Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become a modern cyberplague that presents an enterprise-level danger to businesses of all sizes. Earlier iterations of ransomware such as Dharma, WannaCry, Locky, SamSam and MongoLock cryptoworms have been circulating for many years and continue to cause havoc. Modern variants such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, along with new, as yet unnamed malware appearing daily, not only encrypt online files but also seek out and destroy any system backups they can reach. Information synchronized to off-site disaster recovery sites can be ransomed as well. Against a vulnerable data protection solution, this makes automatic recovery impossible and effectively knocks the network back to square one.
Getting applications and data back online after a crypto-ransomware outage becomes a race against time as the victim fights to contain and clean up the ransomware and to resume mission-critical operations. Because crypto-ransomware needs time to spread, attacks are often launched on weekends and holidays, when an intrusion may take longer to recognize. This multiplies the difficulty of rapidly assembling and orchestrating an experienced mitigation team.
Progent offers an assortment of services for protecting Corpus Christi organizations from crypto-ransomware penetrations. Among these are staff training to help employees recognize and avoid falling victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of the latest generation of security solutions with AI capabilities to automatically detect and extinguish new threats. Progent also offers the services of expert ransomware recovery consultants with the skills and perseverance to restore a compromised system as rapidly as possible.
Progent's Ransomware Restoration Help
After a ransomware penetration, even paying the ransom demand in Bitcoin cryptocurrency provides no assurance that the criminal gang will deliver the keys needed to decrypt any or all of your data. Kaspersky estimated that 17% of ransomware victims never recovered their data even after paying the ransom, compounding their losses. Paying is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the usual ransomware demand, which ZDNET determined to be approximately $13,000 for small businesses. The fallback is to set up the vital components of your IT environment from scratch. Without full information backups available, this calls for a broad range of skill sets, well-coordinated project management, and the willingness to work 24x7 until the task is done.
For decades, Progent has provided certified expert Information Technology services to businesses across the U.S. and has earned Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have attained top industry certifications in key technologies such as Microsoft, Cisco, VMware, and the major distributions of Linux. Progent's cybersecurity consultants hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise with financial management and ERP applications. This breadth of experience gives Progent the ability to rapidly identify important systems, organize the remaining components of your network environment after a crypto-ransomware penetration, and rebuild them into a functioning system.
Progent's ransomware group uses powerful project management applications to coordinate the sophisticated recovery process. Progent knows the importance of working rapidly and in concert with a client's management and IT team members to assign priority to tasks and to get critical systems back online as fast as humanly possible.
Business Case Study: A Successful Ransomware Penetration Response
A small business engaged Progent after its network was penetrated by the Ryuk ransomware. Ryuk is believed to have been developed by North Korean state criminal gangs, suspected of using techniques leaked from the U.S. National Security Agency. Ryuk targets specific businesses with little or no room for operational disruption and is one of the most lucrative iterations of ransomware. Well-known victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in the Chicago metro area with about 500 employees. The Ryuk penetration had brought down all essential operations and manufacturing capabilities. Most of the client's information backups had been online at the beginning of the intrusion and were destroyed. The client was pursuing financing to pay the ransom (exceeding $200K) and hoping for the best, but in the end decided to engage Progent.
"I can't tell you enough in regards to the expertise Progent gave us during the most stressful time of (our) company's life. We most likely would have paid the cyber criminals except for the confidence the Progent team gave us. That you could get our messaging and critical servers back online faster than seven days was incredible. Each expert I spoke to or communicated with at Progent was laser focused on getting us operational and was working 24/7 to bail us out."
Progent worked with the customer to rapidly assess and prioritize the key services that had to be restored to allow company operations to continue:
- Active Directory (AD)
- Microsoft Exchange
- Accounting and Manufacturing Software
First, Progent followed industry best practices for malware incident response by halting the spread and disinfecting systems. Progent then began rebuilding Windows Active Directory, the foundational technology of enterprise networks built on Microsoft Windows Server. Microsoft Exchange Server messaging will not function without Active Directory, and the customer's MRP applications relied on Microsoft SQL Server, which depends on Windows AD for authenticating access to the data.
Within two days, Progent had restored Windows Active Directory to its pre-penetration state. Progent then set up the needed servers and recovered their hard drives. All Microsoft Exchange Server data and configuration information were usable, which greatly simplified the restoration of Exchange. Progent was also able to find intact OST files (Microsoft Outlook Offline Folder files) on staff PCs and used them to recover email data. A recent offline backup of the client's accounting/MRP systems made it possible to bring these vital programs back online. Although a great deal of work remained before the Ryuk event was fully remediated, core services were recovered quickly:
"For the most part, the production operation did not miss a beat and we did not miss any customer shipments."
Over the following few weeks, critical milestones in the recovery project were completed in close cooperation between Progent team members and the client:
- In-house web applications were returned to operation with no loss of data.
- The MailStore Microsoft Exchange Server containing more than 4 million historical messages was spun up and available for users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory Control capabilities were fully functional.
- A new Palo Alto Networks 850 security appliance was brought online.
- Ninety percent of the desktops and laptops were fully operational.
"A lot of what was accomplished in the early hours is mostly a fog for me, but our team will not forget the urgency each and every one of the team put in to give us our business back. I've trusted Progent for the past ten years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This time was a stunning achievement."
A potentially business-ending catastrophe was averted through dedicated professionals, a wide spectrum of knowledge, and close collaboration. In hindsight, the ransomware incident described here would have been identified and stopped by modern cybersecurity systems, adherence to NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, and appropriate procedures for data backup and for keeping systems current with security patches. The reality, however, is that state-sponsored hackers from Russia, China and elsewhere are tireless and are not going away. If you do get hit by a ransomware attack, remember that Progent's team of experts has substantial experience in crypto-ransomware blocking, remediation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were helping), thank you for making it so I could get some sleep after we made it over the initial fire. All of you made an amazing effort, and if anyone that helped is visiting the Chicago area, dinner is my treat!"
Download the Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this ransomware incident report, see Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Restoration Services in Corpus Christi
For ransomware system recovery expertise in the Corpus Christi metro area, phone Progent at 800-462-8800 or visit Contact Progent.