Ransomware: Your Feared Information Technology Disaster
Ransomware has become an escalating cyberplague that represents an existential threat to businesses of all sizes that are poorly prepared for an attack. Older ransomware families such as Dharma, Fusob, Bad Rabbit, NotPetya and MongoLock have been around for years and continue to inflict havoc. Newer crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, along with unnamed newcomers, not only encrypt on-line data but also delete or encrypt any reachable restore points, shadow copies and backups. Data synced to the cloud can be rendered useless as well, because the sync client replicates the encrypted versions over the good copies. If the data protection design leaves backups reachable from the compromised network, restoration can become hopeless and the entire environment is effectively knocked back to zero.
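The backup destruction described above usually shows up in process-creation telemetry minutes before encryption starts: the well-known pre-encryption scripts run vssadmin to delete shadow copies or shrink shadow storage, wbadmin to delete the Windows backup catalog, and bcdedit to turn off boot recovery. The following Python detector is an added example, not code from Progent or from this case study, that flags those commands in a simple pipe-delimited export of Sysmon Event ID 1 or Security Event ID 4688 command lines and escalates any host that runs several of them. The log format and the sample events are constructed for the example; the host names, users and timestamps are not from the incident described on this page.

```python
"""Flag the backup- and recovery-destruction commands ransomware typically runs
just before encrypting, in process-creation logs.

Input is one record per line: time|host|user|parent_image|command_line
(constructed format for this example; adapt the split for your SIEM export).
"""
import re
from collections import defaultdict
from dataclasses import dataclass


def _tool(exe: str) -> str:
    # Match the tool name with or without .exe, optionally at the end of a
    # quoted path such as "C:\Windows\System32\vssadmin.exe", then whitespace.
    return r"\b" + exe + r"(\.exe)?\"?\s+"


# Commands commonly seen in ransomware pre-encryption scripts. Read-only
# commands such as "vssadmin list shadows" are deliberately not matched.
DESTRUCTIVE_PATTERNS = [
    ("vss_delete_shadows", re.compile(_tool("vssadmin") + r"delete\s+shadows\b", re.I)),
    ("vss_shrink_storage", re.compile(_tool("vssadmin") + r"resize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(_tool("wmic") + r"shadowcopy\s+delete\b", re.I)),
    ("wbadmin_delete_backup", re.compile(_tool("wbadmin") + r"delete\s+(catalog|systemstatebackup)\b", re.I)),
    ("bcdedit_disable_recovery", re.compile(
        _tool("bcdedit") + r"/set\s+(\{default\}\s+)?(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b",
        re.I)),
]


@dataclass(frozen=True)
class Alert:
    time: str
    host: str
    user: str
    technique: str
    command_line: str


def scan_events(lines):
    """Return one Alert per (event, matched technique). Malformed lines are skipped."""
    alerts = []
    for line in lines:
        parts = line.rstrip("\n").split("|", 4)
        if len(parts) != 5:
            continue  # not the five-field format; never let junk crash the detector
        time, host, user, _parent, cmd = parts
        for name, pattern in DESTRUCTIVE_PATTERNS:
            if pattern.search(cmd):
                alerts.append(Alert(time, host, user, name, cmd))
    return alerts


def triage(alerts, min_techniques=2):
    """Rate each host. Several distinct destruction techniques on one host is the
    pre-encryption pattern and rates 'critical'; a single hit can be an admin
    reclaiming disk space and rates 'high' for review."""
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a.host].add(a.technique)
    return {h: ("critical" if len(t) >= min_techniques else "high") for h, t in by_host.items()}


SAMPLE_EVENTS = [  # constructed sample telemetry for this example
    r"2021-03-06T02:14:07Z|FS01|CORP\svc_backup|C:\Windows\System32\cmd.exe|vssadmin.exe Delete Shadows /all /quiet",
    r"2021-03-06T02:14:08Z|FS01|CORP\svc_backup|C:\Windows\System32\cmd.exe|vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB",
    r'2021-03-06T02:14:09Z|FS01|CORP\svc_backup|C:\Windows\System32\cmd.exe|"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled No',
    r"2021-03-06T02:14:10Z|FS01|CORP\svc_backup|C:\Windows\System32\cmd.exe|wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0",
    r"2021-03-06T09:30:00Z|WS17|CORP\jdoe|C:\Windows\explorer.exe|notepad.exe C:\Users\jdoe\notes.txt",
    r"2021-03-06T10:02:11Z|BK02|CORP\admin|C:\Windows\System32\cmd.exe|vssadmin list shadows",
    r"2021-03-06T10:05:40Z|BK02|CORP\admin|C:\Windows\System32\cmd.exe|vssadmin delete shadows /for=D: /oldest",
    "garbage line without the expected fields",
]

if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.time} {a.host} {a.user}: {a.technique}  <- {a.command_line}")
    for host, severity in triage(found).items():
        print(f"{host}: {severity}")
```

In the sample, FS01 runs four different destruction commands within seconds under a backup service account and is rated critical, while BK02's single shadow deletion of the oldest copy on D: is flagged for review but not escalated. Detection only helps if at least one backup copy is offline or immutable and therefore out of reach of the same commands.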
Getting applications and data back on-line after a ransomware event becomes a sprint against the clock as the victim tries to contain the damage, eradicate the ransomware and restore mission-critical operations. Because crypto-ransomware needs time to move laterally before it is triggered, attackers often detonate the encryption on weekends, when the intrusion may take longer to notice. This compounds the difficulty of rapidly assembling and organizing an experienced response team.
Progent offers a range of support services for protecting Manchester enterprises from crypto-ransomware attacks. These include staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of modern security gateways with AI-based threat detection to rapidly identify and block zero-day threats. Progent can also provide veteran ransomware recovery engineers with the track record and commitment to rebuild a compromised network as quickly as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware attack, paying the ransom in cryptocurrency does not guarantee that the remote criminals will respond with working keys to decrypt any or all of your files. Kaspersky estimated that 17% of ransomware victims never recovered their data even after paying, compounding their losses. Paying is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time), well above the typical ransomware demand, which ZDNet put at around $13,000 for small organizations. The other path is to rebuild the key elements of your IT environment. Without complete, intact backups, this requires a wide range of skill sets, well-coordinated team management, and the ability to work non-stop until the job is done.
For twenty years, Progent has provided professional IT services for companies across the United States and has earned Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who hold top industry certifications in key technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's cyber security specialists hold internationally recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with accounting and ERP software. This breadth of expertise allows Progent to quickly identify which systems are essential after a ransomware attack, salvage the intact pieces of your IT environment, and reassemble them into a working system.
Progent's ransomware team uses professional project management tools to coordinate the complicated restoration process. Progent understands the urgency of working swiftly alongside a customer's management and IT staff to prioritize tasks and bring the most important services back online as soon as humanly possible.
Business Case Study: A Successful Ransomware Penetration Recovery
A small business escalated to Progent after its network was taken over by the Ryuk ransomware. Ryuk was at first linked by some researchers to North Korean state-sponsored hackers because it shares code with the earlier Hermes ransomware, but later analysis attributes it to a financially motivated, Russian-speaking criminal group. Ryuk targets specific organizations with little tolerance for operational disruption and is among the most profitable ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturer headquartered in Chicago with around 500 employees. The Ryuk event had shut down all business operations and manufacturing processes. Most of the client's backups had been on-line and reachable from the compromised network when the attack started, and they were encrypted along with the production data. The client was preparing to pay the ransom (over $200K) and hoping for the best, but ultimately brought in Progent.
"I can't thank you enough for the care Progent gave us throughout the most critical time of (our) business's life. We may have had to pay the hackers behind this attack if not for the confidence the Progent group afforded us. The fact that you could get our e-mail and key servers back in less than seven days was beyond my wildest dreams. Every single person I talked with or e-mailed at Progent was hell-bent on getting us back on-line and was working day and night to bail us out."
Progent worked with the customer to quickly identify and prioritize the key elements that needed to be addressed in order to continue business operations:
- Active Directory (AD)
- Microsoft Exchange Server
- Accounting and Manufacturing Software
To start, Progent followed standard incident response practice by isolating the affected systems from the network and cleaning them. Progent then began rebuilding Active Directory, the core of any environment built on Microsoft Windows Server. Microsoft Exchange Server will not run without Active Directory, and the customer's MRP software ran on Microsoft SQL Server, which authenticated users against Active Directory.
In less than 48 hours, Progent rebuilt Active Directory to its pre-attack state. Progent then assisted with setup and storage recovery on essential servers. The Exchange schema extensions and attributes in Active Directory were intact, which simplified rebuilding Exchange. Progent was also able to find intact OST files (Outlook Offline Folder files) on various workstations and laptops and used them to recover mail messages. A recent offline backup of the client's accounting/MRP systems made it possible to bring these essential applications back on-line for users. Although much work remained to recover completely from the Ryuk event, the most important services were restored rapidly:
"For the most part, the production manufacturing operation never missed a beat and we produced all customer shipments."
Over the following few weeks, important milestones in the recovery were reached through close collaboration between Progent team members and the customer:
- Self-hosted web applications were restored with no loss of data.
- The MailStore Server archive of more than 4 million historical emails was brought on-line and made available to users.
- CRM, product ordering, invoicing, accounts payable, accounts receivable and inventory control functions were fully operational.
- A new Palo Alto Networks PA-850 firewall was installed.
- Ninety percent of the desktops and laptops were back in use by staff.
"Much of what occurred during the initial response is mostly a blur for me, but we will not forget the urgency with which each and every one of your team worked to help get our company back. I have been working with Progent for the past 10 years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This event was a Herculean accomplishment."
A potential business-killing disaster was averted through hard-working professionals, a broad array of knowledge, and close teamwork. Forensics showed that the crypto-ransomware attack described here could have been blocked with modern security technology and recognized best practices: staff education, properly executed incident response procedures, backups kept out of reach of the production network, and sound patch management. Still, the reality is that well-resourced attackers, whether criminal gangs or state-sponsored groups from China, Russia, North Korea and elsewhere, are tireless and are an ongoing threat. If you are hit by a ransomware attack, remember that Progent's roster of professionals has extensive experience in crypto-ransomware defense, removal, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), I'm grateful for making it so I could get some rest after we made it through the first week. Everyone did an amazing job, and if any of your guys are around the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB)
Contact Progent for Ransomware Cleanup Services in Manchester
For ransomware cleanup services in the Manchester metro area, phone Progent at 800-462-8800 or go to Contact Progent.