Crypto-Ransomware : Your Worst IT Nightmare
Ransomware has become a modern cyber pandemic that presents an extinction-level danger for organizations vulnerable to an attack. Different iterations of ransomware such as the CrySIS, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been in the wild for a long time and continue to inflict havoc. More recent versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, along with frequently encountered, as yet unnamed variants, not only encrypt online critical data but also attack any configured system restore points and backups. Data synchronized to cloud environments can also be rendered useless. In a poorly architected environment, this can make automatic restoration hopeless and effectively set the datacenter back to square one.
Recovering services and information following a ransomware outage becomes a race against time as the victim fights to contain and remove the ransomware and to resume mission-critical activity. Because ransomware requires time to spread, attacks are usually sprung at night, when successful penetrations tend to take more time to discover. This compounds the difficulty of promptly marshalling and organizing a qualified mitigation team.
Progent makes available an assortment of solutions for protecting Atlanta businesses from ransomware events. These include team member education to recognize and avoid phishing attempts, and ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR), which uses SentinelOne's behavior-based threat protection to detect and contain zero-day malware attacks. Progent can in addition provide the services of experienced crypto-ransomware recovery consultants with the talent and perseverance to reconstruct a compromised environment as rapidly as possible.
Progent's Crypto-Ransomware Recovery Support Services
Following a ransomware event, paying the ransom demand in cryptocurrency provides no assurance that the criminal gang will return the keys needed to decrypt any or all of your data. Kaspersky Labs determined that 17% of ransomware victims never restored their data after paying the ransom, resulting in further losses. Paying is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is far higher than the usual crypto-ransomware demand, which ZDNET determined to be in the range of $13,000 for small organizations. The other path is to rebuild the vital parts of your IT environment. Without access to full data backups, this requires a wide complement of skills, well-coordinated project management, and the ability to work continuously until the job is complete.
For decades, Progent has provided expert Information Technology services for businesses across the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have attained advanced certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have earned internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent in addition has experience in accounting and ERP applications. This breadth of experience gives Progent the capability to knowledgeably determine which systems are necessary, organize the surviving parts of your Information Technology environment following a ransomware event, and assemble them into an operational network.
Progent's recovery team utilizes state-of-the-art project management tools to coordinate the sophisticated restoration process. Progent understands the urgency of working rapidly and in unison with a customer's management and Information Technology staff to assign priority to tasks and to put essential applications back on line as soon as humanly possible.
Client Story: A Successful Crypto-Ransomware Intrusion Recovery
A client escalated to Progent after their organization was penetrated by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state-sponsored cybercriminals, possibly adopting algorithms leaked from the US NSA. Ryuk targets specific organizations with little ability to sustain disruption and is one of the most profitable instances of ransomware malware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing business based in the Chicago metro area with around 500 employees. The Ryuk penetration had disabled all business operations and manufacturing capabilities. Most of the client's data backups had been online at the time of the attack and were encrypted. The client was actively seeking loans to pay the ransom demand (more than $200K) and hoping for the best, but ultimately called Progent.
"I cannot speak highly enough of the support Progent gave us during the most critical period of (our) business's life. We may have had to pay the hackers behind this attack if it wasn't for the confidence the Progent team provided us. The fact that you could get our e-mail and critical servers back into operation in less than one week was earth shattering. Each staff member I got help from or communicated with at Progent was urgently focused on getting my company operational and was working at all hours to bail us out."
Progent worked hand in hand with the client to rapidly assess and prioritize the key services that needed to be recovered in order to restart departmental functions:
To begin, Progent followed industry best practices for malware incident mitigation by stopping lateral movement and performing malware removal steps. Progent then started the task of rebuilding Microsoft Active Directory (AD), the core technology of enterprise networks built on Microsoft products. Exchange messaging will not function without AD, and the customer's MRP applications used Microsoft SQL Server, which relies on Windows AD for authentication and authorization of access to the data.
- Windows Active Directory
Within 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then began rebuilding and recovering hard drives for key applications. All Microsoft Exchange Server links and attributes in AD were intact, which accelerated the rebuild of Exchange. Progent was able to locate unencrypted OST files (Outlook Offline Data Files) on various PCs in order to recover email messages. A relatively recent offline backup of the customer's financials/MRP software made it possible to return these vital applications to service. Although a large amount of work remained to recover completely from the Ryuk attack, essential services were restored rapidly:
"For the most part, the manufacturing operation did not miss a beat and we produced all customer deliverables."
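The OST recovery step in the story above is, in practice, a triage job: find every Outlook data file left on workstations and tell the intact ones from those the ransomware has already rewritten. The script below is an added example, not Progent's tooling or part of the original case study. It walks a directory tree, keeps any file whose name contains .ost or .pst (on the assumption that an encrypted copy keeps the original extension somewhere in its name), checks for the "!BDN" magic that the OST/PST format places at offset 0, and otherwise falls back to an entropy test on the first 4 KB. The sample tree, host folder names and the ".locked" suffix are constructed placeholders.

```python
import math
import random
import tempfile
from pathlib import Path

# Outlook OST/PST files start with the 4-byte magic "!BDN" (dwMagic 0x4E444221
# in Microsoft's [MS-PST] file format specification).
OST_MAGIC = b"!BDN"
# Bits per byte above which a header sample is treated as ciphertext (assumed threshold).
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_mailfile(path: Path, sample_size: int = 4096) -> str:
    """Classify a candidate OST/PST file.

    'intact'    - the file still carries the OST/PST magic, so Outlook can open it
    'encrypted' - magic is gone and the leading bytes are near-random (ciphertext)
    'unknown'   - magic is gone but the content is not random (truncated, other format)
    """
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    if head.startswith(OST_MAGIC):
        return "intact"
    if len(head) >= 256 and shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "encrypted"
    return "unknown"


def inventory_mailfiles(root: Path) -> dict:
    """Walk a tree and classify every file whose name contains .ost or .pst.

    Matching a substring rather than the suffix also catches copies that a
    ransomware family renamed by appending its own extension.
    """
    results = {}
    for p in root.rglob("*"):
        name = p.name.lower()
        if p.is_file() and (".ost" in name or ".pst" in name):
            results[p.relative_to(root).as_posix()] = classify_mailfile(p)
    return results


def build_sample_tree(base: Path) -> Path:
    """Create a constructed sample tree (not real data) for a stand-alone run."""
    rng = random.Random(2024)  # deterministic pseudo-random "ciphertext"
    (base / "pc01").mkdir(parents=True, exist_ok=True)
    (base / "pc02").mkdir(exist_ok=True)
    # Intact OST: correct magic followed by zero padding.
    (base / "pc01" / "alice.ost").write_bytes(OST_MAGIC + bytes(4092))
    # Encrypted copy: magic gone, body near-random, placeholder extension appended.
    cipher = bytes(rng.getrandbits(8) for _ in range(4096))
    (base / "pc02" / "bob.ost.locked").write_bytes(cipher)
    # Damaged file: no magic, low entropy.
    (base / "pc02" / "old.pst").write_bytes(b"\x00" * 512)
    return base


def run_demo() -> dict:
    """Build the sample tree in a temporary directory and return the inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory_mailfiles(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for rel, verdict in sorted(run_demo().items()):
        print(f"{verdict:10s} {rel}")
```

Point `inventory_mailfiles` at a mounted workstation drive or a collected file share to produce a list of which mailbox caches are worth copying to the rebuilt Exchange environment; the "unknown" class is where a human should look before discarding anything.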
Over the next couple of weeks, important milestones in the restoration process were reached through close collaboration between Progent engineers and the customer:
- Self-hosted web applications were restored without losing any information.
- The MailStore archive for Microsoft Exchange Server, holding more than 4 million historical emails, was brought online and made available to users.
- CRM/Customer Orders/Invoices/AP/Accounts Receivables/Inventory Control functions were completely functional.
- A new Palo Alto 850 firewall was installed.
- Most of the user desktops and notebooks were operational.
"So much of what went on during the initial response is mostly a fog for me, but my management will not forget the care all of your team put in to help get our company back. I have been working together with Progent for the past ten years, maybe more, and each time I needed help Progent has impressed me and delivered. This event was a Herculean accomplishment."
A likely business disaster was averted by results-oriented experts, a broad array of subject matter expertise, and close collaboration. Although in retrospect the ransomware penetration detailed here could have been stopped with up-to-date cybersecurity technology and best practices, team training, and properly executed procedures for data backup and for keeping systems current with security patches, the reality is that government-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and will keep trying. If you do fall victim to a crypto-ransomware incident, remember that Progent's team of experts has proven experience in crypto-ransomware defense, cleanup, and information systems disaster recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for letting me get rested after we made it over the initial push. All of you did an amazing job, and if any of your team is in the Chicago area, a great meal is the least I can do!"
Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Consulting Services in Atlanta
For ransomware system recovery services in the Atlanta metro area, call Progent at 800-462-8800 or visit Contact Progent.