Ransomware : Your Feared IT Nightmare
Ransomware has become a modern cyber pandemic that presents an existential danger for organizations unprepared for an attack. Older ransomware families such as CrySIS, Fusob, Locky, NotPetya and the MongoLock cryptoworm have been running rampant for years and still inflict damage. Newer families like Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, as well as additional as yet unnamed variants, not only encrypt on-line files but also corrupt most accessible system backups. Data replicated to cloud environments can also be rendered useless. In a poorly architected environment, this can make recovery impossible and effectively knocks the network back to square one.
Restoring on-line services and data after a ransomware event becomes a race against the clock as the targeted organization tries to stop the spread, clean up the malware, and restore mission-critical activity. Because ransomware requires time to spread, attacks are frequently launched at night, when they are likely to take longer to discover. This compounds the difficulty of quickly assembling and orchestrating a qualified mitigation team.
Progent offers a variety of solutions for protecting Newark organizations from crypto-ransomware events. These include user training to recognize and avoid phishing scams, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which uses SentinelOne's AI-based threat protection to identify and contain zero-day malware attacks. Progent also provides the assistance of expert ransomware recovery engineers with the skill and commitment to rebuild a breached environment as rapidly as possible.
Progent's Crypto-Ransomware Recovery Help
After a crypto-ransomware penetration, paying the ransom in Bitcoin cryptocurrency provides no assurance that the criminals will respond with the keys needed to decrypt all your files. Kaspersky determined that 17% of crypto-ransomware victims never recovered their files even after paying the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is well above the usual ransomware demand, which ZDNET estimated to be in the range of $13,000 for smaller businesses. The alternative is to rebuild the key elements of your IT environment. Without complete data backups, this calls for a wide complement of skills, top-notch team management, and the capability to work non-stop until the task is complete.
For decades, Progent has provided professional Information Technology services for businesses throughout the US and has achieved Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have attained top certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have earned internationally recognized certifications including CISA, CISSP, CRISC, and GIAC. (Refer to Progent's certifications). Progent also has expertise with financial management and ERP software solutions. This breadth of experience gives Progent the ability to rapidly understand critical systems, organize the surviving components of your network following a crypto-ransomware penetration, and assemble them into a functioning system.
Progent's security group has powerful project management tools to orchestrate the sophisticated recovery process. Progent understands the importance of acting quickly and working together with a customer's management and IT resources to prioritize tasks and to get essential systems back on line as fast as humanly possible.
Customer Story: A Successful Ransomware Virus Recovery
A small business sought out Progent after their network was attacked by Ryuk crypto-ransomware. Ryuk is generally considered to have been deployed by North Korean state-sponsored cybercriminals, suspected of adopting techniques leaked from the United States NSA. Ryuk goes after specific companies with little tolerance for operational disruption and is one of the most lucrative crypto-ransomware families. Major victims have included Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in the Chicago metro area with about 500 staff members. The Ryuk event had disabled all company operations and manufacturing capabilities. Most of the client's system backups had been on-line at the beginning of the intrusion and were eventually encrypted. The client was considering paying the ransom demand (in excess of $200K) and hoping for the best, but ultimately engaged Progent.
"I can't tell you enough about the expertise Progent gave us during the most fearful period of (our) business's life. We would have paid the Hackers if it wasn't for the confidence the Progent experts provided us. The fact that you could get our e-mail and production servers back sooner than five days was beyond my wildest dreams. Every single staff member I interacted with or texted at Progent was laser focused on getting us operational and was working non-stop on our behalf."
Progent worked together with the customer to rapidly assess and prioritize the key systems that needed to be restored in order to continue departmental operations:
- Windows Active Directory
- Exchange Server
- MRP System
To begin, Progent followed industry best practices for malware incident mitigation by stopping the spread and cleaning infected systems. Progent then began bringing back online Microsoft Active Directory (AD), the heart of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange Server email will not work without Windows AD, and the business's MRP system ran on Microsoft SQL Server, which depends on Active Directory to authenticate access to the data.
Within 2 days, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then charged ahead with the configuration and storage recovery of essential systems. All Exchange connections and attributes in AD were intact, which greatly simplified the rebuild of Exchange. Progent was also able to find non-encrypted OST data files (Outlook Off-Line Folder Files) on various desktop and laptop computers to recover mail data. A recent offline backup of the customer's accounting/ERP systems made it possible to bring these required applications back on-line. Although a great deal of work remained to recover completely from the Ryuk event, the most important systems were restored quickly:
"For the most part, the production operation did not miss a beat and we produced all customer sales."
During the following month, important milestones in the recovery project were completed through tight collaboration between Progent engineers and the customer:
- Self-hosted web sites were returned to operation with no loss of data.
- The MailStore Server containing more than 4 million archived emails was restored to operations and accessible to users.
- CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables/Inventory capabilities were completely functional.
- A new Palo Alto Networks 850 security appliance was brought online.
- Nearly all of the user desktops and notebooks were back in operation.
"A lot of what was accomplished those first few days is nearly entirely a blur for me, but our team will not soon forget the commitment all of you accomplished to give us our company back. I've been working together with Progent for the past 10 years, possibly more, and every time Progent has shined and delivered as promised. This time was a testament to your capabilities."
A potential business disaster was averted by hard-working experts, a wide spectrum of IT skills, and tight collaboration. In hindsight, the crypto-ransomware incident described here should have been identified and stopped by advanced cyber security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user training, and well thought out incident response procedures covering backup and patching controls; the reality, however, is that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and remain an ongoing threat. If you do fall victim to a ransomware penetration, remember that Progent's team of professionals has proven experience in ransomware blocking, cleanup, and data restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), I'm grateful for letting me get some sleep after we got over the first week. All of you made an incredible effort, and if any of you guys are around the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Consulting Services in Newark
For ransomware cleanup services in the Newark metro area, phone Progent at 800-462-8800 or go to Contact Progent.