Ransomware: Your Worst Information Technology Disaster
Ransomware has become an escalating cyber pandemic and an existential threat to organizations that are poorly prepared for an attack. Older families such as Reveton, Fusob, Bad Rabbit, NotPetya and MongoLock have been circulating for years and still cause harm. Newer families such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, as well as frequent unnamed malware, not only encrypt online data files but also seek out and destroy any backups reachable from the compromised network. Data synced to the cloud can be corrupted as well, because the sync client faithfully uploads the encrypted copies. In a poorly architected environment this renders automated recovery useless and effectively knocks the datacenter back to square one.
Recovering applications and data after a ransomware event becomes a race against the clock as the victim fights to contain and clean up the infection while resuming mission-critical operations. Because crypto-ransomware needs time to spread, attacks are frequently launched on weekends or holidays, when they take longer to notice. This makes it much harder to promptly assemble and coordinate a knowledgeable response team.
Progent offers a range of services for protecting Salt Lake City enterprises from crypto-ransomware intrusions. These include staff training to recognize and avoid phishing, and ProSight Active Security Monitoring, an endpoint detection and response (EDR) service built on SentinelOne's AI-based threat defense to identify and contain zero-day malware. Progent can also provide seasoned crypto-ransomware recovery engineers with the skill and perseverance to rebuild a breached environment as quickly as possible.
Progent's Ransomware Restoration Help
Paying the ransom in Bitcoin after a ransomware event provides no assurance that the criminals will supply working keys to decrypt your data. Kaspersky Labs estimated that 17% of ransomware victims who paid never recovered their data, compounding their losses. Paying is also very expensive. Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time), far above the typical crypto-ransomware demand, which ZDNet estimated at around $13,000 for small businesses. The alternative is to rebuild the mission-critical parts of your IT environment. Without access to clean, complete backups, this calls for a broad complement of IT skills, well-coordinated team management, and the ability to work around the clock until the job is finished.
For two decades, Progent has provided professional IT services to businesses across the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who hold top certifications in foundation technologies from Microsoft, Cisco and VMware, and in popular Linux distributions. Progent's cyber security engineers hold internationally recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience with accounting and ERP application software. This breadth of expertise gives Progent the skills to quickly identify the essential systems, consolidate the surviving parts of your environment after a ransomware attack, and assemble them into a functioning network.
Progent's ransomware team uses modern project management tools to orchestrate the complex restoration process. Progent understands the importance of working swiftly and in concert with a customer's management and IT staff to prioritize tasks and get the most important systems back online as fast as possible.
Business Case Study: A Successful Ransomware Incident Response
A business came to Progent after their organization was brought down by the Ryuk crypto-ransomware. Ryuk was initially attributed to North Korean state-sponsored hackers because of its resemblance to the earlier Hermes ransomware; later analysis attributes it to a Russian-speaking criminal group. Ryuk targets specific organizations with little tolerance for operational disruption and is one of the most lucrative ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturer in the Chicago metro area with around 500 employees. The Ryuk intrusion had shut down all company operations and manufacturing processes. Most of the client's backups were directly accessible over the network at the start of the attack and were eventually encrypted along with everything else. The client was considering paying the ransom (more than $200,000) and hoping for the best, but ultimately brought in Progent.
"I can't tell you enough about the care Progent provided us during the most fearful time of (our) company's survival. We would have had little choice but to pay the cybercriminals if not for the confidence the Progent group afforded us. The fact that you could get our e-mail system and important applications back online in less than one week was beyond my wildest dreams. Each consultant I got help from or texted at Progent was urgently focused on getting our company operational and was working all day and night on our behalf."
Progent worked with the client to rapidly identify and prioritize the most important applications that had to be addressed in order to restart business functions:
- Active Directory (AD)
- Microsoft Exchange
- Accounting and Manufacturing Software
To begin, Progent followed industry best practices for malware incident response by containing the spread and performing malware removal. Progent then started rebuilding Active Directory, the heart of any enterprise environment built on Microsoft Windows. Microsoft Exchange Server will not function without Active Directory, and the customer's accounting and MRP applications ran on SQL Server, which relied on Active Directory for authenticating access to the data.
Within 48 hours, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then rebuilt the mission-critical application servers and recovered their storage. All Exchange schema and configuration information was intact, which accelerated the restoration of Exchange. To recover mailbox contents, Progent located intact OST files (Outlook Offline Data Files) on user desktops and laptops that the ransomware had not reached. A recent offline backup of the client's accounting/MRP systems made it possible to bring those essential services back into service. Although significant work remained to recover completely from the Ryuk damage, critical services were restored rapidly:
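The OST recovery step above depends on quickly telling intact mail stores apart from ones the ransomware has already overwritten, across hundreds of endpoints. The following script is an added example, not Progent's tooling or the client's data: it walks a mounted workstation volume, finds every OST/PST candidate, and classifies each one by its file header rather than its name. It assumes the `!BDN` signature that every intact Outlook PST/OST file starts with, and it treats the `.RYK` extension as the ransom marker, which is an assumption based on the extension many Ryuk builds append; the sample directory tree is constructed in a temporary folder for the demo.

```python
"""Locate Outlook OST/PST files under a mounted workstation volume and
separate intact mail stores (usable for mailbox recovery) from ones the
ransomware has overwritten."""
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Union

# Every intact Outlook PST/OST file begins with this 4-byte signature.
PST_MAGIC = b"!BDN"
MAIL_STORE_SUFFIXES = {".ost", ".pst"}
# Assumption for this example: the ".RYK" extension that many Ryuk builds
# append to files they encrypt. Other families use other markers.
RANSOM_SUFFIXES = {".ryk"}


def is_candidate(path: Union[str, Path]) -> bool:
    """True for names like user.ost, archive.pst or user.ost.RYK."""
    return any(s.lower() in MAIL_STORE_SUFFIXES for s in Path(path).suffixes)


def classify(path: Path) -> str:
    """Classify one candidate by its header, not its name.

    'intact'    - header is the PST/OST signature, Outlook can open it
    'encrypted' - renamed with a known ransom extension, header gone
    'corrupt'   - still named .ost/.pst but the header is gone (encrypted in
                  place, truncated, or otherwise unusable)
    """
    try:
        with path.open("rb") as fh:
            head = fh.read(len(PST_MAGIC))
    except OSError:
        return "corrupt"
    if head == PST_MAGIC:
        return "intact"
    if path.suffix.lower() in RANSOM_SUFFIXES:
        return "encrypted"
    return "corrupt"


def triage(root: Path) -> Dict[str, List[Path]]:
    """Walk root and bucket every OST/PST candidate by classify()."""
    report: Dict[str, List[Path]] = {"intact": [], "encrypted": [], "corrupt": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if is_candidate(p):
                report[classify(p)].append(p)
    return report


def build_sample_tree(base: Path) -> Path:
    """Constructed sample data (not real mailboxes): three users' Outlook
    folders plus an unrelated file, under a Windows-style Users tree."""
    junk = b"\xde\xad\xbe\xef" * 16          # stands in for ciphertext
    samples = {
        "alice/AppData/Local/Microsoft/Outlook/alice@example.com.ost": PST_MAGIC + b"\x00" * 64,
        "bob/AppData/Local/Microsoft/Outlook/bob@example.com.ost.RYK": junk,
        "carol/Documents/carol@example.com.pst": junk,
        "alice/Documents/notes.txt": b"not a mail store",
    }
    users = base / "Users"
    for rel, data in samples.items():
        target = users / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return users


def demo() -> Dict[str, List[str]]:
    """Build the sample tree in a scratch directory, triage it and return the
    file names found in each bucket."""
    with tempfile.TemporaryDirectory() as tmp:
        report = triage(build_sample_tree(Path(tmp)))
        return {k: sorted(p.name for p in v) for k, v in report.items()}


if __name__ == "__main__":
    # On a real engagement point triage() at the mounted volume, e.g.
    # triage(Path(r"E:\Users")), and copy only the 'intact' bucket.
    for bucket, names in demo().items():
        print(f"{bucket:9s} {names}")
```

A matching header only proves that the first four bytes survived, not that the whole file did; before importing a recovered OST into a rebuilt mailbox, open it with Outlook or scanpst on an isolated workstation and confirm the mailbox contents are readable.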
"For the most part, the production operation did not miss a beat and we made all customer orders."
During the following month important milestones in the restoration process were accomplished in close cooperation between Progent engineers and the client:
- Self-hosted web sites were brought back up with no loss of data.
- The MailStore archive server for Microsoft Exchange, holding more than four million archived messages, was brought back online and made available to users.
- CRM/Orders/Invoicing/Accounts Payable/AR/Inventory Control functions were completely operational.
- A new Palo Alto Networks PA-850 firewall was installed.
- Most of the desktops and laptops were functioning as before the incident.
"Much of what happened those first few days is nearly entirely a fog for me, but our team will not soon forget the commitment each and every one of your team put in to help get our company back. I have utilized Progent for the past ten years, maybe more, and each time Progent has impressed me and delivered. This situation was the most impressive ever."
A potential business catastrophe was averted through hard-working professionals, a wide array of technical expertise, and tight collaboration. In hindsight, the incident described here could have been detected and stopped with modern endpoint protection, NIST Cybersecurity Framework best practices, staff training, offline or otherwise isolated backups, and disciplined patching. The fact remains, however, that well-funded criminal groups and state-sponsored attackers are relentless and are not going away. If you do fall victim to a ransomware intrusion, remember that Progent's roster of experts has substantial experience in ransomware blocking, remediation, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were contributing), thanks very much for allowing me to get rested after we made it through the initial fire. All of you did an amazing job, and if any of your guys is in the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Services in Salt Lake City
For ransomware cleanup consulting services in the Salt Lake City area, call Progent at 800-462-8800 or see Contact Progent.