Ransomware: Your Worst Information Technology Nightmare
Crypto-ransomware has become a modern cyber plague and represents an enterprise-level threat to any business vulnerable to attack. Multiple generations of crypto-ransomware, including CryptoLocker, CryptoWall, Bad Rabbit, NotPetya and MongoLock, have been in the wild for years and still cause destruction. More recent families such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, LockBit and Nefilim, plus a steady stream of unnamed variants, not only encrypt online data files but also seek out and destroy any system restore points and backups reachable from the compromised network. Files synchronized to off-site disaster recovery sites can be rendered useless as well. In a poorly architected environment this can make automated restore operations hopeless and effectively sets the datacenter back to square one.
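As an added example (not Progent's code and not part of the original page), the check below shows one way a defender can catch the tampering with restore points and backups described above. Before encrypting, ransomware typically deletes Volume Shadow Copies and backup catalogs and disables Windows recovery using built-in administrative tools (vssadmin, wmic, wbadmin, bcdedit), a behavior catalogued by MITRE ATT&CK as T1490, Inhibit System Recovery. The script scans constructed, Sysmon-style process-creation records for those command lines; the key=value log format, host names and user names are assumptions made for this example.

```python
"""Flag commands that ransomware commonly runs to destroy local recovery
options (MITRE ATT&CK T1490, Inhibit System Recovery) in process-creation
logs. Added example, not Progent's code; the log lines at the bottom are
constructed Sysmon-style "Event ID 1" records, not from a real incident."""
import re
from dataclasses import dataclass

# Each rule is a name plus a regex applied case-insensitively to the full
# command line. These are legitimate admin tools, so a hit is a high-priority
# alert to triage immediately, not proof of compromise by itself.
RECOVERY_TAMPER_RULES = [
    ("vss_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vss_resize", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic_vss_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_catalog", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I)),
    ("bcdedit_no_recovery", re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("wmi_shadowcopy_api", re.compile(r"\bWin32_ShadowCopy\b.*\bDelete\b", re.I)),
]


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    command: str


# key=value pairs; values may be double-quoted when they contain spaces
# (assumed log format for this example).
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value log line into a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def scan(lines):
    """Return one Finding per event whose command line matches a rule."""
    findings = []
    for line in lines:
        event = parse_event(line)
        command = event.get("cmd", "")
        for name, pattern in RECOVERY_TAMPER_RULES:
            if pattern.search(command):
                findings.append(Finding(event.get("host", "?"), event.get("user", "?"), name, command))
                break  # the first matching rule is enough for triage
    return findings


# Constructed sample records (hypothetical hosts and users). The first and
# last lines are benign: normal desktop use, and a read-only "vssadmin list".
SAMPLE_LOG = [
    r'host=WS-01 user=CORP\jdoe image="C:\Windows\System32\notepad.exe" cmd="notepad.exe report.txt"',
    r'host=SRV-FILE01 user=CORP\svc-backup image="C:\Windows\System32\vssadmin.exe" cmd="vssadmin.exe delete shadows /all /quiet"',
    r'host=SRV-FILE01 user=CORP\svc-backup image="C:\Windows\System32\wbem\WMIC.exe" cmd="wmic shadowcopy delete"',
    r'host=WS-17 user=CORP\admin image="C:\Windows\System32\bcdedit.exe" cmd="bcdedit /set {default} recoveryenabled No"',
    r'host=SRV-DC01 user=CORP\admin image="C:\Windows\System32\wbadmin.exe" cmd="wbadmin delete catalog -quiet"',
    r'host=SRV-FILE02 user=CORP\ops image="C:\Windows\System32\vssadmin.exe" cmd="vssadmin list shadows"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"ALERT {f.rule:<20} host={f.host} user={f.user} cmd={f.command!r}")
```

Run against the constructed log, the scan flags the four tampering commands and ignores both benign lines. In production the same rules would be fed from an EDR or SIEM process-creation stream, and a hit on a file server or domain controller outside a maintenance window should trigger host isolation, since it usually precedes the encryption stage by minutes.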
Restoring programs and data following a crypto-ransomware attack becomes a race against time as the targeted business tries to contain and eradicate the ransomware and resume business-critical activity. Because the encryption stage needs time to spread across the network, attacks are frequently launched at night or over weekends, when they take longer to be noticed. This multiplies the difficulty of rapidly mobilizing and orchestrating an experienced response team.
Progent offers a variety of services for protecting Irving businesses from crypto-ransomware attacks. These include training team members to recognize and avoid phishing, and ProSight Active Security Monitoring (ASM), an endpoint detection and response (EDR) service built on SentinelOne's behavior-based threat defense to identify and disable zero-day malware attacks. Progent also offers the assistance of expert ransomware recovery engineers with the skill and perseverance to rebuild a breached system as quickly as possible.
Progent's Ransomware Restoration Help
After a ransomware attack, paying the ransom in Bitcoin provides no assurance that the attackers will hand over the keys needed to decrypt all your data. Kaspersky Labs found that seventeen percent of ransomware victims never recovered their files after paying the ransom, compounding their losses. Paying is also very costly. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time). This is far above the typical ransomware demand, which ZDNET put at around $13,000 for smaller businesses. The fallback is to rebuild the mission-critical components of your IT environment. Without usable backups of essential data, this calls for a wide complement of skills, professional team management, and the willingness to work around the clock until the job is complete.
For twenty years, Progent has provided professional IT services to businesses across the United States and has achieved Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who hold high-level industry certifications in foundation technologies from Microsoft, Cisco and VMware and in popular distributions of Linux. Progent's cyber security specialists hold internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise in financial management and ERP applications. This breadth of experience gives Progent the skills to knowledgeably identify the necessary systems, salvage the remaining parts of your IT environment after a ransomware event, and rebuild them into a functioning system.
Progent's ransomware group uses top-notch project management tools to orchestrate the complicated restoration process. Progent knows the importance of acting quickly and in unison with a client's management and IT staff to prioritize tasks and get critical applications back online as soon as humanly possible.
Client Case Study: A Successful Ransomware Virus Response
A business hired Progent after its network was attacked by the Ryuk ransomware. Early reports attributed Ryuk to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; later analysis has linked it to a Russian-speaking criminal group. Ryuk targets specific businesses with little tolerance for disruption and is one of the most profitable ransomware operations to date. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in the Chicago metro area with about 500 employees. The Ryuk attack had frozen all company operations and manufacturing processes. Most of the client's backups were online and reachable from the compromised network at the time of the attack, and they were encrypted along with everything else. The client was preparing to pay the ransom (more than two hundred thousand dollars) and hope for the best, but in the end engaged Progent.
"I can't say enough about the support Progent provided us during the most critical period of (our) business's life. We would have paid the hackers if it wasn't for the confidence the Progent group gave us. The fact that you were able to get our messaging and critical servers back online sooner than one week was amazing. Every single expert I worked with or communicated with at Progent was absolutely committed to getting our company operational and was working non-stop on our behalf."
Progent worked with the client to rapidly identify and prioritize the key applications that had to be addressed before departmental functions could restart:
- Microsoft Active Directory
- Microsoft Exchange Email
To begin, Progent followed incident response best practices by isolating infected hosts to stop lateral movement and cleaning up compromised systems. Progent then began rebuilding Windows Active Directory, the heart of any enterprise environment built on Microsoft Windows technology. Exchange messaging will not work without AD, and the business's accounting and MRP software ran on SQL Server, which relied on Active Directory for authentication to the data.
In less than 48 hours, Progent restored Windows Active Directory to its pre-attack state. Progent then completed setup and disk recovery on the most important servers. Because Exchange stores its configuration in Active Directory, all Exchange links and configuration data were intact, which greatly helped the rebuild of Exchange. Progent was also able to find intact OST files (Microsoft Outlook Offline Folder Files) on various desktops and laptops and used them to recover email messages. A reasonably recent offline backup of the business's financials/MRP systems made it possible to bring these essential applications back online. Although major work remained to recover fully from the Ryuk attack, the most important services were restored quickly:
"For the most part, the production operation never missed a beat and we delivered all customer sales."
Over the next couple of weeks, key milestones in the recovery were reached through close collaboration between Progent team members and the client:
- Self-hosted web sites were returned to operation without data loss.
- The MailStore email archive server, holding more than four million archived messages, was restored to operation and made accessible to users.
- CRM, customer orders, invoicing, accounts payable (AP), accounts receivable (AR) and inventory control capabilities were fully restored.
- A new Palo Alto Networks PA-850 firewall was deployed.
- 90% of user PCs were back in the hands of staff.
"A huge amount of what happened in the initial days is nearly entirely a fog for me, but I will not forget the urgency each of your team put in to give us our company back. I've been working together with Progent for at least 10 years, maybe more, and every time Progent has outperformed my expectations and delivered. This situation was a life saver."
A potentially business-killing disaster was averted thanks to results-oriented professionals, a wide spectrum of knowledge, and tight teamwork. In hindsight, the ransomware attack described here should have been detected and blocked by modern security technology and recognized best practices: user education, offline backups, keeping systems current with security patches, and appropriate incident response procedures. Still, the fact remains that criminal and state-sponsored cyber gangs, whether based in Russia, China, North Korea or elsewhere, are relentless and represent an ongoing threat. If you do fall victim to a ransomware incident, you can be confident that Progent's roster of experts has extensive experience in ransomware defense, cleanup, and data restoration.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), I'm grateful for allowing me to get some sleep after we made it through the most critical parts. All of you did an incredible job, and if anyone that helped is visiting the Chicago area, dinner is the least I can do!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Consulting Services in Irving
For ransomware cleanup consulting services in the Irving metro area, call Progent at 800-462-8800 or go to Contact Progent.