Ransomware: Your Worst Information Technology Disaster
Ransomware has become an escalating cyber pandemic that poses an enterprise-level danger for any organization vulnerable to an attack. Versions of crypto-ransomware like the CryptoLocker, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for a long time and continue to cause harm. Newer variants of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, along with daily unnamed newcomers, not only encrypt online data files but also infect most configured system backups. Data synched to the cloud can also be ransomed. In a poorly architected system, this can make any recovery useless and essentially knocks the network back to square one.
Retrieving applications and information following a ransomware intrusion becomes a sprint against the clock as the victim tries its best to stop lateral movement, eradicate the ransomware, and restore enterprise-critical operations. Since ransomware requires time to move laterally, attacks are usually sprung on weekends and holidays, when successful intrusions in many cases take longer to recognize. This multiplies the difficulty of promptly marshalling and coordinating a capable response team.
Progent offers a range of support services for securing Edison enterprises from ransomware intrusions. These include staff education to recognize and avoid phishing attempts, and ProSight Active Security Monitoring for endpoint detection and response, which uses SentinelOne's behavior-based cyberthreat protection to discover and disable zero-day malware attacks. Progent also offers the assistance of experienced ransomware recovery consultants with the track record and perseverance to rebuild a compromised system as quickly as possible.
Progent's Ransomware Recovery Support Services
After a crypto-ransomware attack, sending the ransom in cryptocurrency does not provide any assurance that the cyber criminals will provide the keys to decrypt any or all of your data. Kaspersky Labs estimated that seventeen percent of crypto-ransomware victims never recovered their data even after having sent off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is well above the typical crypto-ransomware demand, which ZDNET determined to be around $13,000 for small businesses. The other path is to set up the key elements of your Information Technology environment from scratch. Without the availability of full information backups, this calls for a wide range of skills, top-notch project management, and the ability to work 24x7 until the task is done.
For two decades, Progent has provided expert Information Technology services for companies throughout the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have earned high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have earned internationally renowned industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent in addition has experience in accounting and ERP software solutions. This breadth of expertise gives Progent the capability to quickly understand important systems, organize the surviving pieces of your IT environment after a ransomware event, and configure them into a functioning system.
Progent's security team deploys state-of-the-art project management systems to orchestrate the complicated restoration process. Progent appreciates the urgency of acting rapidly and in concert with a client's management and IT team members to assign priority to tasks and to put critical systems back on line as fast as humanly possible.
Customer Case Study: A Successful Ransomware Intrusion Recovery
A small business engaged Progent after their organization was attacked by Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean government-sponsored criminal gangs, possibly using algorithms leaked from the U.S. NSA. Ryuk goes after specific businesses with limited ability to sustain operational disruption and is one of the most lucrative iterations of ransomware malware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing business based in the Chicago metro area with about 500 employees. The Ryuk intrusion had frozen all company operations and manufacturing capabilities. Most of the client's backups had been online at the beginning of the attack and were destroyed. The client was evaluating paying the ransom (exceeding $200,000) and hoping for the best, but in the end called Progent.
"I cannot thank you enough in regards to the care Progent provided us throughout the most critical period of (our) business's life. We most likely would have paid the cyber criminals behind the attack if it wasn't for the confidence the Progent experts provided us. The fact that you could get our e-mail system and essential applications back online in less than 1 week was incredible. Every single staff member I spoke to or e-mailed at Progent was laser focused on getting us back online and was working 24/7 to bail us out."
Progent worked together with the customer to rapidly get its arms around and prioritize the mission-critical systems that had to be recovered to make it possible to resume company operations:
- Active Directory
- Microsoft Exchange Email
To begin, Progent adhered to ransomware event mitigation industry best practices by stopping the spread and performing virus removal steps. Progent then started the process of restoring Active Directory, the core of enterprise environments built upon Microsoft Windows Server technology. Microsoft Exchange Server email will not work without AD, and the business's financials and MRP software used Microsoft SQL, which needs Windows AD for access to the database.
In less than 2 days, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then initiated reinstallations and hard drive recovery on the needed servers. All Exchange ties and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was also able to locate intact OST data files (Outlook Offline Folder Files) on user PCs and laptops to recover mail messages. A fairly recent offline backup of the client's financials/ERP systems made it possible to bring these essential services back online. Although a large amount of work remained to recover completely from the Ryuk event, critical systems were recovered rapidly:
"For the most part, the production operation did not miss a beat and we did not miss any customer sales."
Throughout the next couple of weeks, important milestones in the recovery process were reached in close collaboration between Progent engineers and the client:
- In-house websites were returned to operation with no loss of data.
- The MailStore Exchange Server archive with over 4 million historical messages was spun up and made available to users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivable (AR)/Inventory Control capabilities were completely restored.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- 90% of the user workstations were back in operation.
"A huge amount of what was accomplished that first week is mostly a blur for me, but I will not forget the dedication each of your team put in to help get our business back. I've been working with Progent for the past ten years, maybe more, and every time Progent has shined and delivered. This situation was no exception but maybe more Herculean."
A likely enterprise-killing catastrophe was dodged thanks to results-oriented experts, a wide spectrum of technical expertise, and tight collaboration. Although in hindsight the ransomware incident detailed here could have been shut down with advanced cyber security technology, security best practices, user education, and appropriate incident response procedures for backup and software patching, the fact remains that government-sponsored hackers from China, North Korea and elsewhere are tireless and will continue. If you do get hit by a crypto-ransomware intrusion, remember that Progent's roster of professionals has substantial experience in ransomware blocking, cleanup, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thanks very much for letting me get rested after we made it over the first week. All of you did an incredible job, and if any of your guys are around the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB)
Contact Progent for Ransomware Cleanup Consulting in Edison
For ransomware system recovery consulting services in the Edison metro area, call Progent at 800-462-8800 or visit Contact Progent.