Ransomware: Your Crippling Information Technology Disaster
Ransomware has become a too-frequent cyberplague that poses an extinction-level threat for organizations poorly prepared for an attack. Iterations of ransomware like the CryptoLocker, Fusob, Locky, NotPetya and MongoLock cryptoworms have been running rampant for years and still cause harm. Newer versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, along with the unnamed variants that appear daily, not only encrypt online data but also defeat many configured system protections. Data synchronized to cloud environments can also be ransomed. In a vulnerable system, this can render automated restoration hopeless and effectively sets the datacenter back to square one.
Getting services and data back after a crypto-ransomware attack becomes a race against time as the targeted business tries its best to contain and eradicate the ransomware and to restore business-critical activity. Because ransomware requires time to spread, attacks are usually sprung on weekends, when a successful penetration may take longer to detect. This compounds the difficulty of quickly marshalling and coordinating a capable response team.
Progent offers an assortment of services for securing San Bernardino enterprises against ransomware penetrations. Among these are team education to recognize and not fall victim to phishing scams, and ProSight Active Security Monitoring for endpoint detection and response, which uses SentinelOne's AI-based threat defense to identify and extinguish zero-day modern malware attacks. Progent also provides the services of expert ransomware recovery engineers with the skills and commitment to reconstruct a breached environment as urgently as possible.
Progent's Ransomware Recovery Support Services
Following a crypto-ransomware penetration, paying the ransom demand in Bitcoin cryptocurrency does not ensure that the cyber criminals will respond with the keys needed to decrypt all your data. Kaspersky Labs determined that 17% of crypto-ransomware victims never restored their information even after having paid the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is far higher than the average ransomware demand, which ZDNET determined to be approximately $13,000 for smaller organizations. The other path is to piece back together the essential components of your IT environment. Without essential system backups available, this requires a broad range of skills, top-notch project management, and the willingness to work 24x7 until the job is finished.
For decades, Progent has offered certified expert IT services for companies throughout the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have attained top industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have earned internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent in addition has experience with financial management and ERP application software. This breadth of expertise allows Progent to efficiently identify critical systems, reorganize the remaining components of your network after a ransomware attack, and configure them into an operational system.
Progent's security team uses state-of-the-art project management tools to coordinate the complex restoration process. Progent knows the importance of acting quickly and in concert with a customer's management and Information Technology team members to prioritize tasks and to put the most important systems back online as fast as possible.
Customer Story: A Successful Ransomware Attack Response
A business escalated to Progent after its network was brought down by Ryuk ransomware. Ryuk is thought to have been created by North Korean government-sponsored criminal gangs, possibly using techniques leaked from the U.S. National Security Agency. Ryuk targets organizations with little tolerance for operational disruption and is one of the most lucrative iterations of ransomware. Prominent victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer based in Chicago with around 500 staff members. The Ryuk attack had paralyzed all business operations and manufacturing processes. Most of the client's data backups had been online at the start of the attack and were destroyed. The client considered paying the ransom (more than two hundred thousand dollars) and hoping for good luck, but in the end reached out to Progent.
"I can't speak enough about the help Progent provided us throughout the most critical time of (our) company's existence. We may have had to pay the cyber criminals except for the confidence the Progent team afforded us. That you could get our e-mail and critical servers back into operation sooner than one week was amazing. Each expert I worked with or communicated with at Progent was amazingly focused on getting my company operational and was working 24/7 to bail us out."
Progent worked with the client to rapidly determine and prioritize the most important areas that needed to be restored in order to keep the company functioning:
To start, Progent followed antivirus/malware incident-response best practices by stopping the spread and cleaning up compromised systems. Progent then began the steps of rebuilding Active Directory, the foundation of enterprise systems built on Microsoft technology. Exchange messaging will not work without Active Directory, and the customer's accounting and MRP software used Microsoft SQL Server, which relies on Active Directory for authentication before users can reach their data.
- Active Directory
Within two days, Progent was able to recover Active Directory services to their pre-intrusion state. Progent then carried out reinstallations and hard drive recovery of mission-critical applications. All Microsoft Exchange Server data and attributes were intact, which greatly helped the rebuild of Exchange. Progent was also able to find local OST data files (Outlook Offline Folder Files) on staff workstations and laptops to recover email information. A recent offline backup of the client's accounting/ERP software made it possible to bring these vital applications back online for users. Although a lot of work remained to recover fully from the Ryuk virus, essential systems were restored rapidly:
"For the most part, the assembly line operation showed little impact and we did not miss any customer deliverables."
Over the next month, critical milestones in the recovery project were completed through close collaboration between Progent team members and the customer:
- Internal web applications were restored with no loss of data.
- The MailStore Server containing more than 4 million historical messages was spun up and accessible to users.
- CRM/Product Ordering/Invoicing/AP/Accounts Receivables/Inventory capabilities were 100 percent functional.
- A new Palo Alto Networks 850 firewall was brought online.
- 90% of the desktops and laptops were back in operation.
"A huge amount of what happened those first few days is mostly a haze for me, but my management will not soon forget the urgency each and every one of the team put in to help get our company back. I've been working with Progent for the past ten years, maybe more, and every time I needed help Progent has shined and delivered. This situation was the most impressive ever."
A probable enterprise-killing disaster was averted by top-tier experts, a wide range of technical expertise, and close teamwork. In hindsight, the crypto-ransomware penetration described here should have been identified and blocked by advanced security technology, security best practices, user training, and properly executed procedures for backups and for keeping systems current with security patches. The fact remains, however, that government-sponsored hackers from Russia, China and elsewhere are relentless and an ongoing threat. If you do get hit by a crypto-ransomware attack, remember that Progent's roster of experts has extensive experience in crypto-ransomware defense, cleanup, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were helping), I'm grateful for allowing me to get rested after we got through the initial push. All of you did a fabulous job, and if any of your team is in the Chicago area, dinner is on me!"
Download the Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this ransomware incident report, see Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Restoration Services in San Bernardino
For ransomware cleanup expertise in the San Bernardino metro area, call Progent at 800-462-8800 or see Contact Progent.