Ransomware: Your Worst Information Technology Nightmare
Ransomware has become an escalating cyberplague that poses an existential threat to businesses of all sizes that are poorly prepared for an attack. Earlier ransomware families such as Dharma, WannaCry, Bad Rabbit and MongoLock have circulated for years and still cause damage. Newer crypto-ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Egregor, as well as newcomers yet to be named, not only encrypt online data but also seek out and destroy every backup they can reach. Data synchronized to off-site disaster recovery sites can be encrypted along with it. In a vulnerable environment this can make any restore operation hopeless and effectively knocks the datacenter back to zero.
Recovering services and data after a ransomware attack becomes a race against time as the victim fights to stop lateral movement, eradicate the ransomware and resume mission-critical operations. Because ransomware needs time to spread, attacks are frequently launched at night and on weekends, when intrusions often take longer to detect. This multiplies the difficulty of quickly assembling and coordinating an experienced remediation team.
Progent offers a range of services for protecting Irving businesses from ransomware attacks. These include staff training to help recognize and avoid phishing scams, and ProSight Active Security Monitoring, an endpoint detection and response service that uses SentinelOne's behavior-based threat protection to detect and contain zero-day malware attacks. Progent also offers the services of veteran ransomware recovery professionals with the skills and commitment to rebuild a breached network as quickly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware event, paying the ransom in Bitcoin does not guarantee that the criminals will hand over the keys needed to decrypt all your files. Kaspersky found that seventeen percent of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000), far above the average ransomware demand, which ZDNet put at roughly $13,000 for smaller organizations. The alternative is to piece the vital elements of your IT environment back together. Without access to complete, uncompromised backups, this requires a broad set of IT skills, professional project management, and the ability to work around the clock until the recovery is complete.
For two decades, Progent has provided professional IT services to companies throughout the U.S. and has earned Microsoft Partner status with the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals with high-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's security consultants hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent also has expertise with accounting and ERP applications. This breadth of experience gives Progent the skills to quickly identify critical systems, gather the remaining pieces of your IT environment after a ransomware breach, and assemble them into a working system.
Progent's ransomware team uses professional project management tools to coordinate the complex restoration process. Progent understands the urgency of acting quickly and in concert with the client's management and IT staff to prioritize tasks and get essential systems back online as fast as possible.
Customer Case Study: A Successful Ransomware Recovery
A mid-sized business contacted Progent after its network was penetrated by Ryuk ransomware. Ryuk was initially attributed to North Korean actors because of its code similarity to the Hermes ransomware, but later analysis by security researchers linked it to Russian-speaking criminal groups. Ryuk targets specific organizations with limited tolerance for disruption and is one of the most profitable ransomware operations. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer in the Chicago metro area with about 500 employees. The Ryuk attack had brought down all essential business and manufacturing operations. Most of the client's backups were online when the intrusion began and were encrypted along with production data. The client considered paying the ransom (more than $200,000) and hoping for the best, but ultimately decided to engage Progent.
"I can't say enough in regard to the expertise Progent gave us during the most fearful period of (our) business's existence. We might have had to pay the hackers if not for the confidence the Progent experts gave us. That you could get our e-mail and critical servers back in less than one week was amazing. Each expert I interacted with or communicated with at Progent was totally committed to getting our company operational and was working at all hours to bail us out."
Progent worked hand in hand with the client to quickly identify and prioritize the essential systems that had to be recovered to keep departmental operations running:
- Microsoft Active Directory
- Microsoft Exchange Email
- MRP System
To begin, Progent followed incident response best practices by halting the spread and cleaning up compromised systems. Progent then started restoring Microsoft Active Directory, the core of enterprise networks built on Microsoft Windows. Microsoft Exchange will not function without Active Directory, and the client's MRP system ran on Microsoft SQL Server, which relied on Active Directory for authentication to its databases.
Within 48 hours, Progent had restored Active Directory to its pre-attack state. Progent then pressed ahead with rebuilding and recovering storage on mission-critical servers. All Exchange data and configuration information were intact, which sped up the Exchange rebuild. Progent was also able to collect local OST files (Outlook offline folder files) from staff PCs to recover mailbox contents. A fairly recent offline backup of the company's manufacturing systems made it possible to return these essential applications to users. Although much work remained to recover fully from the Ryuk attack, the most important systems were restored quickly:
"For the most part, the production line operation did not miss a beat and we did not miss any customer deliverables."
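The OST harvesting mentioned above is the step a responder most often has to improvise under pressure. The following PowerShell script is an added example written for this page; it is not Progent's tooling and is not described in the case study. It assumes a domain account with local administrator rights on the workstations, a text file of reachable hostnames, and a hypothetical read-only staging share named \\recovery01\ost-staging$. It copies every OST it finds, checks the copy against a SHA-256 hash of the original, and also checks the file's first four bytes for the "!BDN" magic that every intact PST/OST file starts with, so a file that ransomware overwrote but left named .ost is flagged rather than trusted.

```powershell
# Added example, not part of the original case study.
# Harvest Outlook OST caches from workstations into a staging share before any
# mailbox rebuild, recording hashes and an integrity flag in a manifest.
# Assumptions (hypothetical): C:\recovery\workstations.txt lists one hostname per
# line, and \\recovery01\ost-staging$ is a share the incident team controls.

$Computers   = Get-Content -Path 'C:\recovery\workstations.txt'   # assumed input file
$StagingRoot = '\\recovery01\ost-staging$'                         # hypothetical share
$Manifest    = Join-Path $StagingRoot 'ost-manifest.csv'
$Results     = @()

# Intact PST/OST files begin with the bytes "!BDN" (MS-PST header dwMagic).
# A ransomware-encrypted file that kept its .ost name will fail this check.
function Test-OstHeader {
    param([string]$Path)
    $fs  = [System.IO.File]::OpenRead($Path)
    $hdr = New-Object byte[] 4
    [void]$fs.Read($hdr, 0, 4)
    $fs.Close()
    return ([System.Text.Encoding]::ASCII.GetString($hdr) -eq '!BDN')
}

foreach ($pc in $Computers) {
    if (-not (Test-Connection -ComputerName $pc -Count 1 -Quiet)) {
        Write-Warning "$pc is unreachable; skipping"
        continue
    }

    # Default OST location for Outlook 2013 and later is %LOCALAPPDATA%\Microsoft\Outlook.
    # Reading through the C$ admin share avoids logging on to the PC interactively.
    $profiles = Get-ChildItem -Path "\\$pc\C$\Users" -Directory -ErrorAction SilentlyContinue

    foreach ($profile in $profiles) {
        $ostDir = Join-Path $profile.FullName 'AppData\Local\Microsoft\Outlook'
        $osts   = Get-ChildItem -Path $ostDir -Filter '*.ost' -File -ErrorAction SilentlyContinue

        foreach ($ost in $osts) {
            $headerOk = Test-OstHeader -Path $ost.FullName

            # Hash the source before copying so a later mismatch reveals a
            # truncated or altered copy.
            $srcHash = (Get-FileHash -Path $ost.FullName -Algorithm SHA256).Hash

            $destDir = Join-Path $StagingRoot "$pc\$($profile.Name)"
            New-Item -Path $destDir -ItemType Directory -Force | Out-Null
            $dest = Join-Path $destDir $ost.Name
            Copy-Item -Path $ost.FullName -Destination $dest -Force

            $dstHash = (Get-FileHash -Path $dest -Algorithm SHA256).Hash

            $Results += [pscustomobject]@{
                Computer   = $pc
                Profile    = $profile.Name
                SourcePath = $ost.FullName
                SizeMB     = [math]::Round($ost.Length / 1MB, 1)
                LastWrite  = $ost.LastWriteTime
                SHA256     = $srcHash
                HeaderOK   = $headerOk
                CopyOK     = ($srcHash -eq $dstHash)
            }
        }
    }
}

$Results | Export-Csv -Path $Manifest -NoTypeInformation

# Anything that failed either check needs a second look before it is relied on.
$Results | Where-Object { -not ($_.HeaderOK -and $_.CopyOK) } |
    Format-Table Computer, Profile, SourcePath, HeaderOK, CopyOK
```

Two caveats a responder should keep in mind. Run the harvest before any user launches Outlook against a rebuilt or empty mailbox, because Outlook treats the server copy as authoritative and will reconcile the local cache against it. Also, an OST cannot simply be opened like a PST once it is separated from the mailbox and profile that created it; getting its contents into the restored Exchange environment requires either the original profile or a separate OST-to-PST conversion tool, which is why the script stages files with hashes rather than attempting any import itself.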
Over the following weeks, important milestones in the restoration were reached through close cooperation between Progent consultants and the client:
- Internal web sites were brought back up without data loss.
- The MailStore Server archive containing more than 4 million historical emails was restored and made available to users.
- CRM, product ordering, invoicing, accounts payable, accounts receivable (AR) and inventory functions were 100% operational.
- A new Palo Alto Networks PA-850 firewall was installed.
- Nearly all user workstations were back in operation.
"A lot of what transpired in the early hours is almost entirely a fog for me, but I will not soon forget the countless hours the whole team put in to help get our company back. I have trusted Progent for the past ten years, maybe more, and each time Progent has come through and delivered. This situation was no exception, but maybe more Herculean."
A probable business-ending catastrophe was avoided through dedicated professionals, a broad range of IT skills, and close collaboration. Post-incident forensics showed that the attack described here could have been prevented with up-to-date security technology, ISO/IEC 27001 best practices, user training, and properly executed procedures for data protection and software patching. Nevertheless, state-sponsored and criminal cyber gangs from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware incident, remember that Progent's team has substantial experience in ransomware prevention, remediation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thanks very much for letting me get some sleep after we made it over the initial fire. All of you did an amazing job, and if anyone is in the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Consulting in Irving
For ransomware cleanup services in the Irving metro area, phone Progent at 800-462-8800 or go to Contact Progent.