Ransomware: Your Feared Information Technology Catastrophe
Crypto-ransomware has become an escalating cyber pandemic that poses an existential threat to businesses of all sizes that are poorly prepared for an attack. Older families such as the Dharma, WannaCry, Locky, SamSam and MongoLock cryptoworms have been circulating for years and still cause damage. Modern variants such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, plus many less publicized strains, not only encrypt online files but also encrypt most configured system backups. Data replicated to off-site disaster recovery sites can be encrypted as well. In a vulnerable environment this can make any restoration impossible and effectively set the entire IT system back to square one.
Recovering applications and data after a ransomware outage becomes a race against the clock as the targeted business fights to contain and remove the ransomware and to resume business-critical operations. Because crypto-ransomware takes time to spread, attacks are often launched on weekends and holidays, when they typically take longer to discover. This compounds the difficulty of rapidly assembling and coordinating a qualified response team.
Progent offers an assortment of services for protecting Oklahoma City businesses from crypto-ransomware attacks. These include employee education to help staff recognize and avoid phishing attempts, and ProSight Active Security Monitoring (ASM) for endpoint detection and response, which uses SentinelOne's AI-based threat protection to detect and quarantine zero-day malware attacks. Progent also offers the services of experienced ransomware recovery engineers with the track record and perseverance to rebuild a breached network as rapidly as possible.
Progent's Crypto-Ransomware Recovery Support Services
Following a crypto-ransomware event, even paying the ransom demand in cryptocurrency does not ensure that the criminals will respond with the keys needed to decrypt any of your files. Kaspersky Labs found that 17% of ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is far above the typical ransomware demand, which ZDNET estimated at around $13,000 for small businesses. The alternative is to rebuild the essential components of your IT environment. Without complete data backups, this calls for a wide range of IT skills, professional project management, and the capacity to work 24x7 until the task is complete.
For decades, Progent has offered certified expert IT services to companies across the U.S. and has achieved Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants with advanced certifications in foundation technologies such as Microsoft, Cisco, VMware and popular Linux distributions. Progent's cybersecurity consultants hold internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC and GIAC (see Progent's certifications). Progent also has expertise with financial management and ERP applications. This breadth of experience allows Progent to efficiently identify the necessary systems, consolidate the surviving pieces of your network following a crypto-ransomware attack, and configure them into a functioning network.
Progent's ransomware team uses top-notch project management tools to coordinate the complex restoration process. Progent understands the urgency of acting swiftly and working closely with a customer's management and IT staff to prioritize tasks and put essential systems back online as soon as humanly possible.
Client Story: A Successful Crypto-Ransomware Virus Restoration
A business sought out Progent after its network was attacked by the Ryuk ransomware. Ryuk is thought to have been created by North Korean state-sponsored cybercriminals, possibly adopting techniques leaked from the United States National Security Agency. Ryuk targets specific businesses with little tolerance for disruption and is one of the most lucrative ransomware families. High-profile victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company based in Chicago with about 500 employees. The Ryuk attack had paralyzed all essential business and manufacturing operations. Most of the client's system backups had been online at the start of the attack and were eventually encrypted. The client considered paying the ransom demand (more than $200,000) and hoping for the best, but in the end brought in Progent.
"I can't speak enough in regards to the expertise Progent gave us throughout the most stressful time of (our) company's existence. We would have paid the hackers behind this attack if not for the confidence the Progent experts afforded us. The fact that you could get our messaging and key applications back faster than five days was beyond my wildest dreams. Each expert I spoke to or e-mailed at Progent was absolutely committed to getting our company operational and was working non-stop on our behalf."
Progent worked with the customer to rapidly identify and prioritize the essential services that had to be recovered before business operations could restart:
- Active Directory (AD)
- MRP System
To begin, Progent followed industry best practices for malware incident mitigation by halting lateral movement and removing active malware. Progent then started the work of recovering Microsoft Active Directory, the heart of enterprise networks built on Microsoft Windows. Microsoft Exchange email will not function without AD, and the customer's financial and MRP software used Microsoft SQL, which depends on Active Directory for access to the database.
Within two days, Progent had rebuilt Active Directory to its pre-attack state. Progent then rebuilt critical systems and recovered their hard drives. All Exchange schema and attributes were intact, which accelerated the restoration of Exchange. Progent was able to locate unencrypted OST files (Outlook Offline Folder Files) on staff PCs and laptops and used them to recover mail data. A recent offline backup of the client's manufacturing software made it possible to bring these essential programs back online for users. Although major work remained to recover completely from the Ryuk attack, core systems were restored rapidly:
"For the most part, the production manufacturing operation ran fairly normal throughout and we delivered all customer deliverables."
During the following month, important milestones in the recovery project were achieved through close collaboration between Progent team members and the customer:
- Self-hosted web applications were brought back up with no loss of data.
- The MailStore Server with over 4 million historical messages was brought online and made available to users.
- CRM/Orders/Invoices/AP/Accounts Receivables (AR)/Inventory Control modules were fully recovered.
- A new Palo Alto 850 security appliance was set up.
- Most of the user desktops were functioning as before the incident.
"A huge amount of what was accomplished in the early hours is nearly entirely a blur for me, but we will not forget the dedication all of the team put in to give us our business back. I have been working together with Progent for the past 10 years, possibly more, and each time Progent has shined and delivered as promised. This situation was a life saver."
A potential business-ending catastrophe was averted through hard-working experts, a wide range of IT skills, and close teamwork. In retrospect, the ransomware attack described here could have been prevented with advanced cybersecurity solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, properly executed data protection procedures, and proper patch management controls. The reality remains, however, that government-sponsored cybercriminals from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a crypto-ransomware attack, remember that Progent's roster of professionals has substantial experience in crypto-ransomware prevention, cleanup, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were involved), thank you for letting me get rested after we made it past the initial push. All of you did an impressive effort, and if any of your guys is around the Chicago area, dinner is the least I can do!"
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this customer case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Consulting in Oklahoma City
For ransomware system recovery consulting in the Oklahoma City area, call Progent at 800-462-8800 or see Contact Progent.