. Each expert I interacted with or e-mailed at Progent was laser focused on getting us operational and was working day and night to bail us out."
Progent worked hand in hand with the client to quickly identify and prioritize the critical services that had to be restored first so that company functions could continue:
- Windows Active Directory
- Microsoft Exchange Email
To start, Progent adhered to industry best practices for malware incident response by halting the spread and removing active viruses. Progent then initiated the process of rebuilding Windows Active Directory, the heart of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange messaging will not operate without Active Directory, and the customer's MRP software relied on Microsoft SQL, which depends on Active Directory services for access to the databases.
Within 48 hours, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then initiated reinstallations and hard drive recovery on mission-critical servers. All Microsoft Exchange Server schema and attributes were intact, which facilitated the restore of Exchange. Progent was able to locate intact OST files (Outlook Offline Folder Files) on staff desktop computers to recover email data. A relatively recent offline backup of the business's financials/MRP software made it possible to bring these required services back on-line. Although significant work remained to recover completely from the Ryuk damage, critical services were restored rapidly:
"For the most part, the manufacturing operation survived unscathed and we delivered all customer deliverables."
During the next month, critical milestones in the recovery project were completed through close collaboration between Progent team members and the client:
- Self-hosted web applications were restored without losing any information.
- The MailStore Exchange Server containing more than four million historical emails was restored to operation and made available to users.
- CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory modules were 100 percent restored.
- A new Palo Alto 850 security appliance was set up.
- 90% of the user workstations were operational.
"A lot of what happened that first week is nearly entirely a fog for me, but we will not forget the commitment each of the team put in to give us our business back. I've trusted Progent for the past 10 years, possibly more, and each time I needed help Progent has shined and delivered. This situation was a Herculean accomplishment."
A possible business-ending disaster was avoided through hard-working experts, a broad array of technical expertise, and tight collaboration. In retrospect, the crypto-ransomware attack detailed here should have been identified and stopped by advanced security technology, security best practices, team education, appropriate incident response procedures for information protection, and proper patching controls. The reality, however, is that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and will keep attacking. If you do fall victim to a ransomware incursion, feel confident that Progent's roster of professionals has extensive experience in crypto-ransomware virus blocking, mitigation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were involved), I'm grateful for allowing me to get some sleep after we made it over the initial push. All of you made an incredible effort, and if any of you guys are around the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)