Ransomware: Your Crippling Information Technology Disaster
Crypto-ransomware has become an escalating cyberplague that presents an enterprise-level danger for organizations unprepared for an assault. Earlier versions of crypto-ransomware such as the CryptoLocker, WannaCry, Locky, Syskey and MongoLock cryptoworms have been replicating for a long time and still inflict destruction. Newer variants of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Nephilim, along with more as yet unnamed malware, not only encrypt online files but also infect any system backups they can reach. Files replicated to off-site disaster recovery sites can also be ransomed. With a vulnerable data protection solution, this can render automatic restore operations impossible and effectively set the datacenter back to square one.
Getting programs and data back online after a ransomware intrusion becomes a race against time as the targeted business tries its best to stop lateral movement, eradicate the ransomware, and resume business-critical operations. Because ransomware takes time to spread, attacks are frequently sprung on weekends, when a successful penetration is likely to take longer to detect. This compounds the difficulty of rapidly marshalling and organizing an experienced response team.
Progent makes available a range of support services for protecting Orlando businesses from ransomware attacks. These include staff education to help identify and avoid phishing attempts, and ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR), which utilizes SentinelOne's AI-based threat protection to identify and suppress zero-day malware attacks. Progent also offers the assistance of seasoned crypto-ransomware recovery engineers with the talent and commitment to restore a compromised network as rapidly as possible.
Progent's Ransomware Recovery Support Services
Soon after a ransomware attack, even paying the ransom demand in Bitcoin cryptocurrency does not ensure that the cyber criminals will respond with the keys needed to decrypt any or all of your information. Kaspersky Labs ascertained that seventeen percent of ransomware victims never recovered their data after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is greatly above the typical ransomware demand, which ZDNET estimated to be in the range of $13,000 for smaller businesses. The fallback is to re-install the key elements of your IT environment. Without access to complete system backups, this requires a broad range of skills, top-notch project management, and the capability to work continuously until the job is complete.
For decades, Progent has offered certified expert IT services for businesses throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have earned high-level industry certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have garnered internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications.) Progent also has experience with accounting and ERP application software. This breadth of expertise gives Progent the ability to knowledgeably identify critical systems, integrate the remaining pieces of your IT system following a ransomware penetration, and configure them into an operational network.
Progent's security team uses powerful project management systems to orchestrate the complex restoration process. Progent understands the urgency of acting rapidly and in unison with a customer's management and IT team members to assign priority to tasks and to get critical applications back online as fast as possible.
Business Case Study: A Successful Ransomware Incident Restoration
A business engaged Progent after their organization was taken over by Ryuk crypto-ransomware. Ryuk is believed to have been created by North Korean state hackers, possibly adopting techniques leaked from the United States National Security Agency. Ryuk goes after specific companies with little or no room for disruption and is one of the most profitable versions of ransomware. Well-known victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing company based in Chicago with around 500 employees. The Ryuk penetration had frozen all business operations and manufacturing processes. The majority of the client's information backups had been online at the start of the intrusion and were encrypted. The client was taking steps to pay the ransom (more than two hundred thousand dollars) and praying for good luck, but in the end utilized Progent.
"I can't say enough in regards to the care Progent provided us during the most stressful time of (our) business's existence. We would have paid the cybercriminals if not for the confidence the Progent team gave us. That you were able to get our messaging and critical servers back into operation in less than one week was incredible. Every single expert I talked with or e-mailed at Progent was amazingly focused on getting us working again and was working all day and night on our behalf."
Progent worked with the client to rapidly understand and assign priority to the key systems that needed to be restored to make it possible to restart business functions:
- Active Directory (AD)
- Electronic Mail
To get going, Progent followed industry best practices for malware incident mitigation by isolating and removing active infections. Progent then began the work of recovering Active Directory, the heart of enterprise environments built on Microsoft Windows technology. Exchange email will not function without Windows AD, and the customer's financials and MRP software relied on Microsoft SQL Server, which depends on Active Directory for access to the database.
In less than two days, Progent was able to recover Active Directory to its pre-penetration state. Progent then performed reinstallations and hard drive recovery of mission-critical systems. All Exchange Server ties and attributes were intact, which greatly helped the rebuild of Exchange. Progent was also able to find intact OST data files (Outlook Offline Folder Files) on staff desktop computers and laptops to recover mail messages. A recent offline backup of the business's accounting software made it possible to return these vital programs to users. Although a lot of work remained to recover completely from the Ryuk attack, critical systems were restored rapidly:
"For the most part, the production line operation survived unscathed and we made all customer orders."
Over the next few weeks, key milestones in the recovery process were achieved through close collaboration between Progent consultants and the customer:
- In-house web sites were restored with no loss of information.
- The MailStore Server with over 4 million archived emails was spun up and made available to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivable (AR)/Inventory capabilities were 100% operational.
- A new Palo Alto 850 firewall was set up and configured.
- Most of the user workstations were back in operation.
"So much of what happened in the early hours is mostly a blur for me, but our team will not soon forget the commitment all of your team put in to help get our business back. I have entrusted Progent for the past 10 years, maybe more, and each time Progent has impressed me and delivered. This time was a testament to your capabilities."
A likely business disaster was averted by dedicated professionals, a wide array of subject matter expertise, and close collaboration. Although in hindsight the ransomware attack detailed here would have been prevented with modern security systems and ISO/IEC 27001 best practices, team training, and well-thought-out security procedures for data protection and proper patching controls, the fact remains that state-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by a crypto-ransomware penetration, feel confident that Progent's roster of experts has proven experience in ransomware blocking, remediation, and file restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for allowing me to get rested after we got over the first week. Everyone did an amazing job, and if anyone is in the Chicago area, dinner is the least I can do!"
Download the Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click: Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware Recovery Consulting in Orlando
For ransomware system recovery services in the Orlando metro area, phone Progent at 800-462-8800 or see Contact Progent.