Ransomware : Your Feared Information Technology Disaster
Ransomware has become an all-too-frequent cyber pandemic that presents an existential danger to businesses of every size that are vulnerable to an attack. Different versions of crypto-ransomware such as Reveton, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for years and still inflict destruction. More recent versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit and Nephilim, plus newer variants that have yet to be named, not only encrypt online data but also infiltrate most configured system restores and backups. Information replicated to cloud environments can also be corrupted. In a vulnerable system, this can make any restore operation useless and effectively knocks the entire system back to zero.
Restoring services and data after a ransomware attack becomes a race against the clock as the targeted organization fights to contain the damage, clean up the virus and resume business-critical operations. Because crypto-ransomware needs time to replicate, attacks are usually sprung during nights and weekends, when they often take longer to detect. This compounds the difficulty of rapidly assembling and orchestrating a capable response team.
Progent provides a range of support services for protecting The Woodlands businesses from ransomware events. These include team member education to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of modern security solutions with machine learning capabilities to intelligently detect and disable zero-day cyber threats. Progent also offers the assistance of veteran ransomware recovery engineers with the skills and commitment to restore a compromised network as soon as possible.
Progent's Ransomware Restoration Help
After a crypto-ransomware event, even paying the ransom in cryptocurrency does not guarantee that the criminals will provide the keys needed to decrypt any of your files. Kaspersky Labs determined that seventeen percent of ransomware victims never restored their files after having sent off the ransom, resulting in further losses. Paying is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET determined to be in the range of $13,000 for small businesses. The fallback is to re-install the key components of your Information Technology environment. Absent full data backups, this calls for a broad range of IT skills, top-notch team management, and the ability to work non-stop until the task is finished.
For twenty years, Progent has provided certified expert IT services for businesses across the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have earned high-level certifications in key technologies from Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with financial management and ERP software solutions. This breadth of experience gives Progent the capability to efficiently identify critical systems, gather the surviving pieces of your network environment after a ransomware event, and rebuild them into a functioning network.
Progent's recovery team uses best-of-breed project management systems to orchestrate the complex recovery process. Progent appreciates the urgency of acting rapidly and in unison with a client's management and Information Technology resources to prioritize tasks and to put the most important systems back online as soon as humanly possible.
Business Case Study: A Successful Ransomware Intrusion Recovery
A small business hired Progent after their network was attacked by the Ryuk ransomware virus. Ryuk is generally considered to have been deployed by North Korean state hackers, possibly adopting techniques leaked from the United States NSA. Ryuk targets specific organizations with little or no ability to sustain operational disruption and is among the most profitable instances of crypto-ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing business located in Chicago with around 500 workers. The Ryuk attack had paralyzed all business operations and manufacturing capabilities. The majority of the client's data backups had been online at the start of the intrusion and were encrypted. The client was preparing to pay the ransom (in excess of $200K) and hoping for good luck, but in the end called Progent.
"I can't speak enough about the care Progent gave us throughout the most stressful time of (our) business's existence. We most likely would have paid the criminal gangs if not for the confidence the Progent group gave us. The fact that you were able to get our e-mail and production applications back sooner than 1 week was incredible. Each staff member I talked with or messaged at Progent was laser focused on getting us back online and was working non-stop on our behalf."
Progent worked with the client to quickly identify and prioritize the most important applications that had to be recovered in order to continue company operations:
- Windows Active Directory
- Electronic Messaging
- Accounting and Manufacturing Software
To begin, Progent adhered to ransomware incident response best practices by halting lateral movement and cleaning up compromised systems. Progent then began the steps of bringing Windows Active Directory back online, the key technology of enterprise systems built on Microsoft Windows Server. Microsoft Exchange email will not operate without AD, and the client's MRP system relied on SQL Server, which depends on Windows AD for authentication to the database.
Within 48 hours, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then completed setup and storage recovery on the most important servers. All Exchange Server ties and attributes were intact, which greatly helped the rebuild of Exchange. Progent was also able to locate intact OST files (Microsoft Outlook Off-Line Data Files) on various PCs to recover email data. A reasonably recent offline backup of the customer's accounting systems made it possible to bring these vital applications back to users. Although a lot of work remained to recover fully from the Ryuk attack, the most important systems were returned to operation quickly:
"For the most part, the manufacturing operation ran fairly normal throughout and we made all customer shipments."
During the following couple of weeks, critical milestones in the recovery project were achieved through tight collaboration between Progent consultants and the client:
- Internal web sites were brought back up with no loss of data.
- The MailStore Server with over 4 million historical messages was restored to operations and accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory Control functions were fully operational.
- A new Palo Alto 850 firewall was installed and configured.
- Most of the desktops and laptops were operational.
"A huge amount of what happened in the initial days is mostly a blur for me, but my team will not soon forget the dedication all of you put in to give us our business back. I have entrusted Progent for the past 10 years, maybe more, and every time Progent has shined and delivered as promised. This time was a stunning achievement."
A probable business-ending catastrophe was dodged through the efforts of hard-working experts, a broad array of subject matter expertise, and close collaboration. In hindsight, the crypto-ransomware incident described here should have been identified and stopped by up-to-date cyber security solutions and security best practices, staff education, well-designed incident response procedures for data protection, and proper patching controls. The reality, however, is that government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and remain an ongoing threat. If you do get hit by a ransomware virus, you can be confident that Progent's team of experts has a proven track record in crypto-ransomware blocking, mitigation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were contributing), thanks very much for letting me get some sleep after we got over the first week. Everyone made an impressive effort, and if any of you guys are around the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To review or download a PDF version of this case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)