Ransomware: Your Feared IT Catastrophe
Ransomware has become a modern cyberplague that poses an enterprise-level threat to businesses poorly prepared for an attack. Earlier families such as Reveton, Fusob, Bad Rabbit, Syskey and MongoLock have been circulating for years and continue to inflict harm. Modern crypto-ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Egregor, plus a steady stream of unnamed newcomers, not only encrypts online business-critical data but also seeks out and encrypts any backup the compromised network can reach. Data replicated to the cloud can be encrypted as well. With a poorly designed data protection solution, this can render every restore operation useless and effectively sets the network back to zero.
Recovering applications and data after a ransomware intrusion becomes a race against time as the victim works to contain the damage, remove the crypto-ransomware and restore business-critical operations. Because ransomware needs time to spread, intrusions are often launched at night, when a successful attack typically takes longer to discover. This compounds the difficulty of promptly assembling and coordinating a qualified mitigation team.
Progent provides a variety of services for protecting Santa Monica businesses from ransomware attacks. These include staff training to recognize and avoid phishing scams, and ProSight Active Security Monitoring, an endpoint detection and response (EDR) service that uses SentinelOne's AI-based threat protection to detect and disable zero-day malware attacks. Progent can also provide seasoned crypto-ransomware recovery professionals with the skills and commitment to restore a compromised network as quickly as possible.
Progent's Ransomware Restoration Services
After a ransomware event, even paying the ransom in Bitcoin does not guarantee that the attackers will hand over the keys needed to decrypt any of your data. Kaspersky determined that 17% of ransomware victims never recovered their data after paying the ransom, compounding their losses. The ransom itself is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET determined to be approximately $13,000 for small businesses. The alternative is to rebuild the essential components of your IT environment. Without access to complete data backups, this calls for a broad set of skills, well-coordinated team management, and the willingness to work non-stop until the job is done.
For decades, Progent has provided expert IT services to companies throughout the US and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who hold advanced certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity consultants hold internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC (refer to Progent's certifications). Progent also has expertise with financial systems and ERP software. This breadth of expertise gives Progent the skills to knowledgeably assess critical systems, reorganize the surviving parts of your network after a ransomware event, and reassemble them into a functioning environment.
Progent's security group uses best-of-breed project management tools to orchestrate the complex recovery process. Progent understands the importance of acting swiftly and in concert with a customer's management and IT staff to prioritize tasks and get key systems back online as fast as humanly possible.
Business Case Study: A Successful Crypto-Ransomware Incident Response
A client escalated to Progent after their network was taken over by Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state cybercriminals, possibly using techniques leaked from the U.S. National Security Agency. Ryuk targets specific businesses with limited ability to sustain disruption and is among the most profitable strains of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in Chicago with around 500 staff members. The Ryuk event had halted all business operations and manufacturing capabilities. Most of the client's data backups had been online at the start of the intrusion and were encrypted. The client was considering paying the ransom demand (more than $200K) and hoping for the best, but in the end called Progent.
"I can't speak enough in regards to the expertise Progent gave us during the most fearful period of (our) business's life. We may have had to pay the criminal gangs if not for the confidence the Progent experts afforded us. That you could get our e-mail and essential applications back online in less than 1 week was something I thought impossible. Every single person I spoke to or texted at Progent was totally committed to getting us operational and was working non-stop on our behalf."
Progent worked with the customer to rapidly identify and prioritize the essential elements that had to be restored in order to resume business operations:
- Microsoft Active Directory
- Exchange Server
To begin, Progent followed incident response best practices by halting lateral movement and removing the malware from affected systems. Progent then started recovering Active Directory, the core technology of enterprise networks built on Microsoft Windows Server. Microsoft Exchange Server messaging will not work without AD, and the client's financial and MRP software relied on Microsoft SQL Server, which depends on Windows AD for access control to the data.
In less than two days, Progent rebuilt Active Directory services to their pre-intrusion state. Progent then reinstalled and recovered storage for the required applications. All Exchange schema and configuration information was intact, which accelerated the Exchange rebuild. Progent was also able to locate local OST files (Outlook Offline Data Files) on user PCs and laptops in order to recover mail data. A recent offline backup of the client's accounting/ERP systems made it possible to bring these vital services back online for users. Although a large amount of work remained to recover fully from the Ryuk damage, the most important services were restored rapidly:
"For the most part, the production manufacturing operation survived unscathed and we produced all customer sales."
Over the following weeks, key milestones in the restoration process were reached in close cooperation between Progent team members and the client:
- Self-hosted web applications were returned to operation with no loss of data.
- The MailStore Exchange Server containing more than four million historical messages was brought online and made available to users.
- CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivable/Inventory functions were 100 percent operational.
- A new Palo Alto 850 security appliance was set up.
- Ninety percent of user desktops were functioning as they had before the incident.
"A huge amount of what occurred those first few days is nearly entirely a haze for me, but my management will not soon forget the countless hours each and every one of the team accomplished to give us our business back. I've entrusted Progent for the past ten years, maybe more, and every time I needed help Progent has come through and delivered as promised. This time was no exception but maybe more Herculean."
A potential business-ending disaster was averted through results-oriented professionals, a wide array of technical expertise, and close teamwork. Although post-incident forensics showed that the ransomware attack described here should have been identified and prevented with up-to-date cybersecurity solutions and best practices, staff training, well-designed incident response procedures for data backup, and proper patching controls, the reality is that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and will keep trying. If you do fall victim to a crypto-ransomware incursion, remember that Progent's roster of professionals has proven experience in crypto-ransomware blocking, removal, and information systems recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thanks very much for allowing me to get rested after we got through the initial push. Everyone did a fabulous job, and if anyone is in the Chicago area, dinner is on me!"
Download the Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this customer story, click: Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Recovery Consulting in Santa Monica
For ransomware recovery services in the Santa Monica metro area, call Progent at 800-462-8800 or visit Contact Progent.