Ransomware : Your Worst IT Disaster
Ransomware has become a modern cyberplague that poses an extinction-level threat to businesses poorly prepared for an assault. Crypto-ransomware families such as Reveton, WannaCry, Bad Rabbit, SamSam and the MongoLock cryptoworm have been circulating for a long time and still cause destruction. More recent variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Egregor, plus a stream of unnamed newcomers, not only encrypt online critical data but also seek out and corrupt any reachable system restore points and backups. Files replicated to off-site disaster recovery sites can be corrupted as well. In a poorly architected data protection solution, this can make any recovery impossible and effectively knocks the network back to square one.
Restoring services and data after a ransomware outage becomes a sprint against the clock as the targeted business tries to contain the damage, clean up the crypto-ransomware and resume business-critical activity. Because ransomware needs time to spread, intrusions are usually launched at night, when they are likely to take longer to uncover. This compounds the difficulty of promptly mobilizing and orchestrating an experienced response team.
Progent offers a variety of services for protecting Edison enterprises from ransomware intrusions. Among these are staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and installation of next-generation security appliances with artificial intelligence capabilities to quickly discover and disable zero-day threats. Progent also offers the assistance of seasoned ransomware recovery consultants with the skill and commitment to re-deploy a breached environment as quickly as possible.
Progent's Ransomware Restoration Help
After a ransomware event, paying the ransom demanded in Bitcoin does not ensure that the criminal gang will provide the keys needed to decrypt any or all of your files. Kaspersky Labs determined that 17% of ransomware victims never restored their files after paying the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is far above typical ransomware demands, which ZDNET determined to be in the range of $13,000 for small organizations. The alternative is to re-install the mission-critical parts of your Information Technology environment. Without full data backups, this requires a wide complement of skill sets, professional project management, and the willingness to work continuously until the job is completed.
For twenty years, Progent has provided professional IT services for businesses across the US and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who hold top industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and the major distributions of Linux. Progent's cybersecurity specialists have earned internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has experience in accounting and ERP applications. This breadth of expertise gives Progent the skills to rapidly identify critical systems, reassemble the surviving pieces of your IT environment following a ransomware event, and configure them into an operational network.
Progent's recovery group uses best-of-breed project management systems to coordinate the complex restoration process. Progent understands the importance of working rapidly and together with a customer's management and Information Technology team members to prioritize tasks and to bring key services back online as soon as possible.
Client Story: A Successful Crypto-Ransomware Attack Recovery
A small business contacted Progent after its network was taken over by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean government-sponsored criminal gangs, suspected of using techniques leaked from the United States NSA. Ryuk targets specific organizations with little or no tolerance for operational disruption and is one of the most profitable incarnations of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing business based in Chicago with about 500 employees. The Ryuk intrusion had halted all business operations and manufacturing processes. The majority of the client's data backups had been online at the start of the intrusion and were damaged. The client was considering paying the ransom (exceeding $200,000) and hoping for the best, but in the end engaged Progent.
"I can't thank you enough for the care Progent gave us throughout the most fearful period of (our) company's existence. We would have paid the cyber criminals if it wasn't for the confidence the Progent team afforded us. The fact that you could get our messaging and essential applications back into operation in less than a week was incredible. Each staff member I spoke to or messaged at Progent was amazingly focused on getting us working again and was working at all hours on our behalf."
Progent worked with the customer to rapidly identify and prioritize the essential elements that had to be restored before business operations could restart:
- Active Directory (AD)
- Exchange Server
- Accounting and Manufacturing Software
To start, Progent followed antivirus/malware incident mitigation best practices by halting lateral movement and removing active malware. Progent then began rebuilding Windows Active Directory, the core of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not work without Active Directory, and the client's MRP software relied on Microsoft SQL Server, which depends on Active Directory for authentication and authorization to the data.
In less than 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then performed reinstallations and storage recovery on key systems. All Microsoft Exchange Server links and attributes were intact, which greatly simplified the rebuild of Exchange. Progent was also able to collect non-encrypted OST files (Outlook Offline Data Files) from user desktop computers in order to recover mail messages. A reasonably recent offline backup of the client's accounting/ERP software allowed these essential applications to be restored for users. Although significant work remained to recover fully from the Ryuk infection, critical systems were restored rapidly:
"For the most part, the manufacturing operation survived unscathed and we delivered all customer shipments."
Over the next month critical milestones in the recovery project were accomplished through close collaboration between Progent consultants and the customer:
- Self-hosted web sites were restored with no loss of information.
- The MailStore server, holding more than 4 million archived Exchange messages, was brought online and made accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/AR/Inventory Control functions were 100 percent functional.
- A new Palo Alto Networks 850 firewall was installed and configured.
- Ninety percent of the user PCs were fully operational.
"A lot of what went on in the early hours is nearly entirely a fog for me, but our team will not forget the commitment all of you accomplished to help get our company back. I've utilized Progent for at least 10 years, possibly more, and each time Progent has outperformed my expectations and delivered. This situation was a stunning achievement."
A probable company-ending disaster was avoided through the efforts of dedicated professionals, a broad spectrum of subject matter expertise, and tight teamwork. Post-incident analysis showed that the crypto-ransomware intrusion described here would have been stopped by up-to-date cybersecurity technology and recognized best practices: user and IT administrator education, well-designed procedures for isolated data backups, and proper patch management. Even so, the reality is that state-sponsored hackers from Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to crypto-ransomware, remember that Progent's team of professionals has proven experience in crypto-ransomware blocking, cleanup, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for making it so I could get rested after we made it past the initial push. Everyone did a fabulous job, and if anyone that helped is visiting the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer story, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)