Crypto-Ransomware: Your Worst Information Technology Disaster
Ransomware has become an escalating cyber pandemic that represents an extinction-level danger for businesses of all sizes that are poorly prepared for an assault. Earlier ransomware families such as Reveton, CryptoWall, Bad Rabbit, SamSam and the MongoLock cryptoworms have been running rampant for a long time and still inflict harm. Modern ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Egregor, along with many less publicized variants, not only encrypts on-line data but also destroys most configured system backups. Files replicated to off-site disaster recovery sites can also be rendered useless. In a vulnerable environment, this can make automated restoration impossible and knocks the entire system back to square one.
Retrieving applications and data after a ransomware event becomes a sprint against time as the targeted business tries to contain the damage, eradicate the ransomware and restore mission-critical activity. Because crypto-ransomware needs time to spread, penetrations are frequently sprung on weekends, when successful attacks tend to take longer to uncover. This multiplies the difficulty of rapidly mobilizing and coordinating a knowledgeable response team.
Progent has a range of solutions for protecting Allentown businesses from ransomware events. These include team education to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of modern security solutions with artificial intelligence capabilities to intelligently identify and disable new cyber attacks. Progent also can provide the assistance of seasoned crypto-ransomware recovery consultants with the skills and commitment to re-deploy a breached network as quickly as possible.
Progent's Ransomware Recovery Support Services
Following a ransomware penetration, paying the ransom demand in cryptocurrency does not guarantee that the attackers will respond with the keys needed to decrypt all your files. Kaspersky Labs found that 17% of crypto-ransomware victims never restored their files even after paying the ransom, resulting in further losses. The risk is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is far above the typical crypto-ransomware demand, which ZDNET determined to be around $13,000 for smaller businesses. The other path is to piece back together the key elements of your IT environment. Without access to complete system backups, this requires a wide complement of skill sets, top-notch project management, and the willingness to work 24x7 until the job is complete.
For twenty years, Progent has offered expert Information Technology services for companies throughout the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have earned advanced industry certifications in foundation technologies from Microsoft, Cisco and VMware and in the major distributions of Linux. Progent's cyber security consultants hold internationally recognized industry certifications including CISM, CISSP, CRISC and SANS GIAC. (Visit Progent's certifications.) Progent also has expertise in financial management and ERP application software. This breadth of experience gives Progent the ability to efficiently identify the necessary systems, consolidate the remaining components of your IT environment following a crypto-ransomware event, and configure them into an operational system.
Progent's ransomware group deploys powerful project management applications to coordinate the sophisticated restoration process. Progent appreciates the importance of working rapidly and in unison with a client's management and IT staff to assign priority to tasks and to get essential systems back online as soon as possible.
Client Case Study: A Successful Ransomware Attack Response
A client hired Progent after their organization was crippled by Ryuk crypto-ransomware. Ryuk is believed to have been deployed by North Korean state-sponsored cybercriminals, suspected of adopting techniques leaked from the U.S. National Security Agency. Ryuk targets specific organizations with limited tolerance for disruption and is among the most profitable ransomware operations. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturer based in the Chicago metro area with about 500 staff members. The Ryuk event had paralyzed all business operations and manufacturing capabilities. Most of the client's backups had been directly accessible on-line at the start of the attack and were damaged. The client was actively seeking loans to pay the ransom demand (more than two hundred thousand dollars) and hoping for the best, but in the end called Progent.
"I cannot speak enough in regards to the help Progent provided us during the most fearful time of (our) company's existence. We would have had little choice but to pay the cyber criminals if not for the confidence the Progent group provided us. The fact that you were able to get our e-mail and important applications back into operation in less than 1 week was incredible. Every single expert I talked with or messaged at Progent was totally committed to getting us restored and was working at breakneck pace to bail us out."
Progent worked together with the client to quickly understand and prioritize the critical applications that needed to be recovered in order to restart departmental functions:
- Microsoft Active Directory
- Exchange Server
- Accounting and Manufacturing Software
To start, Progent followed incident response best practices by halting the spread and cleaning up compromised systems. Progent then began recovering Microsoft Active Directory, the foundation of enterprise environments built on Microsoft Windows technology. Microsoft Exchange Server email will not work without Active Directory, and the business's MRP software used Microsoft SQL Server, which depends on Active Directory for access control to its data.
Within 2 days, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then carried out reinstallations and hard drive recovery on critical servers. All Microsoft Exchange Server schema and attributes were intact, which greatly helped the rebuild of Exchange. Progent was also able to locate intact OST files (Microsoft Outlook Offline Data Files) on staff desktop computers and used them to recover mail data. A recent off-line backup of the customer's financials/ERP software made it possible to bring these essential applications back on-line. Although major work remained to recover fully from the Ryuk event, critical services were restored rapidly:
"For the most part, the manufacturing operation was never shut down and we did not miss any customer orders."
Over the following few weeks, critical milestones in the restoration project were achieved through tight cooperation between Progent engineers and the customer:
- In-house web applications were restored without losing any information.
- The MailStore archive for Exchange Server, containing more than 4 million archived emails, was brought on-line and made available to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivable/Inventory capabilities were 100 percent functional.
- A new Palo Alto Networks 850 firewall was installed and configured.
- 90% of the desktop computers were functioning as they had before the incident.
"So much of what went on in the initial days is nearly entirely a fog for me, but I will not soon forget the countless hours each and every one of your team put in to give us our company back. I've entrusted Progent for the past 10 years, possibly more, and every time I needed help Progent has come through and delivered. This situation was a Herculean accomplishment."
A likely business-ending catastrophe was avoided through hard-working professionals, a wide array of knowledge, and tight teamwork. Forensics completed after the event indicated that the crypto-ransomware attack described here could have been identified and disabled with advanced security technology, security best practices, staff training, and properly executed procedures for backup and for keeping systems current with security patches. The reality, however, is that state-sponsored hackers from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware penetration, remember that Progent's team of professionals has substantial experience in crypto-ransomware defense, mitigation, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thanks very much for making it so I could get some sleep after we made it over the initial push. All of you did an amazing job, and if any of your team is in the Chicago area, dinner is my treat!"
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)