Ransomware : Your Feared IT Disaster
Crypto-ransomware has become a modern cyber pandemic that poses an extinction-level danger to organizations poorly prepared for an attack. Older ransomware families such as CrySIS, WannaCry, Locky, Syskey and the MongoLock cryptoworms have been circulating for years and still cause harm. Newer strains such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, along with a steady stream of as-yet-unnamed variants, not only encrypt online data files but also attack any protective systems they can reach, including backups. Data synced to the cloud can be encrypted as well. In a poorly designed environment this renders automated recovery useless and effectively knocks the network back to zero.
Getting online services and data back following a ransomware intrusion becomes a race against time as the victim tries to stop lateral movement, clear the crypto-ransomware, and resume business-critical activity. Because crypto-ransomware takes time to spread, attacks are often sprung at night, when they typically take longer to discover. This multiplies the difficulty of promptly marshalling and organizing a capable mitigation team.
Progent provides a variety of support services for securing Manaus organizations against crypto-ransomware events. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and installation of modern security appliances with AI capabilities to intelligently detect and extinguish zero-day cyber attacks. Progent also provides the assistance of veteran crypto-ransomware recovery professionals with the talent and perseverance to reconstruct a breached network as quickly as possible.
Progent's Ransomware Recovery Support Services
Following a ransomware penetration, paying the ransom in Bitcoin cryptocurrency does not ensure that the cyber criminals will respond with the decryption keys needed to recover any or all of your information. Kaspersky Labs estimated that 17% of ransomware victims never recovered their information after having paid the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC (between $120,000 and $400,000). This is far above the typical ransomware demand, which ZDNET determined to be approximately $13,000 for small businesses. The fallback is to reinstall the critical parts of your IT environment. Absent complete information backups, this requires a wide complement of IT skills, professional project management, and the capability to work 24x7 until the job is finished.
For twenty years, Progent has made available expert IT services for businesses throughout the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have been awarded top certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have earned internationally-renowned industry certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has expertise with financial systems and ERP applications. This breadth of experience affords Progent the ability to efficiently understand necessary systems and integrate the remaining pieces of your computer network environment following a ransomware penetration and assemble them into a functioning system.
Progent's security team of experts utilizes best-of-breed project management systems to orchestrate the sophisticated recovery process. Progent understands the importance of working rapidly and in unison with a customer's management and Information Technology staff to assign priority to tasks and to get the most important systems back online as fast as possible.
Customer Story: A Successful Ransomware Penetration Restoration
A small business contacted Progent after their company was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state hackers, possibly adopting technology leaked from America's National Security Agency. Ryuk goes after specific companies with little ability to sustain disruption and is one of the most profitable versions of ransomware. Major targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing company based in the Chicago metro area with about 500 staff members. The Ryuk event had shut down all business operations and manufacturing capabilities. Most of the client's information backups had been online at the time of the attack and were damaged. The client was taking steps toward paying the ransom (exceeding $200K) and hoping for good luck, but ultimately made the decision to use Progent.
"I cannot thank you enough in regards to the help Progent gave us during the most stressful period of (our) business's survival. We most likely would have paid the cyber criminals if not for the confidence the Progent team gave us. The fact that you were able to get our messaging and important applications back online in less than one week was earth shattering. Each expert I interacted with or e-mailed at Progent was absolutely committed to getting us working again and was working day and night to bail us out."
Progent worked together with the client to rapidly assess and prioritize the critical systems that had to be recovered in order to restart business functions:
- Windows Active Directory
- Accounting and Manufacturing Software
To begin, Progent followed anti-virus incident response best practices by stopping the spread and cleaning up compromised systems. Progent then started the process of rebuilding Windows Active Directory, the key technology of enterprise systems built on Microsoft Windows Server. Microsoft Exchange email will not function without Active Directory, and the customer's accounting and MRP applications used Microsoft SQL Server, which depends on Windows AD for access to the data.
In less than two days, Progent was able to restore Active Directory to its pre-attack state. Progent then charged ahead with reinstallations and hard drive recovery on mission-critical systems. All Exchange Server schema and attributes were usable, which greatly helped the rebuild of Exchange. Progent was able to locate non-encrypted Outlook offline data (OST) files on team workstations to recover mail messages. A relatively recent off-line backup of the client's accounting/MRP software made it possible to bring these essential applications back online for users. Although major work remained to recover completely from the Ryuk attack, essential services were returned to operation rapidly:
"For the most part, the production line operation ran fairly normal throughout and we produced all customer orders."
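The mail recovery step above relied on Outlook OST files that the ransomware had not reached. Before trusting a file by its extension, a responder wants to confirm that the file still carries a valid PST/OST header, because an encrypted file keeps its name but loses its signature. The following script is an added example and is not Progent's own tooling; it assumes that the workstation profile folders have already been copied to a collection share, and it reads the header fields (the "!BDN" signature, the client magic "SM"/"SO", and the version word) at the offsets given in Microsoft's MS-PST file format specification. The sample directory tree it builds is constructed inline for demonstration.

```python
import struct
import tempfile
from pathlib import Path

# Header layout from the MS-PST specification (covers both PST and OST files):
# bytes 0-3 dwMagic, bytes 4-7 dwCRCPartial, bytes 8-9 wMagicClient, bytes 10-11 wVer.
PST_MAGIC = b"!BDN"
CLIENT_MAGIC = {b"SM": "pst", b"SO": "ost"}
HEADER_BYTES = 12


def classify_mail_file(path):
    """Inspect the header of one *.ost/*.pst file.

    A file whose first bytes are not the PST signature has either been
    overwritten (for example by ransomware encryption) or is not a mail store,
    so it is reported as not intact instead of being trusted on its extension.
    """
    path = Path(path)
    with open(path, "rb") as fh:
        head = fh.read(HEADER_BYTES)
    record = {"path": str(path), "size": path.stat().st_size,
              "intact": False, "kind": None, "layout": None}
    if len(head) < HEADER_BYTES or head[:4] != PST_MAGIC:
        return record
    kind = CLIENT_MAGIC.get(head[8:10])
    (wver,) = struct.unpack_from("<H", head, 10)
    if wver in (14, 15):
        layout = "ansi"        # legacy ANSI stores
    elif wver >= 23:
        layout = "unicode"     # Unicode stores used by modern Outlook
    else:
        layout = "unknown"
    record.update(intact=kind is not None, kind=kind, layout=layout)
    return record


def triage_offline_mail_files(root):
    """Walk root recursively and classify every *.ost / *.pst found."""
    results = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in (".ost", ".pst"):
            results.append(classify_mail_file(p))
    return sorted(results, key=lambda r: r["path"])


def recoverable_files(results):
    """Paths worth copying off for mailbox recovery: intact stores only."""
    return [r["path"] for r in results if r["intact"]]


def build_sample_dir():
    """Constructed sample tree (not real data) mimicking copied user profiles."""
    root = Path(tempfile.mkdtemp(prefix="ost_triage_"))
    # Intact Unicode OST: signature, 4-byte CRC placeholder, "SO", wVer 36.
    ost_header = PST_MAGIC + b"\x00" * 4 + b"SO" + struct.pack("<H", 36)
    (root / "alice" / "Outlook").mkdir(parents=True)
    (root / "alice" / "Outlook" / "alice.ost").write_bytes(ost_header + b"\x00" * 500)
    # Intact ANSI PST archive: "SM", wVer 14.
    pst_header = PST_MAGIC + b"\x00" * 4 + b"SM" + struct.pack("<H", 14)
    (root / "bob").mkdir()
    (root / "bob" / "archive.pst").write_bytes(pst_header + b"\x00" * 500)
    # Look-alike that kept its .ost name but whose contents were overwritten.
    (root / "carol").mkdir()
    (root / "carol" / "carol.ost").write_bytes(b"\xde\xad\xbe\xef" * 128)
    # Unrelated file that the walk must ignore.
    (root / "carol" / "notes.txt").write_bytes(b"not a mail store")
    return root


if __name__ == "__main__":
    sample_root = build_sample_dir()
    for rec in triage_offline_mail_files(sample_root):
        status = "INTACT" if rec["intact"] else "SUSPECT"
        print(f"{status:8} {rec['kind'] or '-':4} {rec['layout'] or '-':8} "
              f"{rec['size']:>6}  {rec['path']}")
```

Run it against the root of the collection share instead of the constructed sample tree to get a list of candidate stores to preserve; the header check is deliberately cheap (12 bytes per file) so it scales to hundreds of workstation profiles, and a "SUSPECT" result is the cue to keep the file as evidence rather than feed it to Outlook.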
During the following month important milestones in the recovery process were achieved in tight cooperation between Progent consultants and the client:
- In-house web sites were restored with no loss of data.
- The MailStore email archive for Microsoft Exchange Server, containing more than four million archived messages, was restored to operation and made accessible to users.
- CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivable/Inventory functions were fully recovered.
- A new Palo Alto Networks 850 firewall was installed and configured.
- Nearly all of the desktop computers were back in operation.
"A huge amount of what happened that first week is mostly a fog for me, but we will not soon forget the care each of you put in to give us our company back. I have trusted Progent for the past 10 years, maybe more, and every time I needed help Progent has shined and delivered as promised. This time was no exception but maybe more Herculean."
A probable company-ending catastrophe was averted through the efforts of results-oriented professionals, a broad array of knowledge, and close collaboration. Although in hindsight the crypto-ransomware penetration described here would have been stopped by up-to-date cyber security solutions and best practices, user training, and well designed security procedures for backup and patch management, state-sponsored hackers from Russia, North Korea and elsewhere are relentless and will keep attacking. If you do get hit by a ransomware incursion, remember that Progent's roster of professionals has proven experience in ransomware blocking, remediation, and data recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), I'm grateful for letting me get some sleep after we made it through the first week. All of you did an impressive job, and if anyone is visiting the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)