Crypto-Ransomware: Your Crippling Information Technology Nightmare
Ransomware has become an escalating plague that poses an existential threat to any business vulnerable to an attack. Older crypto-ransomware families such as CryptoLocker, CryptoWall, Locky, Syskey and MongoLock have been out in the wild for years and still inflict damage. Modern variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Egregor, along with newer and as yet unnamed malware, not only encrypt on-line files but also seek out any reachable backup and recovery mechanism, deleting shadow copies and encrypting backup volumes that are mounted or otherwise accessible from the compromised network. Files synched to the cloud are overwritten with their encrypted versions as well. In a vulnerable environment this renders restore operations useless and effectively sets the entire system back to square one.
Getting applications and data back on-line after a ransomware attack is a race against the clock: the targeted organization must stop the spread, eradicate the malware and restore business-critical activity all at once. Because crypto-ransomware needs time to spread and encrypt, attacks are usually sprung at night, when an intrusion typically takes longer to notice. This compounds the difficulty of quickly assembling and coordinating an experienced response team.
Progent provides a range of services for protecting Atlanta enterprises from ransomware attacks. These include user training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security products that use AI-based behavioral analysis to detect and contain zero-day threats automatically. Progent also provides seasoned crypto-ransomware recovery engineers with the skills and commitment to rebuild a compromised environment as rapidly as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware incident, paying the ransom demanded in cryptocurrency provides no assurance that the criminal gang will hand over the keys needed to decrypt all your files. Kaspersky Lab found that 17% of crypto-ransomware victims never recovered their data after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above typical ransomware demands, which ZDNet estimated at around $13,000 for smaller businesses. The alternative is to rebuild the mission-critical parts of your IT environment. Without access to complete, uncompromised system backups, this requires a broad set of skills, first-rate project management, and the willingness to work non-stop until the job is done.
For decades, Progent has provided expert IT services to businesses across the US and holds Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers holding top industry certifications in foundation technologies including Microsoft, Cisco, VMware and the popular Linux distributions. Progent's security consultants hold internationally recognized certifications including CISA, CISSP, CRISC and SANS GIAC (see Progent's certifications). Progent also has expertise in financial management and ERP software. This breadth of experience allows Progent, after a ransomware incident, to quickly identify the systems that must be rebuilt, salvage the surviving components of your IT environment, and reassemble them into a functioning network.
Progent's security team uses modern project management tools to coordinate the complex recovery process. Progent appreciates the importance of acting quickly and in unison with a client's management and IT staff to prioritize tasks and put essential applications back on line as soon as humanly possible.
Customer Case Study: A Successful Ransomware Attack Response
A customer sought out Progent after their network was penetrated by the Ryuk ransomware. Ryuk was initially linked to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; later analysis attributes it to Russian-speaking criminal groups. Ryuk targets specific businesses with little tolerance for downtime and is one of the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a manufacturing company headquartered in the Chicago metro area with around 500 employees. The Ryuk infection had paralyzed all business operations and manufacturing processes. Most of the client's backups were on-line when the attack began and were themselves encrypted. The client was preparing to pay the ransom (more than $200,000) and hope for the best, but ultimately engaged Progent instead.
"I cannot thank you enough in regards to the expertise Progent provided us during the most critical period of (our) company's life. We most likely would have paid the cybercriminals if it wasn't for the confidence the Progent team provided us. That you could get our e-mail and key servers back on-line quicker than one week was earth shattering. Every single expert I talked with or texted at Progent was laser focused on getting our system up and was working 24 by 7 to bail us out."
Progent worked with the customer to quickly understand and prioritize the mission-critical areas that had to be recovered for business to continue:
First, Progent followed ransomware incident response best practice by isolating affected systems to halt the spread and cleaning them. Progent then began rebuilding Active Directory, the foundation of any enterprise environment built on Microsoft Windows: Exchange will not run without Active Directory, and the client's MRP system ran on Microsoft SQL Server, which relied on Active Directory authentication for access to its data.
- Active Directory (AD)
In under 48 hours, Progent restored Active Directory to its pre-intrusion state. Progent then rebuilt the servers and performed hard drive recovery for the required applications. All Microsoft Exchange Server data and configuration information were still usable, which simplified the Exchange rebuild. Progent located intact OST files (Microsoft Outlook Offline Folder Files) on staff workstations and laptops and used them to recover email messages. A reasonably recent off-line backup of the company's accounting/MRP software made it possible to bring those essential services back to users. Although much work remained before the recovery from Ryuk was complete, the essential systems were back quickly:
"For the most part, the manufacturing operation did not miss a beat and we did not miss any customer deliverables."
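The mail recovery described above depended on telling which OST files on workstations were still intact before copying them off. As an added example, not part of Progent's case study or tooling, the script below walks a directory tree, picks out anything named like an Outlook data file (including copies that ransomware has renamed with an extra extension), and checks whether the file still begins with the PST/OST magic bytes "!BDN"; an encrypted file no longer has that header. The workstation directory layout, the user names, and the ".locked" extension are constructed for the demonstration.

```python
"""Triage Outlook OST/PST files after a ransomware incident (added example).

Every PST and OST file starts with the little-endian magic 0x4E444221,
i.e. the bytes b"!BDN".  Ransomware that encrypts the file destroys that
header, so a four-byte read is enough to sort candidate files into ones
worth salvaging and ones that are not.
"""
import os
import re
import tempfile
from typing import Dict, List

PST_MAGIC = b"!BDN"

# Matches "foo.ost", "foo.pst" and one renamed form such as "foo.ost.locked";
# many ransomware families append their own extension after the original.
DATA_FILE_RE = re.compile(r"\.(ost|pst)(\.[^.]+)?$", re.IGNORECASE)


def classify_outlook_file(path: str) -> str:
    """Return 'intact', 'damaged' or 'empty' based on the file header."""
    with open(path, "rb") as fh:
        header = fh.read(len(PST_MAGIC))
    if not header:
        return "empty"
    return "intact" if header == PST_MAGIC else "damaged"


def scan_for_outlook_files(root: str) -> Dict[str, List[str]]:
    """Walk root and bucket every candidate OST/PST file by classification."""
    report: Dict[str, List[str]] = {"intact": [], "damaged": [], "empty": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if DATA_FILE_RE.search(name):
                full = os.path.join(dirpath, name)
                report[classify_outlook_file(full)].append(full)
    for bucket in report.values():
        bucket.sort()
    return report


def build_sample_tree(root: str) -> None:
    """Create a constructed set of files mimicking two staff workstations."""
    os.makedirs(os.path.join(root, "ws01", "Outlook"), exist_ok=True)
    os.makedirs(os.path.join(root, "ws02", "Outlook"), exist_ok=True)
    # Healthy OST: magic followed by placeholder header bytes (constructed).
    with open(os.path.join(root, "ws01", "Outlook", "alice@example.com.ost"), "wb") as fh:
        fh.write(PST_MAGIC + b"\x00" * 60)
    # Encrypted and renamed by a hypothetical ransomware family: header gone.
    with open(os.path.join(root, "ws02", "Outlook", "bob@example.com.ost.locked"), "wb") as fh:
        fh.write(b"\x8f\x1a\x22\xb7" + b"\x5c" * 60)
    # Zero-byte file left behind by an interrupted sync.
    open(os.path.join(root, "ws02", "Outlook", "archive.pst"), "wb").close()
    # Unrelated file that the scan must ignore.
    with open(os.path.join(root, "ws01", "notes.txt"), "w") as fh:
        fh.write("not an outlook file\n")


def demo_report() -> Dict[str, List[str]]:
    """Build the constructed tree in a temp dir and return relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        report = scan_for_outlook_files(tmp)
        return {bucket: [os.path.relpath(p, tmp).replace(os.sep, "/") for p in paths]
                for bucket, paths in report.items()}


if __name__ == "__main__":
    for bucket, paths in demo_report().items():
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

Point the scan at a share or mounted image of each workstation's user profile; files in the "intact" bucket are candidates for import into a rebuilt mailbox, while "damaged" files only tell you which mailboxes still need another source.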
Over the following few weeks, further milestones in the recovery were reached through close collaboration between Progent's team and the customer:
- Self-hosted web sites were restored without any loss of data.
- The MailStore Server, holding more than 4 million archived messages, was brought back on-line and made accessible to users.
- The CRM, Customer Orders, Invoices, Accounts Payable, Accounts Receivable and Inventory Control modules were fully recovered.
- A new Palo Alto Networks PA-850 firewall was brought on-line.
- Most of the desktop computers were back in operation.
"A lot of what went on that first week is nearly entirely a blur for me, but my management will not forget the commitment each of you accomplished to help get our business back. I have trusted Progent for at least 10 years, possibly more, and each time Progent has impressed me and delivered. This time was no exception but maybe more Herculean."
A potentially business-ending catastrophe was averted thanks to results-oriented professionals, a broad range of technical expertise and close collaboration. The forensic review afterwards showed that the intrusion described here could have been detected and stopped with modern security technology, ISO/IEC 27001 best practices, user training, and proper controls for backup and patching; even so, the reality is that state-sponsored and criminal cyber gangs from Russia, North Korea and elsewhere are relentless and remain an ongoing threat. If you do fall victim to a ransomware attack, remember that Progent's team has extensive experience in crypto-ransomware defense, mitigation and data recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), I'm grateful for allowing me to get rested after we got over the most critical parts. Everyone did a fabulous job, and if anyone that helped is around the Chicago area, a great meal is on me!"
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB)