Ransomware : Your Feared IT Disaster
Ransomware has become a modern cyberplague that poses an extinction-level threat to organizations unprepared for an assault. Versions of ransomware like the Dharma, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been in the wild for a long time and continue to inflict destruction. More recent crypto-ransomware strains such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Nephilim, along with frequent unnamed variants, not only encrypt online files but also reach and encrypt many configured system backups. Data replicated to off-site disaster recovery sites can also be rendered useless, since the replication carries the encrypted data along with it. In a poorly designed system, this can make any restore operation hopeless and effectively set the datacenter back to zero.
Retrieving applications and information after a ransomware outage becomes a sprint against the clock as the targeted business tries its best to contain and clean up the malware and to resume mission-critical activity. Because ransomware needs time to move laterally, attacks are usually launched during weekends and nights, when a successful attack may take longer to discover. This compounds the difficulty of quickly marshalling and coordinating an experienced mitigation team.
Progent makes available an assortment of services for securing San Diego enterprises against ransomware penetrations. Among these are staff training to help employees recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of the latest generation of security gateways with AI technology to automatically identify and block zero-day cyber threats. Progent can also provide the assistance of expert ransomware recovery engineers with the track record and perseverance to redeploy a breached network as rapidly as possible.
Progent's Ransomware Restoration Support Services
Following a ransomware event, paying the ransom demand in Bitcoin cryptocurrency provides no assurance that the criminal gang will supply the keys to decrypt all your data. Kaspersky estimated that 17% of ransomware victims never recovered their data after sending off the ransom, compounding their losses. The ransom itself is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is well above the average crypto-ransomware demand, which ZDNET determined to be in the range of $13,000 for smaller businesses. The alternative is to piece back together the vital parts of your Information Technology environment. Absent access to complete backups, this requires a wide range of skills, professional project management, and the capability to work non-stop until the task is finished.
For twenty years, Progent has provided professional IT services for companies throughout the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have earned high-level certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have garnered internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has experience with financial systems and ERP software solutions. This breadth of expertise gives Progent the ability to knowledgeably identify critical systems, consolidate the remaining parts of your Information Technology environment after a ransomware attack, and configure them into an operational network.
Progent's recovery team utilizes best-of-breed project management systems to coordinate the complex restoration process. Progent appreciates the importance of working quickly and in concert with a customer's management and IT team members to prioritize tasks and to put essential services back online as fast as humanly possible.
Case Study: A Successful Crypto-Ransomware Virus Restoration
A customer contacted Progent after their network was attacked by the Ryuk ransomware virus. Ryuk is believed to have been developed by North Korean government-sponsored cybercriminals, possibly using technology leaked from the U.S. National Security Agency. Ryuk goes after specific organizations with little or no room for disruption and is one of the most lucrative examples of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in the Chicago metro area with around 500 employees. The Ryuk event had paralyzed all business operations and manufacturing capabilities. Most of the client's backup data had been online at the start of the intrusion and was encrypted. The client was taking steps to pay the ransom demand (exceeding $200,000) and hoping for the best, but ultimately brought in Progent.
"I cannot speak enough in regards to the help Progent provided us throughout the most fearful period of (our) business's survival. We may have had to pay the cyber criminals if it wasn't for the confidence the Progent group gave us. That you could get our e-mail and important servers back on-line quicker than five days was something I thought impossible. Each person I spoke to or messaged at Progent was laser focused on getting us back on-line and was working 24/7 to bail us out."
Progent worked together with the client to rapidly identify and prioritize the key elements that needed to be addressed in order to resume departmental functions:
- Active Directory
- Microsoft Exchange Email
To begin, Progent adhered to ransomware incident mitigation best practices by stopping the spread and cleaning the malware from affected systems. Progent then began restoring Microsoft Active Directory, the heart of enterprise systems built upon Microsoft technology. Microsoft Exchange messaging will not operate without Active Directory, and the client's accounting and MRP applications used SQL Server, which depends on Windows AD for security authorization to the databases.
In less than 2 days, Progent was able to restore Active Directory services to their pre-incident state. Progent then performed reinstallations and hard drive recovery on the needed applications. All Exchange Server connections and attributes were intact, which greatly helped the restoration of Exchange. Progent was also able to locate non-encrypted OST files (Microsoft Outlook Off-Line Folder Files) on user workstations to recover mail messages. A recent off-line backup of the business's accounting/ERP software made it possible to bring these required services back online. Although significant work remained to recover fully from the Ryuk event, core services were restored quickly:
"For the most part, the production line operation was never shut down and we made all customer deliverables."
Throughout the next few weeks important milestones in the restoration project were achieved in close cooperation between Progent consultants and the client:
- Internal web sites were returned to operation with no loss of data.
- The MailStore Exchange server, holding more than 4 million historical messages, was restored to operation and made available to users.
- CRM/Orders/Invoicing/AP/Accounts Receivable (AR)/Inventory Control modules were completely operational.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- Nearly all of the user desktops were functioning as before the incident.
"Much of what transpired during the initial response is nearly entirely a blur for me, but I will not soon forget the dedication all of the team accomplished to give us our company back. I have utilized Progent for the past ten years, possibly more, and every time I needed help Progent has impressed me and delivered as promised. This time was a testament to your capabilities."
A potential enterprise-killing disaster was dodged thanks to hard-working experts, a broad spectrum of subject matter expertise, and close collaboration. Although in post mortem the ransomware incident detailed here should have been prevented with advanced cybersecurity systems and NIST Cybersecurity Framework best practices, user and IT administrator training, and well-designed incident response procedures for data protection and applying software patches, the fact remains that government-sponsored cybercriminals from Russia, China and elsewhere are tireless and an ongoing threat. If you do get hit by a ransomware incident, feel confident that Progent's team of experts has extensive experience in crypto-ransomware defense, cleanup, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for allowing me to get rested after we got past the first week. Everyone did a fabulous job, and if anyone is in the Chicago area, a great meal is on me!"
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Expertise in San Diego
For ransomware system restoration consulting services in the San Diego metro area, call Progent at 800-462-8800 or see Contact Progent.