Ransomware : Your Feared IT Catastrophe
Ransomware has become an escalating cyber pandemic that poses an existential danger to organizations poorly prepared for an attack. Different iterations of crypto-ransomware such as the CrySIS, Fusob, Locky, SamSam and MongoLock cryptoworms have been circulating for a long time and still cause destruction. Newer ransomware families such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, along with many unnamed variants, not only encrypt online data but also seek out and encrypt any reachable system backup. Data synchronized to off-site disaster recovery sites can be ransomed as well. In a poorly architected environment, this renders automated restoration useless and effectively knocks the datacenter back to zero.
Restoring applications and data after a crypto-ransomware attack becomes a race against time as the targeted organization tries to stop the spread, eradicate the ransomware, and restore business-critical operations. Because ransomware takes time to propagate, attacks are often launched at night, when intrusions typically take longer to recognize. This compounds the difficulty of rapidly assembling and coordinating a knowledgeable mitigation team.
Progent offers a range of services for protecting Dayton organizations from crypto-ransomware incidents. These include staff training to help recognize and avoid phishing attacks, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security gateways with machine learning technology that automatically identify and block new threats. Progent also offers the assistance of veteran ransomware recovery professionals with the skills and commitment to rebuild a breached environment as quickly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminals will respond with the keys to decrypt all your files. Kaspersky Labs found that 17% of ransomware victims never recovered their data even after paying the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than typical ransomware demands, which ZDNET determined to be around $13,000 for small organizations. The alternative is to rebuild the vital components of your IT environment. Without access to complete system backups, this requires a broad complement of skills, top-notch project management, and the ability to work 24x7 until the task is complete.
For two decades, Progent has provided certified expert IT services to companies across the U.S. and has achieved Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who hold advanced industry certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise in financial management and ERP software solutions. This breadth of experience gives Progent the ability to rapidly identify critical systems, consolidate the surviving components of your IT environment after a ransomware attack, and configure them into a functioning network.
Progent's security group uses best-of-breed project management systems to orchestrate the complex restoration process. Progent appreciates the importance of working rapidly and in concert with a client's management and IT staff to prioritize tasks and to bring essential applications back online as fast as possible.
Business Case Study: A Successful Crypto-Ransomware Attack Recovery
A customer escalated to Progent after their network was penetrated by the Ryuk crypto-ransomware. Ryuk is believed to have been developed by North Korean state hackers, suspected of using algorithms exposed from the United States National Security Agency. Ryuk targets specific businesses with little or no ability to sustain disruption and is among the most lucrative ransomware families. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in Chicago with about 500 staff members. The Ryuk intrusion had disabled all business operations and manufacturing capabilities. The majority of the client's data backups had been online at the start of the intrusion and were eventually encrypted. The client was arranging financing to pay the ransom (exceeding $200,000) and hoping for the best, but in the end brought in Progent.
"I can't tell you enough in regards to the care Progent gave us throughout the most stressful period of (our) company's life. We most likely would have paid the hackers behind this attack if it wasn't for the confidence the Progent group gave us. The fact that you were able to get our messaging and key servers back on-line faster than five days was something I thought impossible. Each expert I interacted with or communicated with at Progent was hell bent on getting us restored and was working day and night on our behalf."
Progent worked hand in hand with the customer to rapidly understand and prioritize the most important applications that had to be recovered before company operations could resume:
- Active Directory
- Microsoft Exchange
To start, Progent followed antivirus incident response best practices by stopping the spread and cleaning up infected systems. Progent then began the work of restoring Microsoft Active Directory, the core of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not operate without Active Directory, and the business's financial and MRP applications relied on SQL Server, which needs Active Directory to authenticate users to the data.
In less than 2 days, Progent was able to recover Active Directory to its pre-attack state. Progent then rebuilt the most important applications and recovered their storage. All Microsoft Exchange Server data and attributes were usable, which greatly simplified the restore of Exchange. Progent was able to locate local OST files (Outlook Offline Data Files) on staff workstations in order to recover email data. A recent offline backup of the client's accounting/MRP systems made it possible to restore these essential applications to serving users. Although a large amount of work remained before recovery from the Ryuk event was complete, essential systems were restored rapidly:
"For the most part, the assembly line operation showed little impact and we did not miss any customer sales."
During the following weeks, important milestones in the recovery process were reached in close cooperation between Progent team members and the customer:
- Self-hosted web applications were brought back up with no loss of data.
- The MailStore archive for Microsoft Exchange Server, containing more than 4 million archived messages, was brought online and made accessible to users.
- CRM/Product Ordering/Invoicing/AP/Accounts Receivable/Inventory Control capabilities were fully operational.
- A new Palo Alto 850 security appliance was brought online.
- Nearly all user desktops were functioning as they had before the incident.
"A lot of what transpired during the initial response is nearly entirely a blur for me, but my management will not forget the urgency each of the team put in to help get our business back. I have been working together with Progent for the past 10 years, maybe more, and every time Progent has impressed me and delivered as promised. This event was no exception but maybe more Herculean."
A probable business-extinction disaster was averted through dedicated experts, a wide range of knowledge, and close teamwork. In retrospect, the crypto-ransomware attack described here would have been detected and stopped by advanced security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator training, well-designed incident response procedures for data protection, and keeping systems current with security patches. The reality remains, however, that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and an ongoing threat. If you are hit by a ransomware intrusion, remember that Progent's roster of professionals has proven experience in crypto-ransomware defense, remediation, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), I'm grateful for allowing me to get some sleep after we made it through the first week. Everyone did an impressive job, and if any of your guys is visiting the Chicago area, dinner is the least I can do!"
Download the Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this customer story, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Consulting Services in Dayton
For ransomware system recovery expertise in the Dayton area, call Progent at 800-462-8800 or go to Contact Progent.