Ransomware : Your Worst IT Catastrophe
Crypto-ransomware has become an all-too-frequent cyber pandemic that presents an existential threat to businesses poorly prepared for an attack. Ransomware families such as Dharma, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been replicating for many years and still inflict destruction. More recent strains such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Nephilim, along with unnamed newcomers, not only encrypt on-line data but also attack any system protection mechanisms they can reach. Data replicated to off-site disaster recovery sites can also be rendered useless. In a poorly designed data protection solution, this can make automated restore operations hopeless and effectively sets the datacenter back to square one.
Restoring services and data after a ransomware outage becomes a sprint against the clock as the targeted business tries its best to contain and clean up the ransomware and to resume mission-critical operations. Because ransomware needs time to move laterally, attacks are often launched during nights and weekends, when they are likely to take longer to discover. This multiplies the difficulty of rapidly mobilizing and organizing an experienced mitigation team.
Progent offers a range of services for protecting enterprises from ransomware penetrations. Among these are team training to recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security solutions that use artificial intelligence to automatically detect and quarantine new cyber threats. Progent can also provide expert ransomware recovery professionals with the track record and perseverance to rebuild a compromised environment as urgently as possible.
Progent's Ransomware Recovery Support Services
After a crypto-ransomware attack, paying the ransom in Bitcoin does not ensure that the cyber criminals will return the keys to decrypt any or all of your data. Kaspersky found that seventeen percent of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The stakes are also high. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than typical crypto-ransomware demands, which ZDNET found to be in the range of $13,000 for smaller businesses. The other path is to rebuild the essential elements of your IT environment. Without access to essential data backups, this requires a broad range of skills, well-coordinated project management, and the willingness to work around the clock until the job is finished.
For decades, Progent has offered certified expert IT services to businesses throughout the U.S. and has earned Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who hold high-level certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security specialists hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise in accounting and ERP applications. This breadth of expertise gives Progent the ability to rapidly identify critical systems, integrate the surviving pieces of your IT environment after a ransomware attack, and assemble them into an operational network.
Progent's security team uses state-of-the-art project management tools to coordinate the complex restoration process. Progent understands the importance of acting quickly and in concert with a client's management and IT resources to prioritize tasks and bring the most important applications back online as soon as possible.
Business Case Study: A Successful Ransomware Intrusion Recovery
A business hired Progent after its network was crashed by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state-backed criminal gangs, possibly adopting techniques leaked from the U.S. NSA. Ryuk targets specific companies with little or no ability to sustain disruption and is among the most profitable ransomware strains. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company in the Chicago metro area with about 500 employees. The Ryuk penetration had disabled all business operations and manufacturing capabilities. Most of the client's data backups had been on-line at the time of the intrusion and were destroyed. The client was pursuing financing to pay the ransom (in excess of $200,000) and hoping for the best, but in the end decided to engage Progent.
"I cannot speak enough in regards to the expertise Progent gave us during the most fearful period of (our) company's life. We would have had little choice but to pay the cyber criminals behind the attack if it wasn't for the confidence the Progent experts afforded us. The fact that you were able to get our messaging and key servers back into operation in less than one week was something I thought impossible. Each person I worked with or communicated with at Progent was urgently focused on getting us restored and was working at all hours on our behalf."
Progent worked hand in hand with the customer to rapidly understand and prioritize the essential services that had to be recovered to make it possible to resume departmental operations:
- Active Directory
- Microsoft Exchange
To begin, Progent followed antivirus/malware incident response best practices by stopping lateral movement and performing malware removal. Progent then began recovering Microsoft Active Directory, the core technology of enterprise networks built on Microsoft products. Microsoft Exchange Server email will not operate without Active Directory, and the business's MRP software used Microsoft SQL Server, which depends on Active Directory for authenticating and authorizing access to the databases.
In less than 2 days, Progent rebuilt Active Directory services to their pre-intrusion state. Progent then performed rebuilding and hard drive recovery of the required servers. All Microsoft Exchange Server connections and configuration information were intact, which accelerated the restoration of Exchange. Progent was able to find local OST files (Outlook off-line data files) on various PCs and laptops and use them to recover mail data. A fairly recent off-line backup of the business's financials/MRP systems made it possible to bring these vital services back online for users. Although significant work remained to recover completely from the Ryuk attack, core systems were recovered rapidly:
"For the most part, the production line operation ran fairly normal throughout and we delivered all customer orders."
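The recovery described above relied on Outlook OST caches that survived on individual PCs. The following is an added example, not Progent's tooling, of how a recovery team could inventory those caches across a set of workstations so it knows which mail data is available before rebuilding Exchange; the hostnames and the intrusion cutoff time are constructed, and it assumes the running account has administrative access to each host's C$ share.

```powershell
# Added example: inventory Outlook OST files on workstations reachable over the admin share.
# Assumptions: admin rights on each host, C$ reachable, $AttackStart is the earliest known
# time of the intrusion. Hostnames and the cutoff below are constructed sample values.
$Hosts       = @('WS-SALES-01', 'WS-ACCT-02')
$AttackStart = Get-Date '2019-11-30 22:00'

$results = foreach ($h in $Hosts) {
    $root = "\\$h\C$\Users"
    if (-not (Test-Path -Path $root)) {
        Write-Warning "$h : admin share not reachable, skipping"
        continue
    }
    # Ransomware usually renames the files it encrypts, so files that still carry the
    # .ost extension are the candidates worth looking at; each is reported with owner,
    # size and last write time so the team can judge how current the cache is.
    Get-ChildItem -Path $root -Recurse -Filter '*.ost' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Host         = $h
                User         = $_.FullName.Split('\')[5]   # \\host\C$\Users\<user>\...
                Path         = $_.FullName
                SizeMB       = [math]::Round($_.Length / 1MB, 1)
                LastWrite    = $_.LastWriteTime
                # Written before the intrusion window: a clean pre-attack copy.
                # Written after it: verify the host's state before trusting the cache.
                PreIntrusion = $_.LastWriteTime -lt $AttackStart
            }
        }
}

$results | Sort-Object Host, User | Format-Table -AutoSize
$results | Export-Csv -Path .\ost-inventory.csv -NoTypeInformation
```

Running this before touching the mail servers gives the team a per-user list of recoverable mailboxes and their currency, which drives the order in which mailboxes are re-imported.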
Over the following month, key milestones in the recovery were reached through close cooperation between Progent engineers and the client:
- Self-hosted web applications were returned to operation without losing any data.
- The MailStore Server containing more than four million historical emails was restored to operations and accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control modules were completely operational.
- A new Palo Alto 850 security appliance was installed and configured.
- 90% of the user PCs were back in use by staff.
"A lot of what transpired that first week is mostly a fog for me, but my team will not forget the care all of you put in to help get our business back. I've trusted Progent for the past ten years, possibly more, and every time I needed help Progent has shined and delivered. This situation was a testament to your capabilities."
A probable business catastrophe was averted thanks to top-tier professionals, a broad spectrum of IT skills, and tight teamwork. Although in retrospect the ransomware attack described here could have been stopped with up-to-date security solutions and best practices, user and IT administrator education, and properly executed incident response procedures for data backup and patch management, the fact remains that government-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and will keep trying. If you do fall victim to a ransomware attack, remember that Progent's roster of professionals has substantial experience in ransomware defense, removal, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thank you for allowing me to get rested after we got through the most critical parts. All of you did an impressive job, and if anyone that helped is in the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Repair Expertise
For 24-Hour ransomware recovery consulting, reach out to Progent at 800-993-9400 or go to Contact Progent.