Ransomware : Your Feared Information Technology Catastrophe
Crypto-ransomware has become an all-too-frequent cyber pandemic that represents an enterprise-level danger for any business vulnerable to an attack. Multiple generations of crypto-ransomware such as Reveton, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for many years and continue to cause damage. Modern strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, along with more unnamed newcomers, not only encrypt on-line data but also infiltrate most configured system protection, so that backups reachable from the network are encrypted along with the data they protect. Data replicated to cloud environments can also be rendered useless. With a vulnerable data protection solution, this can make automated restoration impossible and effectively sets the network back to square one.
Retrieving services and data after a ransomware event becomes a sprint against time as the victim struggles to contain the damage and remove the ransomware and to resume mission-critical activity. Because crypto-ransomware needs time to move laterally, attacks are frequently launched at night, when successful attacks are likely to take more time to discover. This compounds the difficulty of promptly assembling and orchestrating an experienced response team.
Progent offers a range of solutions for protecting Des Moines businesses from ransomware events. These include user education to help recognize and avoid phishing scams, ProSight Active Security Monitoring for endpoint detection and response utilizing SentinelOne's behavior-based threat defense to identify and extinguish zero-day malware attacks. Progent in addition offers the services of seasoned ransomware recovery consultants with the skills and perseverance to rebuild a breached system as soon as possible.
Progent's Crypto-Ransomware Restoration Help
Soon after a crypto-ransomware penetration, even paying the ransom in cryptocurrency does not ensure that criminal gangs will respond with the needed codes to decrypt any or all of your data. Kaspersky determined that 17% of ransomware victims never restored their information even after having paid the ransom, resulting in further losses. The ransom itself is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the typical ransomware demand, which ZDNET determined to be approximately $13,000 for smaller businesses. The other path is to re-install the key elements of your IT environment. Without complete information backups, this requires a broad range of IT skills, professional team management, and the willingness to work 24x7 until the task is done.
For decades, Progent has offered certified expert Information Technology services for companies throughout the US and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have been awarded top industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise in financial systems and ERP software solutions. This breadth of experience gives Progent the ability to rapidly identify the systems that must come back first, organize the remaining pieces of your computer network following a ransomware penetration, and rebuild them into a functioning network.
Progent's security team has state-of-the-art project management applications to orchestrate the sophisticated recovery process. Progent understands the importance of working quickly and in unison with a customer's management and IT team members to assign priority to tasks and to get key systems back on line as fast as humanly possible.
Customer Story: A Successful Crypto-Ransomware Intrusion Recovery
A small business hired Progent after their network was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state-sponsored hackers, possibly using techniques leaked from America's National Security Agency. Ryuk targets specific businesses with little tolerance for operational disruption and is among the most lucrative versions of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in the Chicago metro area with about 500 staff members. The Ryuk attack had frozen all essential operations and manufacturing capabilities. Most of the client's backups had been on-line at the beginning of the intrusion and were destroyed. The client was taking steps to pay the ransom (exceeding $200K) and hoping for good luck, but in the end called Progent.
"I cannot say enough in regards to the expertise Progent provided us throughout the most fearful period of (our) company's existence. We would have paid the cyber criminals behind the attack except for the confidence the Progent group gave us. That you could get our e-mail and production servers back on-line in less than one week was beyond my wildest dreams. Each person I talked with or e-mailed at Progent was absolutely committed to getting our company operational and was working at all hours on our behalf."
Progent worked with the client to quickly identify and prioritize the mission critical services that needed to be restored in order to resume departmental functions:
- Windows Active Directory
- MRP System
To start, Progent followed ransomware incident mitigation industry best practices by halting lateral movement and clearing infected systems. Progent then started the task of restoring Microsoft AD, the foundation of enterprise networks built on Microsoft technology. Microsoft Exchange Server messaging will not function without Active Directory, and the customer's accounting and MRP applications leveraged Microsoft SQL Server, which requires Active Directory for access to the information.
In less than 48 hours, Progent was able to rebuild Active Directory to its pre-penetration state. Progent then completed reinstallations and hard drive recovery of mission critical systems. All Exchange Server data and configuration information were usable, which facilitated the restore of Exchange. Progent was also able to collect non-encrypted OST files (Microsoft Outlook Off-Line Folder Files) from user desktop computers in order to recover mail data. A fairly recent off-line backup of the business's manufacturing systems made it possible to bring these essential applications back online for users. Although major work remained to recover fully from the Ryuk damage, essential systems were restored quickly:
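The recovery order described above (halt lateral movement, restore Active Directory, only then bring back the Exchange and SQL Server workloads that depend on it, and salvage unencrypted Outlook OST files from workstations as a mail source) can be turned into a repeatable readiness check. The script below is an added example written for this page; it is not Progent's tooling. It assumes it is run with domain admin rights on a rebuilt domain controller, that the workstation names and the `$RecoveryShare` UNC path are hypothetical placeholders, and that Outlook is closed on the workstations so the OST files are not locked.

```powershell
# Added example: recovery-readiness check mirroring the dependency order
# AD -> Exchange / SQL Server, plus an inventory and salvage copy of
# unencrypted Outlook OST files as a mail-recovery source.
# Assumptions: run as domain admin on a rebuilt DC; $RecoveryShare and the
# workstation names are hypothetical placeholders, not from any real site.

param(
    [string]$RecoveryShare = '\\RECOVERY01\ost-salvage',   # hypothetical share
    [string[]]$Workstations = @('WS-FIN-01', 'WS-ENG-02')   # constructed sample list
)

function Test-ADRecovered {
    # Core domain controller services that must be running before any
    # AD-dependent application (Exchange, SQL Server with Windows auth) is restored
    $required = 'NTDS', 'DNS', 'Kdc', 'Netlogon', 'W32Time'
    $down = foreach ($svc in $required) {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if (-not $s -or $s.Status -ne 'Running') { $svc }
    }
    if ($down) {
        Write-Warning "AD services not running: $($down -join ', ')"
        return $false
    }

    # The secure channel between this machine and the domain must be intact
    if (-not (Test-ComputerSecureChannel)) {
        Write-Warning 'Secure channel to the domain is broken'
        return $false
    }

    # dcdiag /q prints only failures; any "failed test" line blocks the next phase
    $diag = dcdiag /q 2>&1
    if ($diag -match 'failed test') {
        Write-Warning "dcdiag reported failures:`n$diag"
        return $false
    }
    return $true
}

function Get-OstInventory {
    param([string[]]$Computers)
    # OST files live under each user profile; the C$ admin share gives read access
    foreach ($c in $Computers) {
        $root = "\\$c\C$\Users"
        if (-not (Test-Path $root)) { Write-Warning "Cannot reach $c"; continue }
        Get-ChildItem -Path $root -Filter *.ost -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Computer  = $c
                    # \\HOST\C$\Users\<user>\... -> element 5 after splitting on backslash
                    User      = ($_.FullName -split '\\')[5]
                    Path      = $_.FullName
                    SizeMB    = [math]::Round($_.Length / 1MB, 1)
                    LastWrite = $_.LastWriteTime
                }
            }
    }
}

# Phase gate: do not start Exchange / SQL Server restoration until AD is healthy
if (-not (Test-ADRecovered)) {
    Write-Host 'Active Directory is not yet healthy; hold the Exchange/SQL restore.' -ForegroundColor Red
    exit 1
}
Write-Host 'Active Directory checks passed; dependent services may be restored.' -ForegroundColor Green

# Inventory OST files, then copy them (source is read-only) to the recovery share
$inventory = Get-OstInventory -Computers $Workstations
$inventory | Sort-Object Computer, User | Format-Table -AutoSize
foreach ($ost in $inventory) {
    $dest = Join-Path $RecoveryShare "$($ost.Computer)_$($ost.User)"
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Copy-Item -Path $ost.Path -Destination $dest -ErrorAction Continue
}
```

The AD gate is deliberately strict: a single failed `dcdiag` test or a broken secure channel stops the script, because bringing Exchange or SQL Server up against a partially replicated directory tends to create a second outage on top of the first. The OST copy keeps one folder per workstation and user so that mail can be imported into the correct mailbox once Exchange is back.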
"For the most part, the manufacturing operation showed little impact and we did not miss any customer orders."
During the following few weeks critical milestones in the restoration project were accomplished in tight collaboration between Progent engineers and the customer:
- In-house web applications were returned to operation without losing any data.
- The MailStore Microsoft Exchange Server containing more than four million historical messages was spun up and accessible to users.
- CRM/Customer Orders/Invoices/AP/Accounts Receivables (AR)/Inventory Control capabilities were 100 percent recovered.
- A new Palo Alto 850 firewall was brought on-line.
- Nearly all of the user desktops and notebooks were back in use by staff.
"A lot of what occurred that first week is nearly entirely a haze for me, but our team will not soon forget the urgency all of the team accomplished to help get our company back. I've been working together with Progent for the past ten years, maybe more, and each time I needed help Progent has impressed me and delivered as promised. This situation was the most impressive ever."
A possible business-killing catastrophe was averted by top-tier professionals, a wide array of knowledge, and tight collaboration. Although in hindsight the ransomware virus incident described here should have been stopped with up-to-date security solutions and security best practices, staff education, and properly executed security procedures for information backup and proper patching controls, the fact is that government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware penetration, remember that Progent's team of professionals has proven experience in ransomware virus defense, cleanup, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), I'm grateful for allowing me to get rested after we got over the first week. Everyone made a fabulous effort, and if anyone is in the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this customer case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Consulting in Des Moines
For ransomware cleanup consulting services in the Des Moines metro area, phone Progent at 800-462-8800 or see Contact Progent.