Ransomware: Your Worst IT Disaster
Ransomware has become a modern cyber plague that represents an extinction-level danger for businesses unprepared for an assault. Multiple generations of ransomware such as Reveton, Fusob, Bad Rabbit, SamSam and MongoLock have been around for many years and continue to inflict damage. More recent strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nephilim, as well as additional as-yet-unnamed variants, not only encrypt on-line files but also seek out and destroy any system restore points and backups they can reach. Information replicated to off-site disaster recovery sites can also be rendered useless. In a poorly designed environment, this leaves automated recovery hopeless and effectively knocks the network back to zero.
Recovering programs and information after a ransomware intrusion becomes a race against time as the targeted business struggles to contain and clean up the ransomware and to restore mission-critical operations. Because ransomware needs time to move laterally, attacks are often launched on weekends, when a successful intrusion is likely to take longer to identify. This compounds the difficulty of promptly mobilizing and coordinating a capable mitigation team.
Progent offers a variety of solutions for protecting Barueri-Alphaville organizations from ransomware penetrations. Among these are staff education to help employees recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of the latest generation of security appliances with machine learning capabilities to intelligently identify and extinguish new cyber threats. Progent also provides the services of veteran ransomware recovery professionals with the track record and perseverance to re-deploy a compromised environment as quickly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware attack, paying the ransom demand in Bitcoin cryptocurrency does not guarantee that the cyber criminals will return the keys needed to decrypt any of your files. Kaspersky Labs found that seventeen percent of ransomware victims never recovered their information after paying the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the typical crypto-ransomware demand, which ZDNET determined to be approximately $13,000 for small organizations. The alternative is to piece back together the critical elements of your IT environment. Without usable backups of essential data, this calls for a wide range of skill sets, top-notch project management, and the willingness to work continuously until the job is done.
For two decades, Progent has offered professional IT services to businesses throughout the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who hold advanced certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has experience with financial management and ERP software solutions. This breadth of experience gives Progent the ability to rapidly identify important systems, re-organize the surviving components of your network after a crypto-ransomware attack, and configure them into an operational system.
Progent's recovery group uses top-notch project management systems to coordinate the complicated restoration process. Progent understands the urgency of working quickly and in concert with a client's management and Information Technology resources to prioritize tasks and to get essential services back on-line as soon as possible.
Client Story: A Successful Crypto-Ransomware Virus Response
A small business escalated to Progent after their company was attacked by the Ryuk ransomware. Ryuk is believed to have been launched by North Korean state-sponsored criminal gangs, suspected of adopting technology leaked from the United States NSA. Ryuk seeks out specific businesses with limited tolerance for operational disruption and is among the most profitable iterations of ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing company located in Chicago with about 500 workers. The Ryuk attack had brought down all business operations and manufacturing processes. Most of the client's system backups had been directly accessible from the network at the start of the attack and were destroyed. The client was preparing to pay the ransom demand (in excess of $200,000) and hoping for good luck, but ultimately reached out to Progent.
"I can’t speak enough about the support Progent provided us during the most fearful time of (our) company’s life. We most likely would have paid the criminal gangs if not for the confidence the Progent team gave us. That you were able to get our messaging and key applications back into operation faster than seven days was earth shattering. Every single expert I interacted with or e-mailed at Progent was amazingly focused on getting us back on-line and was working at all hours on our behalf."
Progent worked together with the client to rapidly determine and prioritize the critical areas that needed to be addressed in order to restart departmental functions:
- Windows Active Directory
- MRP System
To start, Progent followed industry best practices for incident response by halting the spread of the ransomware and removing active infections. Progent then began recovering Microsoft Active Directory, the core of enterprise networks built on Microsoft technology. Microsoft Exchange messaging will not function without Active Directory, and the customer's financials and MRP system relied on SQL Server, which requires Active Directory to authenticate access to the information.
In less than 48 hours, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then charged ahead with reinstallations and hard drive recovery of key systems. All Microsoft Exchange Server connectors and configuration information were usable, which facilitated the rebuild of Exchange. Progent was also able to find unencrypted OST files (Microsoft Outlook Offline Folder Files) on user desktop computers and recover email data from them. A reasonably recent off-line backup of the business's accounting software made it possible to bring these essential services back on-line. Although a large amount of work remained to recover completely from the Ryuk event, critical services were returned to operation rapidly:
"For the most part, the production manufacturing operation never missed a beat and we made all customer shipments."
Over the next month, critical milestones in the recovery process were reached in tight collaboration between Progent team members and the client:
- Self-hosted web applications were brought back up with no loss of information.
- The MailStore Server containing more than 4 million historical emails was brought online and available for users.
- CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables/Inventory Control modules were 100 percent functional.
- A new Palo Alto Networks 850 security appliance was brought on-line.
- Ninety percent of the user desktops and notebooks were functioning as before the incident.
"A lot of what occurred in the initial days is mostly a blur for me, but we will not soon forget the dedication each of the team put in to give us our business back. I’ve utilized Progent for at least 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered. This situation was a testament to your capabilities."
A probable business catastrophe was averted through the efforts of results-oriented experts, a broad range of knowledge, and close collaboration. In hindsight, the ransomware penetration detailed here would have been identified and prevented with advanced cyber security solutions and ISO/IEC 27001 best practices, staff training, well-designed security procedures for information protection, and systems kept up to date with security patches. The reality, however, is that government-sponsored cyber criminals from China, North Korea and elsewhere are tireless and will keep attacking. If you do get hit by a crypto-ransomware incident, feel confident that Progent's team of experts has a proven track record in ransomware blocking, removal, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were involved), thanks very much for letting me get rested after we made it over the most critical parts. Everyone did a fabulous job, and if any of your guys is visiting the Chicago area, dinner is on me!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this case study, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)