Crypto-Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become a modern cyberplague that represents an enterprise-level danger for businesses unprepared for an assault. Multiple generations of ransomware like the Reveton, Fusob, Locky, Syskey and MongoLock cryptoworms have been replicating for many years and still inflict harm. More recent crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, along with new and as yet unnamed strains appearing daily, not only encrypt on-line critical data but also attack every reachable system protection mechanism. Data synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly designed environment, an attack can defeat automatic restoration and effectively knock the entire system back to zero.
Restoring services and data after a ransomware event becomes a sprint against time as the victim tries to stop the spread, clear the virus and restore enterprise-critical operations. Because ransomware takes time to move laterally, attacks are usually launched on weekends and holidays, when a successful intrusion tends to go unnoticed for longer. This compounds the difficulty of rapidly marshalling and orchestrating a qualified mitigation team.
Progent has a range of solutions for securing Anaheim enterprises from crypto-ransomware attacks. Among these are team member training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of next-generation security solutions with artificial intelligence capabilities to intelligently detect and extinguish zero-day threats. Progent also provides the services of veteran ransomware recovery consultants with the talent and commitment to re-deploy a compromised environment as quickly as possible.
Progent's Ransomware Restoration Support Services
Following a ransomware penetration, paying the ransom demand in Bitcoin cryptocurrency does not provide any assurance that the cyber hackers will return the keys to decrypt any of your data. Kaspersky Labs estimated that 17% of ransomware victims never recovered their files even after having paid the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the typical crypto-ransomware demand, which ZDNET estimated to be around $13,000 for smaller organizations. The other path is to set up the key parts of your Information Technology environment from scratch. Without essential data backups, this calls for a broad range of skill sets, well-coordinated team management, and the ability to work 24x7 until the recovery project is over.
For twenty years, Progent has provided certified expert IT services for businesses across the US and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have earned high-level industry certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have garnered internationally-recognized industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with accounting and ERP application software. This breadth of experience gives Progent the skills to rapidly understand important systems and organize the surviving pieces of your network system following a ransomware event and rebuild them into a functioning network.
Progent's ransomware team of experts utilizes top-notch project management tools to coordinate the complicated recovery process. Progent understands the urgency of working rapidly and in unison with a client's management and Information Technology resources to prioritize tasks and to get key systems back on line as fast as humanly possible.
Customer Story: A Successful Crypto-Ransomware Intrusion Recovery
A business escalated to Progent after their network system was brought down by the Ryuk ransomware virus. Ryuk is believed to have been launched by North Korean state-sponsored hackers, possibly using approaches leaked from the United States NSA organization. Ryuk goes after specific businesses with little tolerance for disruption and is among the most profitable iterations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturer based in the Chicago metro area with around 500 staff members. The Ryuk intrusion had brought down all essential operations and manufacturing processes. Most of the client's backups had been directly accessible from the network at the time of the attack and were encrypted along with the production data. The client was considering paying the ransom (more than two hundred thousand dollars) and hoping for good luck, but ultimately made the decision to use Progent.
"I can't tell you enough about the help Progent provided us throughout the most critical time of (our) company's survival. We most likely would have paid the cyber criminals behind the attack except for the confidence the Progent team afforded us. That you could get our e-mail and production servers back online quicker than a week was incredible. Each staff member I worked with or communicated with at Progent was totally committed on getting us back on-line and was working at all hours to bail us out."
Progent worked with the client to rapidly identify and prioritize the most important areas that had to be restored in order to resume company functions:
- Active Directory (AD)
- MRP System
To get going, Progent adhered to anti-malware incident response industry best practices by isolating and removing active infections. Progent then initiated the task of bringing Windows Active Directory back online, the core of enterprise systems built upon Microsoft Windows technology. Microsoft Exchange Server messaging will not work without Active Directory, and the customer's accounting and MRP software used Microsoft SQL Server, which relies on Windows AD for authentication to the data.
Within 48 hours, Progent was able to rebuild Active Directory services to their pre-virus state. Progent then completed reinstallations and storage recovery of key systems. All Exchange Server data and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was able to locate intact OST files (Outlook Off-Line Data Files) on various workstations and laptops to recover mail messages. A relatively recent off-line backup of the customer's manufacturing software made it possible to bring these essential applications back online for users. Although a large amount of work was left to recover completely from the Ryuk event, essential services were returned to operation rapidly:
"For the most part, the assembly line operation survived unscathed and we made all customer sales."
Throughout the next few weeks important milestones in the restoration process were achieved through close cooperation between Progent engineers and the client:
- Self-hosted web sites were restored without losing any data.
- The MailStore archive of Microsoft Exchange Server mail, holding more than 4 million historical emails, was brought on-line and made available to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/AR/Inventory Control modules were 100 percent operational.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- 90% of the user workstations were back in use by staff.
"A huge amount of what was accomplished during the initial response is mostly a blur for me, but we will not soon forget the care each of the team put in to give us our company back. I have entrusted Progent for at least 10 years, maybe more, and each time Progent has impressed me and delivered. This time was a stunning achievement."
A possible business extinction disaster was avoided by top-tier professionals, a broad spectrum of IT skills, and close teamwork. In hindsight, the ransomware incident described here could have been prevented with modern cyber security technology and security best practices, user education, and well designed procedures for data backup and patch management. The reality remains, however, that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware virus, remember that Progent's roster of professionals has extensive experience in ransomware defense, mitigation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thank you for letting me get some sleep after we got over the initial fire. All of you did an amazing effort, and if anyone that helped is in the Chicago area, dinner is the least I can do!"
Download the Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)