Ransomware: Your Worst Information Technology Disaster
Ransomware has become a too-frequent cyberplague that represents an existential danger for organizations poorly prepared for an attack. Versions of ransomware like the CryptoLocker, WannaCry, Locky, Syskey and MongoLock cryptoworms have been replicating for many years and continue to inflict destruction. Modern variants of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Nephilim, plus additional unnamed newcomers, not only encrypt online files but also infiltrate most configured system backups. Files synced to off-site disaster recovery sites can also be rendered useless. In a vulnerable environment, this can make any restoration impossible and basically knocks the entire system back to square one.
Recovering applications and information after a ransomware outage becomes a race against the clock as the targeted business tries its best to stop lateral movement, eradicate the ransomware and restore enterprise-critical operations. Since ransomware takes time to move laterally, assaults are frequently sprung during nights and weekends, when attacks often take longer to notice. This multiplies the difficulty of promptly mobilizing and organizing an experienced response team.
Progent has a variety of solutions for securing Dallas organizations from crypto-ransomware events. Among these are staff education to help identify and not fall victim to phishing scams, and ProSight Active Security Monitoring for endpoint detection and response, which uses SentinelOne's AI-based threat defense to identify and extinguish zero-day modern malware assaults. Progent can also provide the assistance of seasoned ransomware recovery consultants with the skills and perseverance to restore a compromised network as soon as possible.
Progent's Crypto-Ransomware Recovery Support Services
Subsequent to a ransomware attack, paying the ransom in Bitcoin cryptocurrency does not guarantee that merciless criminals will return the keys needed to decrypt all your data. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their files even after having paid the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the typical ransomware demands, which ZDNET estimated to be in the range of $13,000 for small businesses. The fallback is to re-install the key parts of your IT environment. Without the availability of complete data backups, this calls for a wide range of skill sets, top-notch project management, and the ability to work 24x7 until the task is done.
For decades, Progent has provided expert IT services for companies throughout the U.S. and has achieved Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have been awarded high-level certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has expertise in accounting and ERP applications. This breadth of expertise gives Progent the capability to efficiently identify critical systems, integrate the remaining components of your Information Technology environment after a crypto-ransomware attack, and rebuild them into an operational network.
Progent's ransomware team has powerful project management applications to orchestrate the complicated recovery process. Progent understands the importance of working quickly and together with a customer's management and IT team members to prioritize tasks and to put essential applications back online as soon as possible.
Case Study: A Successful Ransomware Incident Response
A client hired Progent after their company was taken over by the Ryuk crypto-ransomware. Ryuk is thought to have been launched by North Korean state-sponsored hackers, suspected of using strategies leaked from the U.S. NSA. Ryuk seeks specific companies with limited room for operational disruption and is among the most profitable instances of crypto-ransomware. Major victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in Chicago with around 500 workers. The Ryuk event had paralyzed all essential operations and manufacturing processes. The majority of the client's data backups had been online at the time of the attack and were encrypted. The client considered paying the ransom (in excess of $200K) and praying for good luck, but ultimately engaged Progent.
"I cannot tell you enough about the care Progent provided us throughout the most critical period of (our) business's existence. We may have had to pay the cyber criminals if it wasn't for the confidence the Progent group gave us. The fact that you were able to get our messaging and important servers back online in less than a week was incredible. Every single consultant I got help from or texted at Progent was amazingly focused on getting us back online and was working 24/7 on our behalf."
Progent worked together with the customer to quickly identify and prioritize the key elements that needed to be restored to make it possible to continue business operations:
- Windows Active Directory
- Microsoft Exchange Email
- MRP System
To get going, Progent followed ransomware incident mitigation industry best practices by halting lateral movement and clearing infected systems. Progent then initiated the task of recovering Windows Active Directory, the core of enterprise networks built upon Microsoft technology. Microsoft Exchange Server email will not operate without Windows AD, and the customer's MRP system utilized Microsoft SQL Server, which relies on Windows AD to authenticate and authorize access to its data.
In less than 48 hours, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then performed reinstallations and storage recovery on critical applications. All Exchange Server links and configuration information were intact, which facilitated the restore of Exchange. Progent was able to locate intact OST files (Microsoft Outlook Offline Data Files) on staff desktop computers and laptops to recover email data. A recent off-line backup of the client's accounting software made it possible to bring these required applications back online. Although a large amount of work remained to recover completely from the Ryuk virus, core systems were recovered quickly:
"For the most part, the assembly line operation never missed a beat and we made all customer deliverables."
During the following couple of weeks, important milestones in the recovery process were reached in tight collaboration between Progent consultants and the client:
- Self-hosted web applications were restored with no loss of information.
- The MailStore Server containing more than 4 million historical emails was brought on-line and available for users.
- CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory modules were completely recovered.
- A new Palo Alto Networks 850 firewall was set up.
- Nearly all of the user PCs were operational.
"So much of what happened those first few days is mostly a fog for me, but my management will not forget the countless hours each of your team accomplished to help get our business back. I've utilized Progent for at least 10 years, maybe more, and each time Progent has shined and delivered. This situation was the most impressive ever."
A potential business-killing catastrophe was dodged through the efforts of results-oriented professionals, a broad spectrum of knowledge, and tight teamwork. In retrospect, the ransomware virus penetration described here should have been blocked with up-to-date security technology, NIST Cybersecurity Framework best practices, user education, and appropriate procedures for backup, software patching and incident response. The fact remains, however, that government-sponsored hackers from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware virus, feel confident that Progent's team of experts has substantial experience in ransomware virus blocking, mitigation, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were helping), I'm grateful for allowing me to get rested after we made it through the initial fire. Everyone made an incredible effort, and if any of your team is visiting the Chicago area, a great meal is on me!"
Download the Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this case study, click: Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware Recovery Expertise in Dallas
For ransomware system recovery consulting in the Dallas metro area, phone Progent at 800-462-8800 or go to Contact Progent.