Ransomware : Your Feared Information Technology Disaster
Ransomware has become an escalating cyber pandemic that poses an extinction-level danger for businesses poorly prepared for an attack. Crypto-ransomware families like the CryptoLocker, WannaCry, Locky, Syskey and MongoLock cryptoworms have been around for a long time and still inflict damage. Modern strains such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, along with many unnamed variants, not only encrypt online data but also corrupt every reachable system restore point and backup. Data synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly designed environment, this can make automated recovery impossible and effectively knocks the network back to square one.
Recovering applications and information after a crypto-ransomware outage becomes a race against the clock as the targeted business tries to stop the spread, remove the crypto-ransomware, and restore enterprise-critical operations. Since ransomware needs time to replicate, attacks are frequently sprung on weekends, when they typically take longer to notice. This multiplies the difficulty of rapidly mobilizing and orchestrating a knowledgeable response team.
Progent offers a variety of services for protecting Los Angeles organizations from ransomware events. These include team member training to help staff recognize and avoid phishing attacks, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of the latest generation of AI-enabled security solutions that automatically detect and contain zero-day threats. Progent also provides experienced ransomware recovery consultants with the skills and commitment to rebuild a breached environment as quickly as possible.
Progent's Crypto-Ransomware Recovery Services
After a ransomware event, paying the ransom in Bitcoin cryptocurrency does not guarantee that the criminals will provide the keys to decrypt all your information. Kaspersky estimated that seventeen percent of crypto-ransomware victims never restored their data even after paying the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is significantly above the usual ransomware demand, which ZDNET estimated to be in the range of $13,000 for smaller businesses. The fallback is to re-install the critical components of your Information Technology environment. Without access to complete information backups, this calls for a wide complement of IT skills, well-coordinated team management, and the capability to work 24x7 until the recovery project is finished.
For decades, Progent has provided certified expert IT services for companies across the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have earned advanced industry certifications in foundation technologies from Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have garnered internationally recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has experience with accounting and ERP software solutions. This breadth of experience gives Progent the ability to quickly identify critical systems, consolidate the surviving parts of your IT environment following a ransomware attack, and rebuild them into a working network.
Progent's security team uses best-of-breed project management systems to coordinate the complex recovery process. Progent understands the importance of working quickly and in unison with a client's management and Information Technology staff to prioritize tasks and to get essential systems back online as fast as humanly possible.
Client Story: A Successful Ransomware Intrusion Restoration
A client escalated to Progent after their organization was penetrated by the Ryuk ransomware virus. Ryuk is thought to have been launched by North Korean state-sponsored criminal gangs, suspected of adopting techniques leaked from America's National Security Agency. Ryuk goes after specific businesses with little or no tolerance for disruption and is among the most lucrative incarnations of crypto-ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business in the Chicago metro area with about 500 employees. The Ryuk intrusion had frozen all business operations and manufacturing capabilities. The majority of the client's data backups had been online at the time of the attack and were destroyed. The client was actively seeking loans to pay the ransom (in excess of $200K) and hoping for good luck, but in the end made the decision to use Progent.
"I cannot tell you enough about the care Progent gave us throughout the most stressful time of (our) business's life. We most likely would have paid the cyber criminals if not for the confidence the Progent team afforded us. That you could get our messaging and critical applications back into operation quicker than seven days was beyond my wildest dreams. Each consultant I worked with or communicated with at Progent was amazingly focused on getting us restored and was working non-stop to bail us out."
Progent worked together with the customer to quickly identify and prioritize the critical applications that had to be addressed to make it possible to restart departmental operations:
- Microsoft Active Directory
- Exchange Server
To start, Progent followed antivirus/malware incident mitigation best practices by halting lateral movement and cleaning infected systems. Progent then began restoring Microsoft Active Directory, the foundation of enterprise environments built on Microsoft technology. Microsoft Exchange messaging will not work without AD, and the business's accounting and MRP applications relied on Microsoft SQL Server, which depends on Active Directory for authentication to the data.
In less than two days, Progent was able to restore Active Directory services to their pre-attack state. Progent then helped rebuild essential servers and recover their storage. All Exchange Server schema and configuration information were usable, which facilitated the rebuild of Exchange. Progent was also able to collect unencrypted OST files (Outlook Offline Folder Files) from staff PCs in order to recover mail data. A fairly recent offline backup of the business's accounting/MRP systems made it possible to return these essential services to users. Although a large amount of work remained to recover completely from the Ryuk attack, the most important services were recovered rapidly:
"For the most part, the production line operation was never shut down and we made all customer orders."
During the following couple of weeks, critical milestones in the restoration project were accomplished through close cooperation between Progent consultants and the customer:
- In-house web applications were returned to operation without losing any data.
- The MailStore Server with over four million archived emails was restored to operations and accessible to users.
- CRM/Product Ordering/Invoicing/AP/Accounts Receivables/Inventory Control capabilities were 100% restored.
- A new Palo Alto Networks 850 firewall was installed and configured.
- Most of the user desktops and notebooks were back into operation.
"A huge amount of what occurred during the initial response is mostly a fog for me, but my team will not soon forget the dedication all of the team put in to give us our company back. I've utilized Progent for the past ten years, possibly more, and each time Progent has come through and delivered. This event was a stunning achievement."
A likely business-ending disaster was averted thanks to results-oriented experts, a broad spectrum of technical expertise, and tight teamwork. In hindsight, the ransomware attack described here should have been stopped by up-to-date cyber security technology, NIST Cybersecurity Framework best practices, staff education, and well-designed procedures for protecting information and keeping systems current with security patches. The reality remains, however, that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and an ongoing threat. If you do get hit by a crypto-ransomware penetration, remember that Progent's team of experts has extensive experience in ransomware defense, mitigation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were helping), I'm grateful for making it so I could get rested after we made it past the first week. Everyone did an amazing job, and if anyone is around the Chicago area, dinner is on me!"
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)