Ransomware: Your Worst IT Disaster
Ransomware has become a too-frequent cyberplague that presents an enterprise-level danger for businesses unprepared for an attack. Different versions of ransomware like the CrySIS, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been out in the wild for years and continue to inflict harm. More recent strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, along with as-yet-unnamed newcomers, not only encrypt online data but also infect every backup the compromised system can reach. Data replicated to cloud environments can also be encrypted. With a vulnerable data protection solution, this can render automatic restoration hopeless and essentially sets the network back to square one.
Restoring applications and data after a crypto-ransomware attack becomes a race against time as the targeted organization fights to contain and clean up the crypto-ransomware and to restore mission-critical operations. Because ransomware takes time to move laterally, attacks are often launched at night, when a successful penetration is likely to take longer to detect. This multiplies the difficulty of promptly marshalling and coordinating a knowledgeable mitigation team.
Progent provides a variety of help services for securing Dallas organizations against ransomware events. These include team training to recognize and avoid falling victim to phishing scams, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which uses SentinelOne's AI-based cyberthreat defense to detect and disable zero-day modern malware attacks. Progent in addition provides the services of seasoned crypto-ransomware recovery engineers with the talent and commitment to restore a compromised system as urgently as possible.
Progent's Ransomware Restoration Support Services
After a ransomware penetration, paying the ransom demand in Bitcoin cryptocurrency provides no assurance that the criminal gangs will return the codes needed to decrypt all your data. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their files even after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical crypto-ransomware demand, which ZDNET determined to be around $13,000 for small businesses. The fallback is to re-install the mission-critical elements of your Information Technology environment. Without full data backups available, this requires a broad range of skills, top-notch team management, and the ability to work continuously until the task is complete.
For two decades, Progent has offered certified expert Information Technology services for companies across the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have earned high-level certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have earned internationally renowned industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with accounting and ERP application software. This breadth of expertise gives Progent the capability to rapidly identify critical systems, re-organize the remaining components of your IT environment following a ransomware event, and configure them into an operational network.
Progent's security team uses powerful project management applications to orchestrate the complex recovery process. Progent understands the urgency of working quickly, and together with a customer's management and IT team members, to prioritize tasks and put critical applications back online as soon as possible.
Customer Story: A Successful Ransomware Incident Restoration
A customer engaged Progent after their network was brought down by Ryuk ransomware. Ryuk is thought to have been launched by North Korean government-sponsored cybercriminals, suspected of adopting techniques leaked from the United States NSA. Ryuk seeks out specific companies with limited room for disruption and is one of the most profitable examples of ransomware viruses. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company headquartered in Chicago with around 500 employees. The Ryuk event had frozen all company operations and manufacturing capabilities. The majority of the client's backups had been directly accessible at the start of the attack and were eventually encrypted. The client was actively seeking loans to pay the ransom (more than two hundred thousand dollars) and hoping for good luck, but ultimately engaged Progent.
"I can't say enough in regards to the help Progent gave us during the most stressful time of (our) company's life. We would have paid the criminal gangs except for the confidence the Progent team afforded us. That you could get our e-mail and critical applications back in quicker than 1 week was incredible. Each person I worked with or communicated with at Progent was totally committed to getting my company operational and was working 24 by 7 to bail us out."
Progent worked with the customer to quickly understand and prioritize the critical applications that had to be addressed in order to continue company operations:
- Active Directory (AD)
- Microsoft Exchange Server
To start, Progent followed ransomware penetration mitigation industry best practices by isolating affected systems and performing virus removal steps. Progent then initiated the work of recovering Microsoft Active Directory, the key technology of enterprise networks built on Microsoft technology. Microsoft Exchange email will not work without Active Directory, and the business's financials and MRP applications used Microsoft SQL, which depends on Active Directory services for authentication to the database.
Within 2 days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then initiated reinstallations and hard drive recovery of the most important systems. All Exchange Server ties and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was also able to collect intact OST files (Outlook Offline Folder Files) on team desktop computers and laptops in order to recover mail data. A recent offline backup of the customer's financials/MRP systems made it possible to bring these vital applications back to users. Although major work still had to be done to recover totally from the Ryuk damage, essential services were restored quickly:
"For the most part, the production line operation survived unscathed and we delivered all customer orders."
During the next couple of weeks, important milestones in the recovery process were reached through close collaboration between Progent engineers and the client:
- Internal web sites were brought back up with no loss of data.
- The MailStore Server with over four million archived messages was brought online and accessible to users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivable/Inventory Control capabilities were 100% operational.
- A new Palo Alto 850 firewall was installed.
- 90% of the user desktops and notebooks were operational.
"A huge amount of what occurred that first week is nearly entirely a blur for me, but I will not forget the urgency each and every one of the team put in to help get our company back. I've utilized Progent for the past ten years, possibly more, and each time I needed help Progent has shined and delivered. This event was a stunning achievement."
A possible enterprise-killing catastrophe was averted through the efforts of results-oriented professionals, a wide array of knowledge, and tight collaboration. Although in retrospect the crypto-ransomware incident described here would have been stopped by modern security technology solutions and recognized best practices, user training, and well-designed security procedures for backups and applying software patches, the reality is that government-sponsored cybercriminals from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware incursion, be confident that Progent's roster of experts has extensive experience in ransomware virus defense, remediation, and file restoration.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), I'm grateful for allowing me to get some sleep after we got through the initial fire. All of you did an impressive effort, and if anyone that helped is around the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Expertise in Dallas
For ransomware system restoration services in the Dallas area, phone Progent at 800-462-8800 or go to Contact Progent.