Ransomware : Your Crippling Information Technology Nightmare
Ransomware has become a modern cyber pandemic that presents an enterprise-level danger for businesses of all sizes poorly prepared for an assault. Different iterations of crypto-ransomware such as CryptoLocker, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been around for a long time and still cause havoc. More recent variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit and Nephilim, along with daily as yet unnamed newcomers, not only encrypt on-line information but also infect most configured system backups. Files synchronized to off-site disaster recovery sites can also be corrupted. In a poorly designed data protection solution, this can make any restore operations useless and basically knocks the entire system back to zero.
Retrieving applications and data following a ransomware event becomes a sprint against the clock as the victim struggles to contain and remove the ransomware and to resume enterprise-critical activity. Since ransomware needs time to spread, attacks are frequently sprung on weekends and holidays, when attacks may take longer to uncover. This multiplies the difficulty of promptly assembling and coordinating a knowledgeable response team.
Progent makes available an assortment of support services for protecting Dayton businesses from ransomware attacks. Among these are user education to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of the latest generation security gateways with machine learning capabilities to quickly detect and suppress zero-day cyber threats. Progent also offers the services of veteran ransomware recovery engineers with the skills and commitment to reconstruct a compromised environment as rapidly as possible.
Progent's Crypto-Ransomware Recovery Services
After a ransomware attack, even paying the ransom demand in cryptocurrency does not guarantee that the criminal gang will hand over the keys needed to decrypt any of your information. Kaspersky Labs found that 17% of ransomware victims never recovered their information even after paying the ransom, compounding their losses. The ransom itself is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET estimated to be around $13,000 for smaller organizations. The alternative is to rebuild the vital components of your Information Technology environment. Without access to essential data backups, this requires a broad range of skill sets, professional project management, and the ability to work continuously until the recovery project is finished.
For twenty years, Progent has provided expert IT services for businesses throughout the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have been awarded advanced certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have earned internationally recognized certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience in financial systems and ERP software solutions. This breadth of experience allows Progent to rapidly understand the necessary systems, consolidate the remaining pieces of your computer network after a ransomware attack, and rebuild them into an operational network.
Progent's security team of experts has state-of-the-art project management tools to orchestrate the sophisticated restoration process. Progent appreciates the importance of working swiftly and together with a client's management and IT team members to assign priority to tasks and to get the most important systems back on line as fast as humanly possible.
Case Study: A Successful Ransomware Attack Restoration
A business sought out Progent after their network was brought down by Ryuk ransomware. Ryuk is thought to have been created by North Korean government-sponsored criminal gangs, possibly adopting technology leaked from the U.S. National Security Agency. Ryuk targets specific businesses with little ability to sustain disruption and is among the most profitable iterations of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business located in Chicago with around 500 staff members. The Ryuk penetration had brought down all business operations and manufacturing capabilities. The majority of the client's backups had been directly accessible at the beginning of the attack and were eventually encrypted. The client was pursuing financing to pay the ransom (exceeding $200K) and hoping for the best, but in the end engaged Progent.
"I cannot tell you enough in regards to the care Progent gave us throughout the most fearful period of (our) business's survival. We most likely would have paid the cyber criminals if it wasn't for the confidence the Progent team afforded us. The fact that you were able to get our messaging and essential applications back quicker than one week was something I thought impossible. Every single expert I talked with or e-mailed at Progent was amazingly focused on getting us back on-line and was working all day and night to bail us out."
Progent worked hand in hand with the customer to quickly understand and prioritize the essential elements that needed to be recovered in order to continue departmental operations:
- Windows Active Directory
- Electronic Messaging
To start, Progent followed anti-virus incident mitigation industry best practices by isolating and disinfecting systems. Progent then started the process of restoring Microsoft Active Directory, the key technology of enterprise systems built on Microsoft products. Microsoft Exchange email will not operate without AD, and the client's accounting and MRP software used SQL Server, which depends on Windows AD for authentication and authorization to the databases.
Within two days, Progent was able to rebuild Active Directory to its pre-penetration state. Progent then performed reinstallations and hard drive recovery of mission-critical applications. All Microsoft Exchange Server data and attributes were usable, which greatly helped the rebuild of Exchange. Progent was able to locate intact OST files (Outlook Off-Line Data Files) on various desktop computers to recover mail data. A recent off-line backup of the business's accounting/MRP software made it possible to return these vital services to users. Although a large amount of work remained to recover fully from the Ryuk event, critical systems were restored rapidly:
"For the most part, the manufacturing operation showed little impact and we made all customer deliverables."
Throughout the next few weeks, key milestones in the recovery process were reached in tight collaboration between Progent team members and the client:
- In-house web sites were brought back up without losing any information.
- The MailStore Microsoft Exchange Server archive with over 4 million messages was brought online and made available to users.
- CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivable/Inventory capabilities were completely functional.
- A new Palo Alto 850 security appliance was installed and configured.
- Ninety percent of the desktop computers were back in use by staff.
"A huge amount of what occurred in the early hours is mostly a fog for me, but my team will not soon forget the countless hours all of the team accomplished to help get our company back. I've been working with Progent for the past ten years, maybe more, and every time I needed help Progent has shined and delivered. This event was a life saver."
A likely company-ending disaster was averted thanks to dedicated experts, a broad array of technical expertise, and close teamwork. Although in the post-mortem the crypto-ransomware attack described here could have been prevented with modern cyber security technology and ISO/IEC 27001 best practices, staff education, and appropriate security procedures for information protection and applying software patches, the fact remains that state-sponsored cyber criminals from Russia, China and elsewhere are relentless and are an ongoing threat. If you do fall victim to a crypto-ransomware incident, remember that Progent's roster of professionals has a proven track record in ransomware defense, mitigation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thank you for making it so I could get rested after we got over the most critical parts. All of you did an amazing effort, and if any of your team is in the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)