Ransomware: Your Crippling Information Technology Disaster
Crypto-ransomware has become an escalating cyber pandemic that poses an existential threat to businesses unprepared for an attack. Ransomware families such as CryptoLocker, WannaCry, Locky, SamSam and the MongoLock cryptoworm have been spreading for years and still cause havoc. More recent variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nefilim, as well as frequent unnamed malware, not only encrypt online data but also go after any configured backup and system protection mechanisms. Data replicated to the cloud can also be corrupted. In a poorly architected environment this can make any restoration impossible and effectively sets the network back to square one.
Recovering programs and data after a ransomware attack becomes a race against the clock as the victim tries to stop the spread, eradicate the ransomware and restore business-critical activity. Because ransomware needs time to move laterally, attacks are often launched on weekends, when intrusions take longer to detect. This multiplies the difficulty of promptly assembling and organizing a capable response team.
Progent provides a range of services for protecting Salem organizations from ransomware attacks. Among these are staff training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and installation of the latest generation of security gateways with machine learning technology to rapidly detect and block new cyber attacks. Progent can also provide seasoned ransomware recovery consultants with the skill and commitment to rebuild a breached environment as urgently as possible.
Progent's Ransomware Restoration Support Services
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that remote criminals will return the keys needed to decrypt any of your data. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their files even after sending the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is far higher than typical ransomware demands, which ZDNET determined to be around $13,000 for small businesses. The other path is to rebuild the key parts of your IT environment. Without usable system backups, this calls for a wide range of skill sets, professional project management, and the willingness to work non-stop until the job is done.
For twenty years, Progent has provided certified expert IT services to companies across the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who hold high-level certifications in leading technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's security engineers hold internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has expertise with accounting and ERP software. This breadth of expertise allows Progent to rapidly understand critical systems, integrate the surviving parts of your IT environment after a crypto-ransomware attack, and configure them into an operational network.
Progent's ransomware team uses state-of-the-art project management systems to coordinate the complex restoration process. Progent understands the importance of acting quickly and in unison with a customer's management and IT staff to prioritize tasks and get critical systems back online as soon as possible.
Case Study: A Successful Ransomware Intrusion Response
A client hired Progent after their organization was attacked by Ryuk crypto-ransomware. Ryuk is believed to have been launched by North Korean state hackers, possibly adopting techniques leaked from America's NSA. Ryuk targets specific businesses with little or no tolerance for operational disruption and is one of the most lucrative ransomware operations. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business in the Chicago metro area with about 500 staff members. The Ryuk intrusion had brought down all business operations and manufacturing capability. Most of the client's data backups had been directly accessible from the network at the start of the attack and were destroyed. The client was considering paying the ransom demand (in excess of $200,000) and hoping for the best, but ultimately decided to engage Progent.
"I cannot thank you enough in regards to the care Progent provided us during the most critical period of (our) business's life. We most likely would have paid the cyber criminals if it wasn't for the confidence the Progent experts afforded us. That you were able to get our e-mail system and critical applications back on-line faster than one week was amazing. Every single staff member I talked with or communicated with at Progent was urgently focused on getting us working again and was working day and night to bail us out."
Progent worked hand in hand with the customer to rapidly identify and prioritize the most critical areas that had to be addressed before business functions could restart:
- Active Directory
- Microsoft Exchange Email
- Accounting and Manufacturing Software
To begin, Progent followed industry best practices for malware incident mitigation by stopping lateral movement and disinfecting systems. Progent then started rebuilding Windows Active Directory, the core technology of enterprise environments built on Microsoft Windows Server. Microsoft Exchange email will not work without Active Directory, and the business's MRP system ran on SQL Server, which requires Active Directory services to authenticate access to the data.
Within two days, Progent was able to restore Active Directory services to their pre-attack state. Progent then rebuilt the required applications and recovered data from their hard drives. All Exchange schema and attributes were intact, which greatly simplified the Exchange rebuild. Progent was also able to collect unencrypted OST files (Outlook Offline Data Files) from user desktops and laptops to recover mail data. A relatively recent offline backup of the business's accounting/ERP software made it possible to bring these essential services back to users. Although significant work remained before the business fully recovered from the Ryuk attack, the most important systems were restored quickly:
"For the most part, the assembly line operation survived unscathed and we made all customer deliverables."
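The rebuild sequence in this case study follows service dependencies: Exchange and SQL Server both need Active Directory, and the MRP system sits on SQL Server. As an added example (not Progent's tooling or the client's configuration), this Python snippet turns those dependencies into a rebuild order and checks a hand-written recovery runbook against them; the MailStore, web-app and workstation edges are assumptions added to round out the graph.

```python
from collections import deque

# Service -> services it must wait for. Constructed from the case study:
# Exchange needs Active Directory; the MRP/ERP system runs on SQL Server,
# which needs Active Directory for authentication. Edges marked
# "assumption" are illustrative additions, not taken from the page.
RECOVERY_DEPENDENCIES = {
    "Active Directory": [],
    "Microsoft Exchange": ["Active Directory"],
    "SQL Server": ["Active Directory"],
    "Accounting/MRP": ["SQL Server"],
    "MailStore archive": ["Microsoft Exchange"],   # assumption
    "Self-hosted web apps": ["Active Directory"],  # assumption
    "User workstations": ["Active Directory"],     # assumption
}

def plan_recovery_order(deps):
    """Kahn's topological sort: each service is listed only after every service it needs."""
    indegree = {svc: 0 for svc in deps}
    dependents = {svc: [] for svc in deps}
    for svc, needs in deps.items():
        for need in needs:
            if need not in deps:
                raise ValueError(f"{svc} depends on unknown service {need!r}")
            indegree[svc] += 1
            dependents[need].append(svc)
    ready = deque(sorted(s for s, d in indegree.items() if d == 0))
    order = []
    while ready:
        svc = ready.popleft()
        order.append(svc)
        for child in sorted(dependents[svc]):  # sorted for a stable, repeatable plan
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(deps):
        raise ValueError("dependency cycle: no valid recovery order exists")
    return order

def check_runbook(order, deps):
    """Return (service, unmet dependency) pairs where a runbook step runs too early."""
    position = {svc: i for i, svc in enumerate(order)}
    violations = []
    for svc in order:
        for need in deps.get(svc, []):
            # A dependency that is missing from the runbook, or scheduled later, is a violation.
            if need not in position or position[need] > position[svc]:
                violations.append((svc, need))
    return violations
```

Running `plan_recovery_order(RECOVERY_DEPENDENCIES)` puts Active Directory first, and `check_runbook` flags a plan that restores Exchange before the directory it authenticates against.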
Over the following couple of weeks, key milestones in the recovery project were completed through close cooperation between Progent engineers and the client:
- Self-hosted web applications were returned to operation without losing any information.
- The MailStore archive server for Microsoft Exchange, containing more than four million archived messages, was brought online and made available to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory functions were 100 percent operational.
- A new Palo Alto 850 security appliance was set up.
- 90% of the user PCs were operational.
"So much of what was accomplished that first week is nearly entirely a haze for me, but our team will not forget the dedication all of your team put in to give us our business back. I have utilized Progent for the past ten years, possibly more, and each time Progent has come through and delivered. This event was a stunning achievement."
A potential business-killing catastrophe was avoided by dedicated experts, a broad spectrum of subject matter expertise, and tight teamwork. Although in the post-mortem the ransomware incident described here would have been stopped by modern cyber security technology, NIST Cybersecurity Framework best practices, staff training, and well-designed incident response procedures for backups and software patching, the reality remains that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and an ongoing threat. If you are hit by a crypto-ransomware attack, remember that Progent's team of professionals has proven experience in ransomware defense, mitigation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for letting me get some sleep after we made it through the most critical parts. Everyone did an impressive effort, and if any of your guys is visiting the Chicago area, a great meal is on me!"
Download the Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)