Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become a modern cyberplague that represents an enterprise-level danger for any organization vulnerable to an attack. Multiple generations of ransomware like the CrySIS, WannaCry, Locky, SamSam and MongoLock cryptoworms have been replicating for many years and continue to inflict harm. Newer versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, along with additional unnamed variants, not only encrypt online data files but also reach every system restore point and backup that is accessible from the infected network. Information synched to the cloud can also be encrypted. In a poorly architected data protection solution, this can render any recovery useless and basically knock the network back to square one.
Recovering programs and data following a ransomware outage becomes a sprint against the clock as the targeted business struggles to stop lateral movement, clean up the crypto-ransomware and restore mission-critical activity. Since ransomware needs time to spread, attacks are often sprung at night, when they are likely to take longer to discover. This multiplies the difficulty of rapidly marshalling and coordinating a knowledgeable response team.
Progent provides an assortment of help services for securing Los Angeles enterprises from ransomware attacks. These include team member training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of the latest generation security gateways with AI technology to automatically detect and extinguish new threats. Progent also can provide the assistance of expert crypto-ransomware recovery consultants with the skills and perseverance to re-deploy a breached environment as soon as possible.
Progent's Crypto-Ransomware Recovery Services
After a crypto-ransomware event, paying the ransom in Bitcoin cryptocurrency does not guarantee that merciless criminals will return the keys to decrypt all your data. Kaspersky determined that 17% of crypto-ransomware victims never recovered their information after having sent off the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is greatly above the average ransomware demand, which ZDNET determined to be approximately $13,000 for small organizations. The other path is to set up from scratch the essential elements of your Information Technology environment. Without the availability of essential system backups, this calls for a wide range of skill sets, well-coordinated project management, and the ability to work non-stop until the task is finished.
For twenty years, Progent has provided professional Information Technology services for companies throughout the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have attained top certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have earned internationally-renowned industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent in addition has experience in accounting and ERP software solutions. This breadth of experience gives Progent the ability to quickly identify necessary systems, organize the surviving components of your computer network after a crypto-ransomware penetration, and configure them into an operational system.
Progent's recovery team uses powerful project management systems to orchestrate the complicated restoration process. Progent understands the urgency of acting rapidly and in unison with a client's management and IT staff to prioritize tasks and to get critical systems back on-line as fast as possible.
Client Story: A Successful Ransomware Incident Recovery
A business contacted Progent after their company was attacked by the Ryuk ransomware. Ryuk is thought to have been created by North Korean state-sponsored cybercriminals, possibly adopting techniques leaked from the U.S. National Security Agency. Ryuk targets specific companies with little or no ability to sustain disruption and is among the most lucrative instances of ransomware malware. Highly publicized victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturer located in Chicago with around 500 staff members. The Ryuk intrusion had brought down all business operations and manufacturing processes. The majority of the client's information backups had been directly accessible from the network at the time of the attack and were eventually encrypted. The client was evaluating paying the ransom (in excess of two hundred thousand dollars) and praying for good luck, but ultimately made the decision to use Progent.
"I cannot tell you enough about the help Progent gave us during the most fearful time of (our) business's existence. We would have paid the criminal gangs if it wasn't for the confidence the Progent team afforded us. The fact that you could get our e-mail system and critical servers back sooner than seven days was earth shattering. Each staff member I spoke to or communicated with at Progent was absolutely committed to getting our company operational and was working at breakneck pace to bail us out."
Progent worked together with the customer to quickly identify and prioritize the essential systems that needed to be recovered in order to continue company functions:
- Windows Active Directory
- Microsoft Exchange
To get going, Progent followed ransomware incident response industry best practices by halting lateral movement and cleaning up infected systems. Progent then began the steps of bringing back online Active Directory, the foundation of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not operate without AD, and the business's accounting and MRP software used Microsoft SQL Server, which relied on Windows AD for authentication to the database.
In less than two days, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then charged ahead with setup and hard drive recovery of critical systems. All Exchange Server ties and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was also able to assemble local OST files (Microsoft Outlook Offline Folder Files) from team workstations and laptops in order to recover email messages. A recent off-line backup of the business's accounting software, which the ransomware could not reach, made it possible to bring these required services back online. Although major work remained to recover fully from the Ryuk attack, essential systems were restored rapidly:
"For the most part, the production operation was never shut down and we did not miss any customer orders."
Over the next few weeks important milestones in the recovery project were accomplished in close collaboration between Progent consultants and the client:
- Self-hosted web applications were restored without losing any information.
- The MailStore Microsoft Exchange Server with over 4 million archived messages was restored to operations and available for users.
- CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory Control modules were completely operational.
- A new Palo Alto 850 firewall was set up.
- Nearly all of the user desktops and notebooks were back into operation.
"A huge amount of what occurred in the early hours is mostly a fog for me, but we will not forget the countless hours each of you put in to give us our company back. I have been working with Progent for at least 10 years, possibly more, and each time I needed help Progent has come through and delivered as promised. This event was no exception but maybe more Herculean."
A potential enterprise-killing catastrophe was evaded due to top-tier professionals, a wide spectrum of subject matter expertise, and close collaboration. The post-mortem showed that the crypto-ransomware penetration described here could have been blocked with current security systems and recognized best practices: user and IT administrator education, appropriate security procedures for data protection (including backups the malware cannot reach), and keeping systems up to date with security patches. Nevertheless, the reality remains that government-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and will continue. If you do fall victim to a ransomware attack, remember that Progent's team of experts has proven experience in ransomware defense, mitigation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were helping), thanks very much for making it so I could get rested after we got through the initial fire. Everyone did an impressive job, and if anyone is in the Chicago area, dinner is the least I can do!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Expertise in Los Angeles
For ransomware system recovery expertise in the Los Angeles metro area, call Progent at 800-462-8800 or see Contact Progent.