Crypto-Ransomware : Your Crippling IT Catastrophe
Ransomware has become a modern cyberplague that presents an existential danger for organizations vulnerable to an attack. Versions of crypto-ransomware like the CrySIS, Fusob, Locky, NotPetya and MongoLock cryptoworms have been around for years and continue to cause damage. Newer strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Nephilim, as well as as-yet-unnamed newcomers, not only encrypt critical online data but also infiltrate any configured system backup. Information synced to cloud environments can also be rendered useless. In a poorly designed environment, this can make automatic recovery impossible and effectively knocks the datacenter back to square one.
Getting applications and data back online after a ransomware outage becomes a race against the clock as the targeted business fights to contain and eradicate the virus and to restore mission-critical operations. Since ransomware takes time to replicate, assaults are usually sprung at night, when successful attacks tend to take longer to detect. This compounds the difficulty of promptly marshalling and organizing an experienced response team.
Progent offers a range of services for protecting Adelaide businesses from crypto-ransomware attacks. Among these are training team members to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security solutions with machine learning capabilities to automatically detect and quarantine zero-day cyber threats. Progent also offers the services of experienced ransomware recovery engineers with the skills and commitment to restore a breached environment as urgently as possible.
Progent's Crypto-Ransomware Recovery Support Services
After a ransomware event, paying the ransom in Bitcoin cryptocurrency does not ensure that criminal gangs will return the codes needed to decrypt all your files. Kaspersky estimated that seventeen percent of ransomware victims never restored their files after having paid the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical crypto-ransomware demand, which ZDNET estimated to be around $13,000 for smaller businesses. The fallback is to re-install the vital parts of your IT environment. Absent essential information backups, this calls for a broad range of skill sets, top-notch project management, and the capability to work 24x7 until the recovery project is finished.
For twenty years, Progent has provided professional Information Technology services for businesses throughout the U.S. and has achieved Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have been awarded top certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have garnered internationally recognized certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience in financial management and ERP application software. This breadth of expertise gives Progent the skills to knowledgeably identify the systems needed, salvage the remaining parts of your network environment after a ransomware event, and assemble them into an operational network.
Progent's recovery group uses top-notch project management tools to coordinate the complex recovery process. Progent knows the importance of acting swiftly and together with a client's management and Information Technology staff to prioritize tasks and to put essential systems back online as fast as humanly possible.
Customer Story: A Successful Crypto-Ransomware Virus Restoration
A small business contacted Progent after their network was penetrated by the Ryuk ransomware virus. Ryuk is generally considered to have been created by North Korean government-sponsored cybercriminals, suspected of adopting technology leaked from the U.S. NSA. Ryuk targets specific companies with little ability to sustain disruption and is one of the most lucrative instances of ransomware malware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing business headquartered in Chicago with about 500 staff members. The Ryuk intrusion had brought down all business operations and manufacturing capabilities. The majority of the client's data backups had been online at the beginning of the attack and were damaged. The client was preparing to pay the ransom (more than $200,000) and hoping for good luck, but in the end engaged Progent.
"I can't tell you enough in regards to the help Progent gave us during the most fearful period of (our) business's existence. We most likely would have paid the cyber criminals behind the attack if not for the confidence the Progent team provided us. That you were able to get our e-mail and key servers back into operation in less than 1 week was amazing. Each expert I talked with or e-mailed at Progent was totally committed to getting our system up and was working all day and night on our behalf."
Progent worked with the client to quickly identify and prioritize the essential services that needed to be restored to make it possible to continue business functions:
- Active Directory (AD)
- Microsoft Exchange
To start, Progent followed industry best practices for malware incident mitigation by halting lateral movement and cleaning up compromised systems. Progent then began rebuilding Windows Active Directory, the foundation of enterprise networks built on Microsoft Windows technology. Microsoft Exchange Server email will not function without Active Directory, and the business's accounting and MRP system used SQL Server, which requires Active Directory services for authentication to the data.
In less than 2 days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then began setup and storage recovery on critical servers. All Exchange data and attributes were usable, which facilitated the restore of Exchange. Progent was able to find intact OST files (Microsoft Outlook Offline Folder Files) on team desktop computers and laptops in order to recover email messages. A recent offline backup of the customer's accounting/MRP software made it possible to bring these required applications back online. Although major work remained to recover fully from the Ryuk damage, essential services were restored rapidly:
"For the most part, the production operation was never shut down and we delivered all customer orders."
Over the following few weeks, critical milestones in the restoration project were achieved through close cooperation between Progent engineers and the client:
- Internal web applications were brought back up without losing any information.
- The MailStore Server archive, containing over four million messages, was restored to operation and made accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/AR/Inventory Control modules were 100 percent restored.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- Most of the user desktops and notebooks were fully operational.
"Much of what occurred in the initial days is nearly entirely a haze for me, but my management will not soon forget the care each and every one of the team accomplished to help get our company back. I've utilized Progent for at least 10 years, maybe more, and each time I needed help Progent has impressed me and delivered. This event was a testament to your capabilities."
A potential business-killing disaster was averted by top-tier professionals, a wide array of knowledge, and tight teamwork. Although a post mortem shows that the ransomware penetration described here could have been stopped with current cybersecurity systems and ISO/IEC 27001 best practices, team training, and well-thought-out incident response procedures for data protection and software patching, the reality remains that state-sponsored cyber criminals from Russia, China and elsewhere are tireless and will continue. If you do fall victim to a crypto-ransomware attack, remember that Progent's roster of professionals has extensive experience in crypto-ransomware virus blocking, cleanup, and data disaster recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thank you for allowing me to get rested after we got through the initial push. All of you did an incredible job, and if any of you guys are visiting the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)