Ransomware: Your Crippling IT Disaster
Ransomware has become an all-too-frequent cyber pandemic and an existential danger for businesses of any size that are exposed to attack. Multiple generations of ransomware, including Reveton, WannaCry, Locky, SamSam and MongoLock, have been around for years and continue to inflict damage. More recent crypto-ransomware families such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Egregor, plus as-yet-unnamed newcomers, not only encrypt critical online data but also seek out and destroy every backup they can reach over the network. Data replicated to off-site disaster recovery sites can be encrypted as well if the replica is reachable from the compromised environment. In a poorly architected system this renders recovery impossible and effectively knocks the entire environment back to zero.
Getting programs and data back online after a ransomware outage becomes a race against the clock as the victim fights to contain the damage, eradicate the ransomware and resume mission-critical operations. Because spreading through a network and encrypting it takes time, attackers often trigger the encryption on weekends, when successful attacks take longer to notice. This multiplies the difficulty of rapidly mobilizing and coordinating an experienced response team.
Progent offers a range of services for protecting Southfield enterprises against ransomware attacks. These include staff training to help users recognize and avoid phishing attempts, and ProSight Active Security Monitoring, an endpoint detection and response (EDR) service built on SentinelOne's behavior-based threat defense to identify and contain zero-day malware attacks. Progent also offers the services of veteran ransomware recovery consultants with the skills and perseverance to get a breached network back into production as soon as possible.
Progent's Ransomware Recovery Help
After a crypto-ransomware attack, paying the ransom in cryptocurrency does not ensure that the criminals will respond with the keys needed to decrypt all your files. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time). This is far above the typical ransomware demand, which ZDNet estimated to be around $13,000 for smaller organizations. The alternative is to rebuild the critical elements of your IT environment. Without access to complete backups, this calls for a wide range of IT skills, professional project management, and the willingness to work 24x7 until the recovery is complete.
For two decades, Progent has provided expert IT services for businesses throughout the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who hold high-level certifications in key technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's security consultants hold internationally recognized certifications including CISM, CISSP, ISACA CRISC and GIAC (see Progent's certifications). Progent also has expertise with accounting and ERP applications. This breadth of experience lets Progent rapidly identify the critical systems, salvage the surviving parts of your network after a ransomware intrusion, and reassemble them into a working environment.
Progent's recovery team uses best-of-breed project management tools to coordinate the complex restoration process. Progent understands the importance of acting quickly and working alongside the client's management and IT staff to prioritize tasks and get essential services back online as soon as possible.
Business Case Study: A Successful Crypto-Ransomware Penetration Recovery
A business escalated to Progent after its network was taken over by the Ryuk crypto-ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because of code it shares with the earlier Hermes ransomware, although later analysis ties it to a Russian-speaking criminal group; its operators are also thought to have adopted techniques from tooling leaked from the US NSA. Ryuk targets organizations with little tolerance for operational disruption and is among the most profitable ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing company based in Chicago with around 500 employees. The Ryuk intrusion had halted all business operations and manufacturing processes. Most of the client's backups were online and reachable from the compromised network when the attack began, and were destroyed. The client considered paying the ransom (in excess of $200K) and hoping for the best, but ultimately reached out to Progent.
"I can't thank you enough for the expertise Progent provided us throughout the most fearful period of (our) company's survival. We may have had to pay the hackers if not for the confidence the Progent team gave us. The fact that you could get our messaging and key servers back into operation in less than one week was earth-shattering. Every single person I worked with or texted at Progent was totally committed to getting us back online and was working day and night to bail us out."
Progent worked with the customer to quickly assess and prioritize the key elements that had to be recovered for company operations to continue:
- Windows Active Directory
- Email
- Accounting and Manufacturing Software
First, Progent followed ransomware incident response best practices by isolating affected systems to halt the spread and cleaning them of malware. Progent then began restoring Active Directory, the foundation of any enterprise environment built on Windows Server. Microsoft Exchange will not operate without Active Directory, and the business's financial and MRP software ran on Microsoft SQL Server, which relied on Active Directory for authentication.
Within two days, Progent had rebuilt Active Directory to its pre-attack state. Progent then began reinstalling and recovering data for the mission-critical applications. The Exchange Server data and attributes were intact, which simplified the Exchange restore. Progent was also able to locate intact OST files (Outlook Offline Folder Files) on staff workstations and recover email messages from them. A reasonably recent offline backup of the customer's financial/ERP system made it possible to bring those essential applications back online. Although significant work remained before the recovery from Ryuk was complete, critical systems were restored rapidly:
"For the most part, the production operation showed little impact and we did not miss any customer deliverables."
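The OST recovery step described above is worth making concrete. The PowerShell script below is an added example, not Progent's tooling and not code from the case study: it sweeps a list of workstations for Outlook OST files and reports which ones still begin with the PST/OST file signature "!BDN", a quick way to separate intact offline caches from files the ransomware has overwritten. The host names, the incident start time, and the assumption that PowerShell Remoting is enabled and the operator has local admin rights on the workstations are placeholders for the real environment.

```powershell
# Added example (not Progent's tooling): locate Outlook OST files on a list of
# workstations and flag the ones whose header still reads "!BDN", i.e. that are
# plausibly intact rather than encrypted by the ransomware.
# Assumptions (not from the case study): PowerShell Remoting is enabled, the
# account running this is a local admin on the workstations, and the host names
# and incident start time below are replaced with real values.

$Workstations  = @('WS-001', 'WS-002')          # hypothetical host names
$IncidentStart = Get-Date '2019-01-05 02:00'    # hypothetical encryption start

$scan = {
    param($since)
    $pattern = 'C:\Users\*\AppData\Local\Microsoft\Outlook\*.ost'
    Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue | ForEach-Object {
        # Read only the first 4 bytes. An intact PST/OST starts with "!BDN";
        # a file the ransomware rewrote will not. Share ReadWrite so an OST
        # that Outlook still has open can be read as well.
        $fs = [System.IO.File]::Open($_.FullName, 'Open', 'Read', 'ReadWrite')
        try {
            $hdr = New-Object byte[] 4
            $n   = $fs.Read($hdr, 0, 4)
        } finally {
            $fs.Close()
        }
        $magic = if ($n -eq 4) { [System.Text.Encoding]::ASCII.GetString($hdr) } else { '' }
        [PSCustomObject]@{
            Computer     = $env:COMPUTERNAME
            Path         = $_.FullName
            SizeMB       = [math]::Round($_.Length / 1MB, 1)
            LastWrite    = $_.LastWriteTime
            HeaderOK     = ($magic -eq '!BDN')
            WrittenAfter = ($_.LastWriteTime -gt $since)   # touched during/after the incident
        }
    }
}

$results = Invoke-Command -ComputerName $Workstations -ScriptBlock $scan `
    -ArgumentList $IncidentStart -ErrorAction Continue

# Review everything; intact header plus a last-write time before the incident
# is the best candidate, an intact header with a later write time deserves a
# closer look before it is trusted.
$results | Sort-Object Computer, Path |
    Format-Table Computer, Path, SizeMB, LastWrite, HeaderOK, WrittenAfter -AutoSize

# Keep a list of the intact files for the mailbox recovery work.
$results | Where-Object { $_.HeaderOK } |
    Export-Csv -Path .\intact-ost-files.csv -NoTypeInformation
```

Copy the candidate files off the workstation before doing anything else with them, because Outlook rewrites its OST while it is running. An orphaned OST is also tied to the mailbox profile it was created for and cannot simply be opened in Outlook; getting mail out of it means either rebuilding that profile against a restored mailbox or exporting the OST to a PST with a conversion tool.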
Over the following few weeks, key milestones in the restoration process were reached in close collaboration between Progent team members and the client:
- In-house web applications were returned to operation without loss of data.
- The MailStore Server archive, holding more than four million historical emails, was brought back online and made available to users.
- The CRM, customer orders, invoicing, accounts payable, accounts receivable and inventory control modules were completely recovered.
- A new Palo Alto Networks PA-850 firewall was installed.
- Ninety percent of the user workstations were fully operational.
"Much of what happened during the initial response is nearly entirely a haze for me, but we will not forget the care each and every one of your team took to help get our company back. I have trusted Progent for the past 10 years, possibly more, and every time Progent has impressed me and delivered. This time was no exception but maybe more Herculean."
A potentially business-killing catastrophe was averted through dedicated professionals, a broad array of IT skills, and close teamwork. In hindsight, the ransomware intrusion described here should have been identified and stopped by modern security systems, NIST Cybersecurity Framework best practices, user and IT administrator training, sound incident response procedures for data protection, and proper patch management. The reality, however, is that criminal cyber gangs, many of them state-sponsored, operating from Russia, China and elsewhere are relentless and will keep attacking. If you are hit by a ransomware incident, you can be confident that Progent's roster of professionals has proven experience in ransomware defense, mitigation and systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who contributed), thank you for making it so I could get some rest after we made it over the initial fire. Everyone made an impressive effort, and if any of your guys is visiting the Chicago area, a great meal is my treat!"
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Consulting in Southfield
For ransomware system restoration consulting services in the Southfield area, call Progent at 800-462-8800 or go to Contact Progent.