Ransomware : Your Feared IT Catastrophe
Crypto-Ransomware has become a too-frequent cyber pandemic that poses an extinction-level threat for organizations poorly prepared for an attack. Versions of ransomware like the CryptoLocker, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for many years and continue to cause havoc. Newer versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, plus additional as yet unnamed newcomers, not only encrypt on-line files but also infiltrate any configured system backups. Data synchronized to off-site disaster recovery sites can also be rendered useless. Where the data protection solution is vulnerable, this can make recovery impossible and effectively sets the network back to zero.
Getting back programs and data after a ransomware intrusion becomes a sprint against the clock as the targeted organization struggles to stop lateral movement, clean up the ransomware and restore business-critical activity. Because ransomware requires time to move laterally, penetrations are usually sprung at night, when successful attacks are likely to take longer to recognize. This multiplies the difficulty of promptly assembling and coordinating a qualified response team.
Progent provides a variety of solutions for securing businesses from ransomware events. These include staff education to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus installation of the latest generation security appliances with machine learning capabilities to automatically identify and disable zero-day threats. Progent also can provide the services of expert ransomware recovery consultants with the talent and perseverance to restore a compromised network as soon as possible.
Progent's Crypto-Ransomware Recovery Help
Soon after a crypto-ransomware penetration, paying the ransom demand in Bitcoin cryptocurrency does not provide any assurance that merciless criminals will return the keys to decrypt any of your data. Kaspersky Labs determined that seventeen percent of ransomware victims never restored their data even after having sent off the ransom, resulting in increased losses. The ransom itself is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the average crypto-ransomware demand, which ZDNET determined to be around $13,000 for smaller organizations. The fallback is to piece back together the key elements of your IT environment. Without access to complete data backups, this requires a wide range of skills, professional team management, and the capability to work 24x7 until the recovery project is done.
For two decades, Progent has provided expert Information Technology services for businesses across the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have been awarded high-level industry certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have garnered internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of experience gives Progent the skills to quickly identify critical systems, organize the surviving parts of your Information Technology environment after a crypto-ransomware penetration, and assemble them into an operational whole.
Progent's security team of experts has powerful project management systems to orchestrate the complicated restoration process. Progent knows the urgency of working swiftly and in concert with a client's management and Information Technology team members to assign priority to tasks and to get critical systems back on-line as soon as possible.
Business Case Study: A Successful Ransomware Attack Response
A client escalated to Progent after their company was crippled by the Ryuk ransomware. Ryuk is believed to have been developed by North Korean government sponsored hackers, possibly adopting algorithms leaked from the United States National Security Agency. Ryuk attacks specific companies with limited tolerance for disruption and is one of the most profitable instances of crypto-ransomware. High-profile victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing company based in Chicago with about 500 staff members. The Ryuk event had frozen all business operations and manufacturing capabilities. The majority of the client's system backups had been online at the start of the intrusion and were destroyed. The client considered paying the ransom (more than $200K) and hoping for the best, but ultimately reached out to Progent.
"I can’t thank you enough for the care Progent gave us during the most critical time of (our) company’s survival. We may have had to pay the criminal gangs if not for the confidence the Progent group provided us. That you could get our e-mail system and production applications back quicker than one week was earth shattering. Every single consultant I talked with or messaged at Progent was totally committed to getting us operational and was working all day and night to bail us out."
Progent worked hand in hand with the client to quickly identify and prioritize the essential services that had to be restored to make it possible to resume company operations:
- Active Directory (AD)
- MRP System
To start, Progent followed incident response best practices by stopping lateral movement and removing active malware. Progent then began the process of bringing Active Directory back online, the key technology of enterprise networks built on Microsoft Windows Server. Microsoft Exchange email will not function without AD, and the customer’s accounting and MRP system relied on Microsoft SQL Server, which depends on Active Directory for authentication and authorization to the database.
In less than 48 hours, Progent restored Windows Active Directory to its pre-penetration state. Progent then completed setup and storage recovery on critical servers. All Microsoft Exchange Server connections and configuration information were intact, which greatly helped the restoration of Exchange. Progent was able to collect unencrypted OST files (Microsoft Outlook Offline Data Files) from staff PCs and laptops in order to recover mail data. A recent off-line backup of the client's accounting systems made it possible to bring these essential services back online for users. Although major work remained to recover fully from the Ryuk virus, critical systems were recovered rapidly:
"For the most part, the production operation showed little impact and we produced all customer deliverables."
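The restoration sequence described above (Active Directory first, because Exchange and SQL Server depend on it; the accounting/MRP system after SQL Server; mail rebuilt from unencrypted OST files where the online backups were destroyed) is a dependency problem that can be planned mechanically. The following is an added example, not Progent's tooling or anything from the case study: a small recovery planner that topologically sorts a constructed service inventory and, for each service, records whether it can come back from an offline backup, from an alternate source, or must be rebuilt from scratch. The service names, dependency edges and backup states are constructed assumptions modelled on the narrative above.

```python
"""Dependency-ordered ransomware recovery planner (added example, constructed data)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Service:
    name: str
    depends_on: list = field(default_factory=list)
    offline_backup: bool = False   # True if a backup survived untouched offline
    alternate_source: str = ""     # e.g. per-user OST files for mail, if no backup


# Constructed inventory (assumption): Exchange and SQL Server need Active
# Directory; the accounting/MRP application needs SQL Server. Only AD and
# accounting had offline backups; mail can be rebuilt from OST files.
INVENTORY = [
    Service("Active Directory", [], offline_backup=True),
    Service("Exchange", ["Active Directory"], alternate_source="user OST files"),
    Service("SQL Server", ["Active Directory"]),
    Service("Accounting/MRP", ["SQL Server"], offline_backup=True),
]


def restore_order(services):
    """Kahn's topological sort: every dependency is restored before the
    services that need it. Raises on a cycle or an unknown dependency so a
    mis-modelled inventory is caught before anyone starts restoring."""
    by_name = {s.name: s for s in services}
    indegree = {s.name: 0 for s in services}
    dependents = defaultdict(list)
    for s in services:
        for dep in s.depends_on:
            if dep not in by_name:
                raise ValueError(f"{s.name} depends on unknown service {dep!r}")
            indegree[s.name] += 1
            dependents[dep].append(s.name)
    # Sorted so the plan is stable across runs.
    ready = deque(sorted(n for n, d in indegree.items() if d == 0))
    order = []
    while ready:
        current = ready.popleft()
        order.append(current)
        for dependent in sorted(dependents[current]):
            indegree[dependent] -= 1
            if indegree[dependent] == 0:
                ready.append(dependent)
    if len(order) != len(services):
        raise ValueError("dependency cycle in inventory")
    return order


def recovery_plan(services):
    """Pair each service, in restore order, with the way it can be recovered."""
    by_name = {s.name: s for s in services}
    plan = []
    for name in restore_order(services):
        s = by_name[name]
        if s.offline_backup:
            method = "restore from offline backup"
        elif s.alternate_source:
            method = f"rebuild from {s.alternate_source}"
        else:
            method = "NO CLEAN BACKUP: rebuild from scratch"
        plan.append((name, method))
    return plan


if __name__ == "__main__":
    for step, (name, method) in enumerate(recovery_plan(INVENTORY), 1):
        print(f"{step}. {name}: {method}")
```

The value of running this before the restoration starts is the third branch: any service that has neither an offline backup nor an alternate source is the one that will dominate the recovery timeline, and the dependency order tells you which of those blocks the most downstream systems.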
Over the next few weeks key milestones in the restoration process were made through close collaboration between Progent consultants and the client:
- Internal web sites were restored without losing any information.
- The MailStore Server, holding more than four million archived messages, was brought online and made available to users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/AR/Inventory functions were completely recovered.
- A new Palo Alto Networks 850 firewall was set up and programmed.
- Most of the user desktops and notebooks were fully operational.
"A huge amount of what happened that first week is mostly a fog for me, but my team will not soon forget the urgency all of you accomplished to give us our business back. I have utilized Progent for the past 10 years, possibly more, and each time Progent has come through and delivered as promised. This situation was a life saver."
A potential business-killing catastrophe was dodged by top-tier professionals, a wide range of knowledge, and close collaboration. Although in retrospect the ransomware virus incident detailed here would have been shut down with current security systems and ISO/IEC 27001 best practices, user and IT administrator education, and well designed security procedures for information backup and keeping systems up to date with security patches, the fact remains that state-sponsored cybercriminals from Russia, China and elsewhere are relentless and are not going away. If you do get hit by a crypto-ransomware penetration, remember that Progent's roster of professionals has a proven track record in ransomware virus blocking, cleanup, and file recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), I’m grateful for allowing me to get rested after we got past the most critical parts. Everyone did a fabulous job, and if anyone is visiting the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Services
For 24/7 crypto-ransomware repair consulting, contact Progent at 800-462-8800 or go to Contact Progent.