Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become an escalating cyberplague that poses an enterprise-level danger for organizations poorly prepared for an attack. Different versions of ransomware like the CryptoLocker, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been circulating for many years and still inflict havoc. Modern variants of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Egregor, along with more unnamed newcomers, not only encrypt online files but also infect many configured system backups. Files replicated to the cloud can also be ransomed. With a poorly designed data protection solution, this can render any restoration useless and effectively knocks the network back to zero.
Recovering applications and information after a ransomware outage becomes a race against time as the victim tries its best to stop the spread, eradicate the malware, and resume enterprise-critical activity. Because ransomware requires time to spread, assaults are often launched during nights and weekends, when attacks may take longer to notice. This compounds the difficulty of promptly assembling and coordinating a qualified response team.
Progent makes available a range of help services for securing Cheyenne organizations from ransomware penetrations. These include user education to become familiar with and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of next-generation security solutions with AI technology to intelligently identify and quarantine new cyber attacks. Progent in addition provides the services of veteran ransomware recovery engineers with the track record and commitment to restore a compromised environment as soon as possible.
Progent's Ransomware Restoration Services
After a crypto-ransomware event, paying the ransom demand in Bitcoin cryptocurrency does not ensure that criminal gangs will return the keys needed to decipher all your information. Kaspersky Labs determined that 17% of ransomware victims never restored their files even after having paid the ransom, resulting in increased losses. Ransoms are also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the average ransomware demand, which ZDNET determined to be approximately $13,000 for smaller organizations. The fallback is to re-install the key elements of your IT environment. Absent the availability of essential information backups, this requires a broad range of IT skills, professional project management, and the capability to work 24x7 until the task is done.
For two decades, Progent has made available professional IT services for businesses throughout the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have attained top industry certifications in leading technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally renowned industry certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent in addition has expertise in financial management and ERP applications. This breadth of expertise affords Progent the ability to rapidly identify critical systems, organize the remaining components of your IT system following a ransomware event, and rebuild them into an operational network.
Progent's ransomware team utilizes best-of-breed project management systems to orchestrate the complicated restoration process. Progent knows the urgency of working quickly and together with a customer's management and IT resources to assign priority to tasks and to get the most important systems back online as fast as possible.
Client Case Study: A Successful Ransomware Incident Recovery
A business contacted Progent after their network system was penetrated by Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state cybercriminals, possibly adopting algorithms leaked from America's NSA organization. Ryuk goes after specific businesses with little or no room for disruption and is among the most profitable examples of ransomware malware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business located in Chicago with about 500 employees. The Ryuk penetration had brought down all essential operations and manufacturing capabilities. The majority of the client's backups had been directly accessible at the start of the intrusion and were eventually encrypted. The client was evaluating paying the ransom demand (more than two hundred thousand dollars) and praying for good luck, but ultimately engaged Progent.
"I can't speak enough about the help Progent provided us throughout the most critical period of (our) business's survival. We had little choice but to pay the cybercriminals if not for the confidence the Progent experts afforded us. That you could get our e-mail system and important servers back on-line in less than a week was earth shattering. Every single expert I interacted with or e-mailed at Progent was amazingly focused on getting my company operational and was working non-stop on our behalf."
Progent worked with the client to rapidly understand and assign priority to the essential systems that had to be recovered in order to continue company operations:
- Active Directory
- Microsoft Exchange
To begin, Progent followed industry best practices for malware incident response by isolating and cleaning up infected systems. Progent then began the task of restoring Microsoft Active Directory (AD), the heart of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not function without AD, and the customer's financials and MRP software used Microsoft SQL Server, which relies on Active Directory for authentication to the data.
Within two days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then accomplished setup and hard drive recovery of key systems. All Microsoft Exchange Server ties and configuration information were intact, which accelerated the restore of Exchange. Progent was able to locate non-encrypted OST files (Microsoft Outlook Offline Folder Files) on staff PCs in order to recover mail information. A recent offline backup of the client's financials/MRP systems allowed these essential services to be brought back on-line. Although major work still had to be done to recover fully from the Ryuk damage, core services were returned to operation quickly:
"For the most part, the production manufacturing operation did not miss a beat and we produced all customer orders."
Over the next couple of weeks, important milestones in the restoration project were reached in close cooperation between Progent team members and the client:
- In-house web sites were restored without losing any information.
- The MailStore Exchange Server containing more than 4 million historical emails was brought on-line and available for users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory Control capabilities were completely recovered.
- A new Palo Alto 850 firewall was brought on-line.
- Most of the desktop computers were back into operation.
"A huge amount of what occurred in the early hours is nearly entirely a haze for me, but I will not forget the commitment all of the team put in to give us our business back. I've trusted Progent for the past ten years, maybe more, and each time I needed help Progent has impressed me and delivered. This situation was no exception but maybe more Herculean."
A potential business-ending catastrophe was averted through the efforts of dedicated experts, a wide spectrum of knowledge, and tight teamwork. Although in hindsight the ransomware attack detailed here should have been identified and stopped with current cyber security systems and best practices, user training, and appropriate security procedures for data protection and keeping systems up to date with security patches, the reality remains that state-sponsored hackers from Russia, North Korea and elsewhere are relentless and will continue. If you do get hit by a crypto-ransomware attack, feel confident that Progent's roster of experts has extensive experience in ransomware defense, cleanup, and data disaster recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thanks very much for making it so I could get rested after we got past the initial fire. Everyone did an impressive effort, and if any of you guys are in the Chicago area, dinner is on me!"
Download the Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Expertise in Cheyenne
For ransomware cleanup consulting in the Cheyenne metro area, phone Progent at 800-462-8800 or see Contact Progent.