Ransomware : Your Worst Information Technology Nightmare
Ransomware has become an all-too-frequent cyberplague that presents an existential danger to businesses unprepared for an attack. Multiple generations of ransomware such as the Reveton, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for many years and continue to inflict damage. Newer variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Nephilim, plus a steady stream of as-yet-unnamed newcomers, not only encrypt online information but also corrupt any reachable system restore points and backups. Data synced to cloud environments can likewise be rendered useless. In a vulnerable environment this can make automatic restore operations hopeless and effectively knock the datacenter back to zero.
Getting services and data back online after a crypto-ransomware outage becomes a race against time as the victim struggles to stop the spread, clear the ransomware, and restore enterprise-critical activity. Because ransomware takes time to spread, attacks are often launched on weekends and holidays, when they are likely to go undiscovered for longer. This compounds the difficulty of rapidly assembling and organizing a capable response team.
Progent offers an assortment of support services for protecting Southfield businesses from crypto-ransomware events. Among these are user training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of the latest generation of security appliances with machine learning technology to quickly identify and contain zero-day cyber threats. Progent also offers the assistance of veteran ransomware recovery professionals with the skills and commitment to restore a compromised environment as soon as possible.
Progent's Crypto-Ransomware Restoration Services
Following a ransomware penetration, even paying the ransom demand in cryptocurrency provides no assurance that the cyber criminals will hand over the keys to decrypt all your information. Kaspersky determined that 17% of ransomware victims never recovered their information after paying the ransom, compounding their losses. The gamble is also very costly. Ryuk ransoms often range from 15 to 40 BTC ($120,000 to $400,000). This is well above the average crypto-ransomware demand, which ZDNet estimated to be approximately $13,000 for smaller organizations. The alternative is to rebuild the key parts of your Information Technology environment from scratch. Without access to complete backups, this requires a wide range of skills, top-notch team management, and the willingness to work non-stop until the recovery project is done.
For twenty years, Progent has provided expert IT services for businesses across the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who hold high-level certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with financial systems and ERP software solutions. This breadth of experience gives Progent the capability to quickly understand critical systems, gather the surviving components of your IT environment after a ransomware event, and assemble them into an operational system.
Progent's ransomware group uses top-notch project management tools to orchestrate the complex recovery process. Progent understands the urgency of acting rapidly and in concert with a client's management and Information Technology staff to prioritize tasks and to get the most important systems back online as fast as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Virus Response
A customer engaged Progent after their company was crippled by Ryuk crypto-ransomware. Ryuk is thought to have been launched by North Korean government-sponsored cybercriminals, possibly using techniques leaked from America's National Security Agency. Ryuk targets specific organizations with limited ability to sustain operational disruption and is one of the most profitable strains of crypto-ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing business headquartered in Chicago with around 500 workers. The Ryuk attack had frozen all essential business operations and manufacturing capabilities. Most of the client's backups were online when the attack began and were eventually encrypted. The client was considering paying the ransom demand (in excess of $200K) and hoping for the best, but ultimately called Progent.
"I cannot tell you enough in regards to the help Progent provided us during the most stressful time of (our) business's survival. We may have had to pay the hackers behind this attack except for the confidence the Progent group provided us. That you could get our e-mail and critical servers back on-line quicker than a week was incredible. Every single person I got help from or communicated with at Progent was amazingly focused on getting us operational and was working at all hours on our behalf."
Progent worked with the client to quickly understand and prioritize the essential elements that had to be addressed to make it possible to resume business operations:
- Windows Active Directory
- Electronic Mail
To get going, Progent followed anti-malware incident mitigation best practices by halting lateral movement and cleaning up infected systems. Progent then began bringing Microsoft Active Directory back online, the heart of enterprise networks built on Microsoft Windows Server technology. Exchange messaging will not operate without Windows AD, and the customer's accounting and MRP applications used Microsoft SQL Server, which requires Active Directory services for access to the data.
Within two days, Progent was able to restore Active Directory services to their pre-intrusion state. Progent then performed setup and storage recovery of mission-critical systems. All Microsoft Exchange Server connections and configuration information were still usable, which greatly helped the rebuild of Exchange. Progent was able to locate unencrypted OST files (Outlook Off-Line Data Files) on various workstations and laptops and used them to recover mail data. A fairly recent off-line backup of the business's accounting/ERP systems made it possible to bring these vital applications back to users. Although major work remained to recover completely from the Ryuk attack, the most important services were restored rapidly:
"For the most part, the manufacturing operation never missed a beat and we made all customer shipments."
Throughout the following month key milestones in the restoration project were achieved through close cooperation between Progent engineers and the client:
- In-house web sites were restored with no loss of data.
- The MailStore Server containing more than four million archived emails was spun up and available for users.
- CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control capabilities were fully recovered.
- A new Palo Alto Networks 850 firewall was set up and programmed.
- Nearly all of the user workstations were operational.
"So much of what went on in the initial days is mostly a fog for me, but my management will not soon forget the commitment each of you accomplished to give us our company back. I've utilized Progent for at least 10 years, possibly more, and every time I needed help Progent has impressed me and delivered. This situation was a Herculean accomplishment."
A probable company-ending catastrophe was averted thanks to top-tier professionals, a wide range of technical expertise, and close collaboration. The post-incident analysis showed that the crypto-ransomware penetration described here would have been identified and stopped by modern security technology and recognized best practices, user training, well-thought-out incident response procedures for information protection, and proper patching controls. Even so, the reality remains that state-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and are not going away. If you do get hit by a ransomware penetration, remember that Progent's team of professionals has substantial experience in crypto-ransomware blocking, mitigation, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were helping), thanks very much for making it so I could get some sleep after we got over the initial push. Everyone did an incredible job, and if any of your team is around the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this customer story, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)