Ransomware: Your Worst Information Technology Nightmare
Ransomware has become an escalating cyber plague that represents an extinction-level threat for businesses of all sizes that are poorly prepared for an attack. Multiple generations of ransomware such as the CrySIS, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been out in the wild for years and continue to inflict damage. Newer variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Nephilim, plus daily unnamed newcomers, not only encrypt critical online data but also infiltrate any configured system backups. Information synchronized to the cloud can also be encrypted. In a poorly architected system, this can make automated recovery impossible and effectively sets the entire environment back to zero.
Restoring services and data after a ransomware intrusion becomes a race against time as the targeted business fights to stop lateral movement, clear the virus, and resume mission-critical operations. Because crypto-ransomware takes time to replicate, attacks are often launched during nights and weekends, when penetrations in many cases take longer to uncover. This multiplies the difficulty of promptly assembling and organizing a knowledgeable mitigation team.
Progent offers a variety of services for securing Dayton enterprises against ransomware events. Among these are team member education to help staff recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security appliances with AI technology to intelligently detect and extinguish zero-day cyber threats. Progent also offers the assistance of veteran ransomware recovery consultants with the skills and perseverance to restore a compromised network as urgently as possible.
Progent's Ransomware Restoration Help
Following a ransomware penetration, paying the ransom demand in Bitcoin cryptocurrency provides no assurance that the cyber hackers will return the keys needed to decrypt all your information. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their information even after sending off the ransom, resulting in additional losses. Paying is also very costly. Ryuk ransoms frequently range from 15-40 BTC (between $120,000 and $400,000). This is far higher than the typical crypto-ransomware demand, which ZDNET determined to be approximately $13,000 for smaller organizations. The alternative is to set up the essential components of your Information Technology environment from scratch. Without access to complete backups, this calls for a wide complement of IT skills, top-notch project management, and the capability to work continuously until the task is completed.
For twenty years, Progent has provided expert IT services for businesses across the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have attained advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have earned internationally recognized certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial management and ERP software solutions. This breadth of expertise allows Progent to efficiently determine which systems are necessary, organize the surviving components of your network environment following a ransomware event, and rebuild them into a functioning system.
Progent's recovery team deploys state-of-the-art project management systems to coordinate the complex restoration process. Progent understands the urgency of working quickly and in unison with a customer's management and Information Technology resources to prioritize tasks and put key services back online as fast as humanly possible.
Client Story: A Successful Ransomware Virus Recovery
A small business turned to Progent after its network was penetrated by the Ryuk crypto-ransomware. Ryuk is thought to have been launched by North Korean state hackers, suspected of adopting strategies exposed from the United States National Security Agency. Ryuk goes after specific companies with little tolerance for disruption and is among the most profitable versions of crypto-ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing business headquartered in the Chicago metro area with about 500 workers. The Ryuk penetration had paralyzed all essential operations and manufacturing capabilities. Most of the client's system backups had been directly accessible from the network at the start of the attack and were eventually encrypted. The client was evaluating paying the ransom demand (more than two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.
"I can't tell you enough in regards to the help Progent gave us throughout the most fearful time of (our) company's survival. We most likely would have paid the cyber criminals if it wasn't for the confidence the Progent experts provided us. The fact that you were able to get our messaging and key servers back in less than one week was something I thought impossible. Every single person I spoke to or messaged at Progent was laser focused on getting us back on-line and was working non-stop to bail us out."
Progent worked hand in hand with the client to quickly identify and prioritize the critical systems that had to be recovered in order to resume departmental functions:
- Windows Active Directory
- Microsoft Exchange Server
To start, Progent followed anti-virus incident response best practices by isolating infected systems and removing active viruses. Progent then began restoring Active Directory, the core of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange email will not work without Active Directory, and the business's accounting and MRP applications used Microsoft SQL Server, which requires Active Directory for access to the database.
In less than 2 days, Progent was able to restore Windows Active Directory to its pre-virus state. Progent then helped perform reinstallations and storage recovery of key servers. All Exchange Server schema and configuration information was intact, which accelerated the restoration of Exchange. Progent was also able to collect unencrypted OST files (Outlook Offline Data Files) from user PCs in order to recover email data. A recent offline backup of the customer's financials/ERP systems enabled them to bring these required services back online. Although a large amount of work remained to recover completely from the Ryuk attack, the most important services were restored rapidly:
"For the most part, the assembly line operation did not miss a beat and we made all customer orders."
Throughout the next month, important milestones in the restoration process were completed in close collaboration between Progent team members and the customer:
- Self-hosted web applications were brought back up with no loss of information.
- The MailStore server, holding more than 4 million archived Exchange messages, was brought online and made accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/AR/Inventory Control functions were 100% restored.
- A new Palo Alto 850 firewall was installed and configured.
- 90% of the user PCs were back into operation.
"So much of what happened during the initial response is nearly entirely a fog for me, but I will not forget the urgency all of the team put in to help get our business back. I've been working with Progent for the past ten years, possibly more, and each time Progent has shined and delivered. This time was a Herculean accomplishment."
A probable company-ending disaster was avoided through the efforts of top-tier experts, a broad array of subject matter expertise, and tight teamwork. In post-mortem, the crypto-ransomware attack described here could have been blocked with modern cyber security solutions and NIST Cybersecurity Framework best practices, user education, and properly executed procedures for data backup and keeping systems current with security patches. The reality, however, is that state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware penetration, you can be confident that Progent's team of experts has a proven track record in ransomware blocking, cleanup, and file disaster recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thank you for allowing me to get rested after we made it through the initial fire. Everyone did a fabulous effort, and if anyone is visiting the Chicago area, dinner is the least I can do!"
Download the Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)