Ransomware: Your Feared Information Technology Catastrophe
Ransomware has become an all-too-frequent cyberplague that presents an enterprise-level danger for organizations unprepared for an attack. Multiple generations of ransomware such as CrySIS, Fusob, Locky, SamSam and MongoLock have been in the wild for many years and continue to inflict harm. Modern ransomware families such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, plus others as yet unnamed, not only encrypt online data files but also infiltrate any reachable system backup. Data synced to cloud environments can also be corrupted. In a poorly architected environment, this can render automatic restoration hopeless and effectively knocks the entire system back to zero.
Bringing applications and data back online following a crypto-ransomware attack becomes a sprint against the clock as the targeted organization struggles to contain the damage, clean up the ransomware, and resume mission-critical activity. Because ransomware takes time to move laterally, attacks are frequently launched on nights and weekends, when successful intrusions typically take longer to detect. This multiplies the difficulty of promptly mobilizing and organizing a knowledgeable response team.
Progent offers a variety of services for protecting enterprises from ransomware attacks. These include staff education to recognize and avoid phishing exploits, and ProSight Active Security Monitoring (ASM) for endpoint detection and response, which utilizes SentinelOne's behavior-based threat protection to identify and suppress zero-day malware attacks. Progent also provides the assistance of veteran ransomware recovery engineers with the skill and perseverance to redeploy a breached system as quickly as possible.
Progent's Crypto-Ransomware Restoration Support Services
Following a crypto-ransomware attack, paying the ransom in cryptocurrency does not guarantee that the attackers will provide the keys to decrypt any of your information. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their information even after paying the ransom, resulting in further losses. Paying is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than typical ransomware demands, which ZDNET determined to be around $13,000 for smaller businesses. The alternative is to rebuild the essential components of your Information Technology environment. Without access to complete backups, this requires a wide complement of skills, professional team management, and the ability to work continuously until the job is done.
For two decades, Progent has provided certified expert Information Technology services for companies throughout the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have been awarded advanced industry certifications in foundation technologies from Microsoft, Cisco, and VMware, as well as popular distributions of Linux. Progent's security engineers have earned internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise with financial management and ERP software solutions. This breadth of experience gives Progent the ability to rapidly understand critical systems, integrate the surviving parts of your network environment following a ransomware attack, and configure them into a functioning network.
Progent's ransomware team deploys powerful project management systems to orchestrate the complicated restoration process. Progent appreciates the importance of acting quickly and in concert with a client's management and IT staff to prioritize tasks and get critical applications back online as soon as possible.
Customer Case Study: A Successful Ransomware Intrusion Recovery
A client engaged Progent after their network was taken over by the Ryuk crypto-ransomware. Ryuk is believed to have been launched by North Korean state-sponsored criminal gangs, possibly adopting algorithms leaked from the United States National Security Agency. Ryuk targets specific companies with little or no ability to sustain disruption and is among the most profitable strains of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business based in Chicago with around 500 employees. The Ryuk intrusion had shut down all company operations and manufacturing processes. Most of the client's backups had been online at the time of the intrusion and were damaged. The client considered paying the ransom (more than two hundred thousand dollars) and hoping for good luck, but ultimately brought in Progent.
"I cannot tell you enough about the care Progent provided us throughout the most stressful period of (our) company's life. We may have had to pay the hackers behind this attack if not for the confidence the Progent team provided us. That you could get our e-mail and critical applications back online in less than one week was incredible. Each expert I spoke to or e-mailed at Progent was totally committed to getting us back online and was working all day and night to bail us out."
Progent worked with the customer to rapidly identify and prioritize the critical applications that had to be recovered in order to restart company operations:
- Windows Active Directory
- Microsoft Exchange
- Accounting and Manufacturing Software
To start, Progent followed ransomware incident response industry best practices by halting lateral movement and clearing infected systems. Progent then started the work of restoring Windows Active Directory, the heart of enterprise networks built upon Microsoft Windows technology. Exchange messaging will not work without Windows AD, and the customer's MRP applications used SQL Server, which relies on Windows AD for authorization of access to the data.
Within two days, Progent was able to recover Active Directory services to their pre-intrusion state. Progent then completed reinstallations and hard drive recovery on the most important servers. All Exchange data and configuration information were intact, which accelerated the restoration of Exchange. Progent was also able to collect unencrypted OST files (Outlook Offline Data Files) from staff desktop computers and laptops in order to recover mail messages. A reasonably recent offline backup of the company's manufacturing software allowed these essential services to be brought back online for users. Although significant work remained to recover completely from the Ryuk ransomware, core services were returned to operation rapidly:
"For the most part, the production line operation survived unscathed and we did not miss any customer sales."
During the following couple of weeks, key milestones in the restoration process were completed through close cooperation between Progent engineers and the customer:
- In-house web applications were returned to operation with no loss of data.
- The MailStore Exchange Server, containing more than 4 million historical emails, was brought online and made accessible to users.
- CRM, Orders, Invoicing, Accounts Payable (AP), Accounts Receivable (AR), and Inventory functions were 100% functional.
- A new Palo Alto Networks 850 security appliance was brought online.
- 90% of the user PCs were operational.
"So much of what occurred that first week is nearly entirely a blur for me, but our team will not soon forget the dedication all of you put in to give us our company back. I've been working with Progent for at least 10 years, possibly more, and each time Progent has outperformed my expectations and delivered as promised. This situation was no exception but maybe more Herculean."
A likely business-ending catastrophe was averted through the efforts of dedicated experts, a wide array of subject matter expertise, and close teamwork. Post-incident forensics showed that the ransomware attack detailed here should have been identified and prevented by advanced security technology and recognized best practices: user and IT administrator training, appropriate security procedures for data protection, and proper patch management controls. The reality, however, is that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and an ongoing threat. If you do fall victim to ransomware, be assured that Progent's roster of experts has substantial experience in ransomware blocking, cleanup, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thanks very much for letting me get rested after we got past the most critical parts. All of you made a fabulous effort, and if any of you guys are in the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this case study, please click: Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware Remediation Services
For 24x7x365 crypto-ransomware repair services, contact Progent at 800-462-8800 or go to Contact Progent.