Crypto-Ransomware : Your Worst Information Technology Disaster
Ransomware has become a modern cyberplague that poses an enterprise-level danger for businesses poorly prepared for an attack. Multiple generations of ransomware like the Dharma, WannaCry, Locky, Syskey and MongoLock cryptoworms have been replicating for years and still cause damage. Newer variants of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Egregor, as well as frequent as-yet-unnamed malware, not only encrypt on-line data but also infiltrate most configured system backups. Files synched to cloud environments can also be encrypted. In a poorly designed data protection solution, this can make automated restoration impossible and effectively knocks the entire system back to square one.
Getting applications and data back on-line following a ransomware outage becomes a sprint against the clock as the targeted business struggles to stop lateral movement, eradicate the ransomware and resume mission-critical operations. Because crypto-ransomware requires time to replicate, attacks are often launched on weekends and holidays, when successful penetrations in many cases take more time to detect. This multiplies the difficulty of promptly mobilizing and coordinating a knowledgeable mitigation team.
Progent offers a variety of help services for protecting Aurora organizations from ransomware events. These include team education to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of modern security appliances with AI technology to automatically detect and extinguish day-zero threats. Progent also provides the services of veteran crypto-ransomware recovery professionals with the track record and perseverance to restore a breached network as quickly as possible.
Progent's Ransomware Recovery Services
Soon after a crypto-ransomware attack, sending the ransom in cryptocurrency does not guarantee that cyber criminals will provide the needed codes to decrypt any or all of your information. Kaspersky ascertained that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in increased losses. Paying is also costly in itself. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is greatly above the average ransomware demand, which ZDNET determined to be approximately $13,000 for smaller organizations. The alternative is to piece back together the essential parts of your Information Technology environment. Absent the availability of complete system backups, this requires a wide complement of IT skills, well-coordinated project management, and the willingness to work non-stop until the recovery project is finished.
For two decades, Progent has made available expert IT services for businesses throughout the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have earned high-level certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have earned internationally-renowned industry certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has experience with accounting and ERP applications. This breadth of experience affords Progent the skills to efficiently understand necessary systems and organize the surviving parts of your IT environment following a ransomware attack and assemble them into a functioning network.
Progent's security group uses powerful project management tools to orchestrate the complex recovery process. Progent knows the importance of working rapidly and together with a customer's management and IT resources to prioritize tasks and to get critical systems back on-line as fast as humanly possible.
Client Case Study: A Successful Ransomware Intrusion Response
A customer hired Progent after their company was brought down by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean government-sponsored hackers, possibly adopting approaches leaked from the U.S. NSA. Ryuk targets specific companies with limited tolerance for disruption and is one of the most profitable versions of ransomware. Major targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing business based in the Chicago metro area with about 500 staff members. The Ryuk penetration had frozen all business operations and manufacturing capabilities. Most of the client's system backups had been on-line at the time of the intrusion and were damaged. The client was pursuing financing to pay the ransom demand (exceeding $200,000) and praying for good luck, but ultimately engaged Progent.
"I cannot thank you enough in regards to the support Progent gave us throughout the most critical time of (our) company's life. We would have paid the hackers behind this attack if it wasn't for the confidence the Progent group provided us. That you could get our e-mail system and essential servers back sooner than one week was amazing. Each expert I talked with or texted at Progent was laser focused on getting us restored and was working breakneck pace on our behalf."
Progent worked with the customer to quickly identify and prioritize the mission-critical services that had to be addressed in order to restart business operations:
- Active Directory (AD)
- Microsoft Exchange Email
To get going, Progent adhered to AV/malware incident response best practices by halting the spread and disinfecting systems. Progent then began the work of recovering Microsoft AD, the key technology of enterprise networks built upon Microsoft technology. Microsoft Exchange Server email will not operate without Windows AD, and the business's financials and MRP software utilized SQL Server, which depends on Active Directory services for security authorization to the databases.
Within two days, Progent was able to re-build Active Directory to its pre-attack state. Progent then accomplished reinstallations and storage recovery of key systems. All Exchange Server data and configuration information were usable, which accelerated the rebuild of Exchange. Progent was able to locate intact OST data files (Outlook Email Offline Data Files) on staff workstations to recover mail information. A recent offline backup of the customer's accounting/ERP systems made it possible to bring these vital services back online. Although significant work remained to recover completely from the Ryuk event, critical services were recovered quickly:
"For the most part, the production manufacturing operation survived unscathed and we produced all customer shipments."
During the following month, critical milestones in the restoration project were reached in tight cooperation between Progent team members and the client:
- In-house web sites were returned to operation with no loss of data.
- The MailStore Server, holding more than 4 million archived messages, was brought online and made available to users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/AR/Inventory Control functions were 100 percent recovered.
- A new Palo Alto Networks 850 firewall was installed.
- Most of the user workstations were functioning as before the incident.
"A huge amount of what transpired in the early hours is mostly a blur for me, but we will not soon forget the care all of you accomplished to help get our business back. I have utilized Progent for at least 10 years, maybe more, and each time Progent has outperformed my expectations and delivered. This situation was no exception but maybe more Herculean."
A possible company-ending catastrophe was dodged thanks to results-oriented professionals, a wide array of subject matter expertise, and tight collaboration. In post mortem, the crypto-ransomware attack described here would have been identified and prevented with up-to-date cyber security technology and ISO/IEC 27001 best practices, staff education, and properly executed security procedures for data backup and software patching. The fact remains, however, that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a crypto-ransomware incident, feel confident that Progent's roster of professionals has substantial experience in crypto-ransomware defense, cleanup, and file restoration.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thanks very much for allowing me to get some sleep after we got through the initial fire. Everyone did a fabulous job, and if any of your team is around the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Consulting in Aurora
For ransomware system restoration consulting services in the Aurora area, call Progent at 800-462-8800 or go to Contact Progent.