Crypto-Ransomware : Your Feared IT Nightmare
Ransomware has become a modern cyber pandemic that presents an enterprise-level threat to any organization vulnerable to an assault. Versions of ransomware like the CryptoLocker, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for many years and still cause havoc. More recent versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Egregor, as well as newer malware not yet named, not only encrypt online data but also infect most available system backups. Information synchronized to off-site disaster recovery sites can also be corrupted. In a poorly architected system, this can render any restoration hopeless and effectively sets the network back to zero.
Retrieving programs and data following a ransomware outage becomes a race against time as the targeted business struggles to stop the spread, clear the crypto-ransomware, and restore business-critical operations. Because crypto-ransomware needs time to move laterally, penetrations are often sprung at night, when attacks tend to take longer to recognize. This compounds the difficulty of promptly mobilizing and coordinating a capable response team.
Progent makes available a range of services for securing Anaheim organizations from ransomware events. These include staff training to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of the latest generation security gateways with artificial intelligence technology to automatically discover and suppress new cyber attacks. Progent also provides the services of veteran ransomware recovery consultants with the talent and perseverance to re-deploy a breached network as quickly as possible.
Progent's Ransomware Restoration Help
Following a ransomware attack, paying the ransom demand in cryptocurrency does not provide any assurance that the cyber criminals will provide the keys to decrypt any of your information. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their information after having paid the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000). This is significantly higher than the average ransomware demand, which ZDNET determined to be around $13,000 for small businesses. The alternative is to piece back together the critical elements of your Information Technology environment. Without the availability of essential information backups, this calls for a wide complement of IT skills, top-notch team management, and the ability to work non-stop until the job is completed.
For twenty years, Progent has provided certified expert IT services for companies throughout the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have earned top industry certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have earned internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has experience with financial systems and ERP application software. This breadth of expertise gives Progent the capability to knowledgeably identify the necessary systems, integrate the remaining pieces of your IT system following a crypto-ransomware penetration, and configure them into a functioning network.
Progent's security group has powerful project management tools to orchestrate the complex restoration process. Progent understands the urgency of working rapidly and in concert with a customer's management and Information Technology staff to assign priority to tasks and to get critical applications back on line as fast as possible.
Customer Case Study: A Successful Crypto-Ransomware Penetration Response
A business engaged Progent after their organization was brought down by Ryuk crypto-ransomware. Ryuk is thought to have been created by North Korean state cybercriminals, possibly adopting techniques leaked from the U.S. NSA organization. Ryuk goes after specific businesses with little or no ability to sustain operational disruption and is one of the most profitable examples of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing business located in the Chicago metro area with around 500 employees. The Ryuk attack had disabled all essential operations and manufacturing processes. The majority of the client's system backups had been on-line at the beginning of the attack and were damaged. The client considered paying the ransom (in excess of $200,000) and hoping for the best, but in the end called Progent.
"I can't say enough in regards to the support Progent provided us throughout the most stressful time of (our) business's life. We most likely would have paid the Hackers if it wasn't for the confidence the Progent group provided us. That you were able to get our e-mail system and key servers back on-line in less than one week was amazing. Every single person I interacted with or texted at Progent was urgently focused on getting us restored and was working at breakneck pace on our behalf."
Progent worked together with the customer to rapidly understand and prioritize the most important areas that had to be addressed to make it possible to restart departmental functions:
- Active Directory
- Exchange Server
- MRP System
To get going, Progent followed anti-virus/malware incident mitigation best practices by halting the spread and cleaning infected systems. Progent then started the work of recovering Microsoft Active Directory (AD), the foundation of enterprise systems built on Microsoft Windows technology. Microsoft Exchange Server email will not operate without AD, and the customer's financials and MRP system relied on Microsoft SQL Server, which depends on Active Directory for authentication and authorization to the database.
In less than 48 hours, Progent was able to recover Active Directory to its pre-virus state. Progent then carried out reinstallations and storage recovery of essential applications. All Exchange Server ties and configuration information were intact, which greatly helped the restoration of Exchange. Progent was able to locate non-encrypted OST files (Outlook offline data files) on user PCs and laptops and used them to recover email information. A recent off-line backup of the client's accounting/ERP systems made it possible to bring these essential services back on-line. Although major work remained to recover totally from the Ryuk damage, the most important systems were restored quickly:
"For the most part, the assembly line operation ran fairly normal throughout and we did not miss any customer orders."
During the following few weeks, important milestones in the recovery process were reached in tight cooperation between Progent team members and the customer:
- In-house web applications were returned to operation without losing any data.
- The MailStore archive for Microsoft Exchange Server, holding more than four million historical messages, was brought back up and made available to users.
- CRM/Orders/Invoices/AP/Accounts Receivables/Inventory modules were fully functional.
- A new Palo Alto 850 security appliance was deployed.
- Nearly all of the desktop computers were back in use by staff.
"So much of what happened during the initial response is nearly entirely a haze for me, but my team will not forget the commitment all of the team accomplished to give us our company back. I have entrusted Progent for at least 10 years, maybe more, and each time I needed help Progent has shined and delivered. This situation was a life saver."
A probable business-ending disaster was averted by results-oriented experts, a wide range of technical expertise, and tight teamwork. Although in hindsight the ransomware attack detailed here could have been blocked with up-to-date security solutions, recognized best practices, staff training, properly executed incident response procedures, sound data backup practices, and keeping systems up to date with security patches, the reality is that state-sponsored hackers from Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a ransomware penetration, feel confident that Progent's roster of professionals has substantial experience in ransomware blocking, removal, and file disaster recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thank you for allowing me to get some sleep after we made it past the most critical parts. Everyone did an amazing effort, and if anyone that helped is around the Chicago area, dinner is the least I can do!"
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)