Ransomware: Your Crippling IT Catastrophe
Ransomware has become an all-too-frequent cyber plague that poses an enterprise-level threat to businesses poorly prepared for an attack. Older strains of ransomware such as the CrySIS, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for years and continue to cause harm. Newer strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Nefilim, plus a steady stream of unnamed newcomers, not only encrypt online data but also encrypt any backup that is reachable from the compromised network. Data replicated to cloud environments can be rendered useless as well, since the encrypted files are replicated along with everything else. In a poorly designed environment this can make any recovery impossible and effectively knocks the network back to square one.
Restoring services and data after a crypto-ransomware attack becomes a race against the clock as the victim fights to stop lateral movement, eradicate the ransomware and bring mission-critical operations back online. Because crypto-ransomware needs time to spread, attacks are often launched on weekends, when they tend to take longer to detect. This compounds the difficulty of rapidly mobilizing and coordinating an experienced response team.
Progent offers a range of services for protecting Eugene businesses from ransomware attacks. These include staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security appliances with machine learning technology that automatically detect and block new threats. Progent can also provide veteran ransomware recovery professionals with the skills and commitment to rebuild a compromised system as quickly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware attack, even paying the ransom in cryptocurrency provides no assurance that the criminal gang will hand over the keys to decrypt any or all of your data. Kaspersky estimated that 17% of ransomware victims never recovered their data even after sending the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the typical crypto-ransomware demand, which ZDNET determined to be around $13,000 for small organizations. The alternative is to rebuild the mission-critical components of your IT environment from scratch. Without access to complete data backups, this requires a broad complement of IT skills, professional project management, and the ability to work around the clock until the recovery project is done.
For two decades, Progent has provided certified expert IT services to businesses across the U.S. and has earned Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who hold high-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and major Linux distributions. Progent's security consultants hold internationally recognized certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise with accounting and ERP applications. This breadth of expertise lets Progent quickly identify critical systems, organize the remaining components of your IT environment after a ransomware attack, and reassemble them into an operational network.
Progent's ransomware team uses top-notch project management tools to orchestrate the complex restoration process. Progent appreciates the importance of working swiftly and in unison with a customer's management and IT team members to prioritize tasks and get essential applications back online as fast as possible.
Client Case Study: A Successful Ransomware Incident Response
A small business escalated to Progent after its network was taken over by the Ryuk ransomware. Ryuk is believed to have been created by North Korean state-backed criminal gangs, suspected of using technology leaked from the United States NSA. Ryuk targets specific businesses with little or no tolerance for disruption and is among the most profitable incarnations of crypto-ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing company located in Chicago with around 500 workers. The Ryuk attack had shut down all business operations and manufacturing processes. Most of the client's backups had been directly accessible from the network at the start of the attack and were destroyed. The client considered paying the ransom demand (more than $200K) and hoping for the best, but in the end decided to engage Progent.
"I cannot thank you enough about the support Progent gave us throughout the most critical time of (our) company's life. We most likely would have paid the Hackers if not for the confidence the Progent group gave us. That you could get our messaging and production applications back into operation faster than a week was incredible. Each staff member I talked with or e-mailed at Progent was amazingly focused on getting our company operational and was working at all hours on our behalf."
Progent worked hand in hand with the customer to rapidly take stock of and prioritize the mission-critical applications that had to be restored before business operations could resume:
- Active Directory
- Electronic Mail
- MRP System
To begin, Progent followed ransomware incident response best practices by containing lateral movement and removing the malware. Progent then began rebuilding Microsoft Active Directory (AD), the core of enterprise networks built on Microsoft technology. Microsoft Exchange messaging will not work without AD, and the client's accounting and MRP software used Microsoft SQL Server, which depended on Active Directory for access to the databases.
Within two days, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then completed reinstallations and hard drive recovery for mission-critical applications. All Exchange schema and configuration information was intact, which simplified the Exchange rebuild. Progent was able to gather intact OST files (Microsoft Outlook Offline Data Files) from various desktop and laptop computers in order to recover mail messages. A fairly recent offline backup of the business's manufacturing software made it possible to bring these essential programs back online. Although significant work remained to recover fully from the Ryuk incident, critical services were restored rapidly:
"For the most part, the production line operation ran fairly normal throughout and we made all customer deliverables."
During the next month, important milestones in the restoration project were completed through close collaboration between Progent consultants and the client:
- Internal web applications were restored without losing any information.
- The MailStore email archive for Microsoft Exchange, containing more than four million archived emails, was brought online and made accessible to users.
- CRM, product ordering, invoicing, accounts payable (AP), accounts receivable (AR) and inventory control capabilities were fully functional.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- Ninety percent of user PCs were back in service with staff.
"Much of what transpired in the initial days is nearly entirely a fog for me, but my management will not forget the commitment each of the team put in to help get our company back. I have entrusted Progent for the past 10 years, maybe more, and every time I needed help Progent has come through and delivered. This situation was a testament to your capabilities."
A probable business-ending disaster was averted through the efforts of top-tier experts, a broad range of technical expertise, and close collaboration. Although in hindsight the ransomware attack detailed here could have been blocked with advanced security solutions and NIST Cybersecurity Framework best practices, user and IT administrator training, and appropriate procedures for data backup and patch management, the reality is that state-sponsored cyber criminals from China, North Korea and elsewhere are tireless and remain an ongoing threat. If you do fall victim to ransomware, remember that Progent's roster of professionals has substantial experience in ransomware prevention, mitigation, and information systems restoration.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thanks very much for letting me get some sleep after we made it over the initial push. Everyone did an incredible effort, and if anyone that helped is visiting the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)