Ransomware: Your Worst IT Catastrophe
Ransomware has become an escalating cyberplague that poses an existential danger for organizations vulnerable to an assault. Different iterations of crypto-ransomware like the CryptoLocker, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been replicating for years and continue to inflict harm. More recent versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Egregor, along with frequent as-yet-unnamed variants, not only encrypt online data files but also infiltrate every system protection mechanism they can reach. Files synched to off-site disaster recovery sites can also be encrypted. In a poorly architected environment, this renders automatic recovery useless and effectively sets the network back to zero.
Retrieving services and information following a ransomware outage becomes a sprint against the clock as the targeted organization fights to contain the damage, clean up the ransomware, and restore mission-critical operations. Because ransomware takes time to replicate, assaults are usually sprung during weekends and nights, when successful penetrations tend to take longer to uncover. This multiplies the difficulty of rapidly assembling and orchestrating a knowledgeable response team.
Progent offers an assortment of solutions for protecting Grand Rapids organizations from ransomware events. These include team member training to help recognize and avoid phishing scams, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which utilizes SentinelOne's AI-based threat protection to detect and disable zero-day malware attacks. Progent in addition provides the assistance of experienced ransomware recovery engineers with the track record and commitment to reconstruct a compromised network as soon as possible.
Progent's Ransomware Recovery Support Services
Subsequent to a ransomware event, paying the ransom demand in Bitcoin cryptocurrency does not provide any assurance that merciless criminals will return the keys to decrypt any or all of your information. Kaspersky Labs ascertained that 17% of ransomware victims never restored their data even after having paid the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is greatly above the typical crypto-ransomware demand, which ZDNET estimated to be in the range of $13,000 for smaller organizations. The other path is to re-install the key elements of your Information Technology environment. Without complete data backups available, this calls for a wide range of skills, professional project management, and the willingness to work 24x7 until the recovery project is done.
For two decades, Progent has made available professional Information Technology services for companies throughout the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have been awarded advanced certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have earned internationally-renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience with accounting and ERP software solutions. This breadth of experience gives Progent the capability to efficiently understand critical systems and re-organize the surviving components of your Information Technology system following a ransomware attack and assemble them into a functioning system.
Progent's recovery team of experts uses best of breed project management systems to coordinate the sophisticated recovery process. Progent understands the urgency of acting rapidly and together with a customer's management and IT staff to assign priority to tasks and to put the most important applications back on line as soon as possible.
Client Case Study: A Successful Crypto-Ransomware Intrusion Restoration
A customer sought out Progent after their network system was penetrated by the Ryuk crypto-ransomware. Ryuk is thought to have been launched by North Korean state-sponsored hackers, suspected of adopting techniques exposed from the U.S. NSA organization. Ryuk goes after specific companies with limited room for operational disruption and is among the most lucrative instances of ransomware viruses. Well-known victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing business located in Chicago with about 500 workers. The Ryuk penetration had frozen all company operations and manufacturing processes. Most of the client's information backups had been online at the start of the intrusion and were encrypted. The client was pursuing financing for paying the ransom (exceeding $200,000) and praying for the best, but ultimately brought in Progent.
"I cannot thank you enough for the support Progent gave us throughout the most stressful time of (our) company's life. We may have had to pay the Hackers if not for the confidence the Progent group provided us. That you could get our messaging and production applications back faster than one week was earth shattering. Every single expert I interacted with or messaged at Progent was amazingly focused on getting us operational and was working 24/7 on our behalf."
Progent worked with the customer to quickly identify and assign priority to the essential services that had to be addressed in order to resume company functions:
- Active Directory (AD)
- Microsoft Exchange
- Accounting and Manufacturing Software
To start, Progent followed antivirus/malware incident response best practices by stopping the spread and disinfecting systems. Progent then initiated the steps of restoring Microsoft Active Directory, the core of enterprise systems built on Microsoft Windows technology. Microsoft Exchange messaging will not function without Windows AD, and the customer's MRP software used Microsoft SQL Server, which needs Windows AD for access to the information.
In less than two days, Progent was able to restore Active Directory to its pre-attack state. Progent then assisted with setup and hard drive recovery on mission-critical servers. All Microsoft Exchange Server ties and attributes were usable, which greatly helped the rebuild of Exchange. Progent was able to find intact OST files (Outlook Off-Line Data Files) on user PCs in order to recover mail information. A fairly recent offline backup of the business's accounting/MRP software made it possible to bring these vital applications back online for users. Although a lot of work remained to recover fully from the Ryuk attack, critical systems were returned to operation rapidly:
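The recovery sequence described above (contain and disinfect first, then Active Directory, then the services that depend on it) is a dependency-ordering problem, and which systems can be rebuilt from backup depends on whether a copy survived offline. The following script is an added illustration, not Progent's tooling or the customer's inventory: it models services with their dependencies and a backup state, computes a restoration order in which every service comes after what it requires, and flags services whose only backups were online (and therefore encrypted along with production) so an alternate recovery source, such as the OST files used for mail here, must be found. The service names and backup labels are constructed for the example.

```python
"""Dependency-ordered recovery planning after a ransomware incident.

Added illustration, not Progent's tooling. Service names and backup states
are constructed from the case study on this page (AD before Exchange and
SQL Server, SQL Server before the MRP/accounting application); the
'offline'/'online' labels are assumed for illustration.
"""
from collections import deque

# Constructed inventory: service -> (services it depends on, backup state)
#   "offline" = an isolated copy survived the attack
#   "online"  = the only copy was mounted and was encrypted with production
#   "none"    = no backup is known to exist
SERVICES = {
    "active_directory": (set(), "offline"),
    "exchange": ({"active_directory"}, "online"),
    "sql_server": ({"active_directory"}, "offline"),
    "mrp_accounting": ({"sql_server"}, "offline"),
    "intranet_web": ({"active_directory"}, "offline"),
}


def restoration_order(services):
    """Kahn's algorithm: return a list in which each service appears after
    everything it depends on. Ties are broken alphabetically so the output
    is deterministic. Raises ValueError on unknown or circular dependencies."""
    deps = {name: set(d) for name, (d, _) in services.items()}
    for name, d in deps.items():
        unknown = d - deps.keys()
        if unknown:
            raise ValueError(f"{name} depends on unknown service(s): {sorted(unknown)}")
    indegree = {name: len(d) for name, d in deps.items()}
    dependents = {name: set() for name in deps}
    for name, d in deps.items():
        for dep in d:
            dependents[dep].add(name)
    ready = deque(sorted(n for n, k in indegree.items() if k == 0))
    order = []
    while ready:
        current = ready.popleft()
        order.append(current)
        for child in sorted(dependents[current]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(deps):
        raise ValueError("circular dependency among services")
    return order


def recovery_plan(services):
    """Return (order, needs_alternate_source): the restoration sequence and
    the services (in that sequence) that cannot be rebuilt from an offline
    backup and need another recovery source before their turn comes."""
    order = restoration_order(services)
    needs_alternate_source = [n for n in order if services[n][1] != "offline"]
    return order, needs_alternate_source


def plan_is_valid(services):
    """True if a restoration order exists (no cycles, no unknown dependencies)."""
    try:
        restoration_order(services)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    order, at_risk = recovery_plan(SERVICES)
    for step, name in enumerate(order, 1):
        flag = "  <- no offline backup, locate alternate source" if name in at_risk else ""
        print(f"{step}. {name}{flag}")
```

Run with no arguments to print the plan for the constructed inventory. Because the ordering is computed from the dependency graph rather than hand-written, adding a service with its dependencies is enough to place it correctly, and the cycle check catches an inventory that could never be restored in any order.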
"For the most part, the production manufacturing operation survived unscathed and we delivered all customer sales."
Throughout the next month key milestones in the recovery process were completed in close collaboration between Progent engineers and the client:
- In-house web sites were returned to operation with no loss of data.
- The MailStore Exchange Server containing more than 4 million historical messages was brought online and accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory Control modules were fully operational.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- Most of the user desktops and notebooks were back into operation.
"Much of what happened those first few days is mostly a fog for me, but our team will not soon forget the countless hours all of the team put in to give us our company back. I have been working together with Progent for the past ten years, maybe more, and each time Progent has shined and delivered as promised. This situation was the most impressive ever."
A likely business-ending disaster was avoided due to hard-working experts, a broad range of technical expertise, and close collaboration. In hindsight, the ransomware attack detailed here would have been identified and stopped by advanced cyber security solutions and recognized best practices, user and IT administrator training, and appropriate security procedures for data backup and applying software patches. The fact remains, however, that government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and an ongoing threat. If you do fall victim to a crypto-ransomware incident, remember that Progent's team of experts has a proven track record in ransomware virus blocking, remediation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were helping), thanks very much for allowing me to get rested after we got through the most critical parts. Everyone did an amazing effort, and if anyone that helped is around the Chicago area, dinner is the least I can do!"
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Consulting in Grand Rapids
For ransomware system restoration expertise in the Grand Rapids area, phone Progent at 800-462-8800 or go to Contact Progent.