Ransomware : Your Worst Information Technology Catastrophe
Crypto-ransomware has become an all-too-frequent cyber pandemic that presents an existential threat to businesses of any size that are poorly prepared for an attack. Crypto-ransomware families such as CryptoLocker, CryptoWall, Locky, SamSam and the MongoLock cryptoworm have been circulating for years and still inflict harm. Newer strains such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, plus more unnamed malware, not only encrypt online data files but also seek out and corrupt any reachable system restore points and backups. Data synced to cloud environments can also be encrypted. In a poorly designed system, this can render automatic restore operations useless and effectively knock the network back to square one.
Restoring services and data after a crypto-ransomware event becomes a sprint against the clock as the targeted business fights to contain and clean up the malware and to resume business-critical activity. Because ransomware takes time to move laterally, attacks are frequently sprung at night, when successful penetrations often take longer to recognize. This multiplies the difficulty of rapidly mobilizing and orchestrating a capable response team.
Progent makes available an assortment of solutions for protecting Colorado Springs enterprises from crypto-ransomware events. These include staff training to recognize and avoid phishing exploits, and ProSight Active Security Monitoring (ASM) for endpoint detection and response, which uses SentinelOne's AI-based threat protection to identify and suppress zero-day malware attacks. Progent also offers the services of veteran crypto-ransomware recovery consultants with the skills and perseverance to re-deploy a compromised environment as quickly as possible.
Progent's Ransomware Recovery Services
After a ransomware penetration, even paying the ransom in cryptocurrency does not guarantee that merciless criminals will return the keys needed to decrypt any of your data. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is well above the usual crypto-ransomware demand, which ZDNET estimated to be approximately $13,000 for small organizations. The fallback is to re-install the vital elements of your Information Technology environment. Without access to complete information backups, this requires a broad complement of skill sets, professional team management, and the willingness to work 24x7 until the recovery project is done.
For decades, Progent has provided expert IT services to businesses throughout the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who hold high-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists hold internationally recognized industry certifications including CISM, CISSP, CRISC, and SANS GIAC (see Progent's certifications). Progent also has expertise in accounting and ERP applications. This breadth of experience gives Progent the ability to quickly identify critical systems, organize the surviving pieces of your IT environment following a ransomware event, and configure them into a functioning network.
Progent's recovery team uses best-of-breed project management applications to coordinate the complex restoration process. Progent understands the urgency of working swiftly and in unison with a client's management and Information Technology resources to prioritize tasks and to put essential systems back on-line as fast as possible.
Client Case Study: A Successful Ransomware Incident Restoration
A customer escalated to Progent after their organization was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean government-sponsored hackers, possibly using techniques leaked from the U.S. National Security Agency. Ryuk targets specific companies with little or no tolerance for operational disruption and is among the most lucrative examples of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in the Chicago metro area with around 500 employees. The Ryuk attack had frozen all company operations and manufacturing processes. Most of the client's data backups had been online at the start of the attack and were damaged. The client was taking steps to pay the ransom (more than $200,000) and hoping for good luck, but in the end reached out to Progent.
"I can't tell you enough about the help Progent provided us during the most fearful time of (our) business's survival. We may have had to pay the cybercriminals if it wasn't for the confidence the Progent experts afforded us. The fact that you could get our e-mail system and important applications back on-line in less than one week was something I thought impossible. Each person I got help from or texted at Progent was amazingly focused on getting our company operational and was working at all hours on our behalf."
Progent worked with the customer to quickly assess and prioritize the essential services that needed to be recovered to make it possible to continue company functions:
- Microsoft Active Directory
- Electronic Messaging
To start, Progent followed antivirus incident mitigation best practices by halting lateral movement and removing active malware. Progent then began the work of recovering Windows Active Directory, the foundation of enterprise networks built on Microsoft technology. Exchange email will not work without Active Directory, and the customer's financial and MRP applications relied on Microsoft SQL Server, which depends on Active Directory to authenticate and authorize access to the data.
In less than 2 days, Progent was able to rebuild Windows Active Directory to its pre-penetration state. Progent then charged ahead with setup and storage recovery on the needed systems. All Exchange Server links and attributes were intact, which greatly helped the restoration of Exchange. Progent was also able to locate unencrypted OST files (Microsoft Outlook Offline Folder Files) on various desktop computers and used them to recover mail data. A recent offline backup of the customer's accounting/MRP systems made it possible to return these essential applications to users. Although significant work remained to recover fully from the Ryuk attack, essential services were restored rapidly:
"For the most part, the production manufacturing operation did not miss a beat and we produced all customer shipments."
Over the next few weeks, key milestones in the restoration project were achieved through tight collaboration between Progent consultants and the customer:
- Self-hosted web applications were returned to operation with no loss of information.
- The MailStore archive for Microsoft Exchange Server, holding more than four million historical emails, was brought on-line and made accessible to users.
- CRM/Orders/Invoices/AP/AR/Inventory Control functions were 100% operational.
- A new Palo Alto Networks 850 firewall was installed.
- Ninety percent of the user desktops and notebooks were operational.
"So much of what happened those first few days is nearly entirely a fog for me, but I will not forget the dedication all of your team accomplished to help get our company back. I've been working with Progent for the past 10 years, maybe more, and each time Progent has outperformed my expectations and delivered as promised. This event was a Herculean accomplishment."
A likely business-killing catastrophe was avoided through hard-working experts, a broad array of knowledge, and tight teamwork. Although the post-mortem showed that the ransomware penetration described here would have been identified and prevented with advanced security technology and recognized best practices, user and IT administrator education, and well thought out procedures for backups and software patching, the reality is that state-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and an ongoing threat. If you do get hit by crypto-ransomware, remember that Progent's roster of experts has proven experience in ransomware defense, remediation, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for letting me get some sleep after we made it over the initial fire. Everyone did an incredible job, and if anyone that helped is around the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this ransomware incident report, see Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Restoration Expertise in Colorado Springs
For ransomware recovery consulting services in the Colorado Springs metro area, call Progent at 800-462-8800 or see Contact Progent.