Ransomware : Your Worst IT Catastrophe
Ransomware has become an escalating cyberplague that poses an extinction-level danger for organizations poorly prepared for an assault. Multiple generations of ransomware, including the CrySIS, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms, have been running rampant for many years and still cause destruction. Newer crypto-ransomware families such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, plus new, as yet unnamed variants appearing daily, not only encrypt online data files but also go after any configured system protection. Data synchronized to off-site disaster recovery sites can be encrypted as well. In a poorly architected environment, this can make automated restore operations hopeless and effectively sets the datacenter back to square one.
Recovering applications and data after a ransomware intrusion becomes a sprint against time as the targeted organization struggles to stop lateral movement, clean up the malware, and resume mission-critical activity. Because ransomware needs time to spread, attacks are usually launched on weekends and at night, when they are likely to go unnoticed longer. This compounds the difficulty of rapidly mobilizing and organizing a capable mitigation team.
Progent provides an assortment of solutions for protecting organizations from ransomware penetrations. Among these are user education to help staff recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of modern security solutions with AI capabilities to quickly detect and contain zero-day cyber attacks. Progent can also provide the services of expert crypto-ransomware recovery professionals with the skills and commitment to restore a compromised network as soon as possible.
Progent's Ransomware Restoration Help
Following a crypto-ransomware attack, even paying the ransom in cryptocurrency provides no assurance that merciless criminals will hand over the keys to decrypt any or all of your data. Kaspersky determined that seventeen percent of crypto-ransomware victims never recovered their data even after paying the ransom, resulting in increased losses. The gamble is also costly: Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far above the usual crypto-ransomware demand, which ZDNET determined to be approximately $13,000 for small organizations. The fallback is to set up the critical components of your IT environment from scratch. Without access to complete system backups, this requires a broad range of skill sets, top-notch project management, and the ability to work continuously until the task is complete.
For two decades, Progent has provided certified expert IT services for companies across the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who hold high-level certifications in foundation technologies from Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have earned internationally recognized certifications including CISA, CISSP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise in accounting and ERP software solutions. This breadth of expertise gives Progent the skills to understand the necessary systems, consolidate the remaining components of your network following a crypto-ransomware penetration, and rebuild them into a functioning system.
Progent's recovery team deploys state-of-the-art project management tools to coordinate the complicated recovery process. Progent knows the importance of acting rapidly and together with a customer's management and IT resources to prioritize tasks and to put critical applications back online as fast as humanly possible.
Business Case Study: A Successful Ransomware Virus Recovery
A client hired Progent after their organization was crippled by the Ryuk ransomware. Ryuk is believed to have been launched by North Korean state-affiliated criminal gangs, possibly using techniques leaked from America's NSA. Ryuk targets specific companies with little ability to sustain operational disruption and is among the most profitable incarnations of crypto-ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in the Chicago metro area with around 500 workers. The Ryuk penetration had disabled all company operations and manufacturing capabilities. Most of the client's backups had been online at the beginning of the intrusion and were damaged. The client was taking steps to pay the ransom (more than $200K) and hope for the best, but ultimately reached out to Progent.
"I can't tell you enough about the care Progent provided us throughout the most fearful period of (our) business's survival. We would have paid the hackers behind this attack if not for the confidence the Progent group provided us. That you could get our messaging and key servers back into operation faster than a week was beyond my wildest dreams. Every single person I worked with or texted at Progent was hell bent on getting our company operational and was working non-stop on our behalf."
Progent worked with the customer to quickly assess and prioritize the critical systems that needed to be addressed to make it possible to resume departmental functions:
- Windows Active Directory
- Electronic Messaging
To start, Progent followed anti-virus/malware incident response best practices by stopping the spread and cleaning up infected systems. Progent then began the process of bringing Active Directory back online, the key technology of enterprise environments built on Microsoft Windows. Microsoft Exchange messaging will not function without Windows AD, and the customer's financials and MRP system relied on SQL Server, which depends on Windows AD for authentication to the data.
Within 2 days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then assisted with rebuilding and hard drive recovery of the needed systems. All Exchange data and attributes were intact, which facilitated the rebuild of Exchange. Progent was able to locate local OST files (Microsoft Outlook Offline Folder Files) on various desktop computers in order to recover email data. A reasonably recent offline backup of the customer's manufacturing systems made it possible to bring these essential services back online for users. Although a large amount of work still had to be done to recover fully from the Ryuk attack, essential services were returned to operation quickly:
"For the most part, the production manufacturing operation ran fairly normal throughout and we produced all customer shipments."
Over the following few weeks key milestones in the recovery project were accomplished through tight cooperation between Progent consultants and the client:
- Self-hosted web applications were returned to operation with no loss of information.
- The MailStore Microsoft Exchange Server containing more than four million archived emails was brought online and accessible to users.
- CRM/Orders/Invoicing/AP/Accounts Receivables/Inventory modules were 100% operational.
- A new Palo Alto 850 firewall was brought on-line.
- Ninety percent of the desktops and laptops were functioning as before the incident.
"A huge amount of what happened that first week is nearly entirely a fog for me, but my management will not forget the countless hours each of your team put in to help get our company back. I have been working with Progent for at least 10 years, possibly more, and every time Progent has outperformed my expectations and delivered as promised. This event was no exception but maybe more Herculean."
A possible enterprise-killing catastrophe was avoided through the efforts of results-oriented professionals, a wide spectrum of IT skills, and tight collaboration. In hindsight, the ransomware penetration described here should have been identified and disabled by current cyber security solutions and recognized best practices: team education and properly executed security procedures for data backup and software patching. The reality remains, however, that state-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware penetration, remember that Progent's roster of professionals has proven experience in ransomware blocking, cleanup, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were involved), I'm grateful for letting me get some sleep after we made it past the most critical parts. Everyone did an impressive effort, and if anyone is in the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer case study, see Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware Recovery Services
For 24x7x365 crypto-ransomware cleanup consulting, call Progent at 800-462-8800 or go to Contact Progent.