Crypto-Ransomware : Your Worst IT Catastrophe
Crypto-ransomware has become an escalating cyberplague that represents an extinction-level danger for organizations unprepared for an attack. Multiple generations of crypto-ransomware, including the Reveton, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms, have been in the wild for a long time and continue to cause damage. Modern strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nephilim, plus daily unnamed variants, not only encrypt online data but also seek out and corrupt any reachable system backups. Files replicated to the cloud can also be rendered useless. In a poorly architected environment, this can make automated restoration hopeless and effectively knocks the network back to zero.
Restoring services and information after a crypto-ransomware attack becomes a race against the clock as the victim fights to contain and clear the ransomware and to restore mission-critical operations. Because crypto-ransomware needs time to move laterally, attacks are usually launched on weekends and at night, when intrusions typically take longer to identify. This compounds the difficulty of promptly marshalling and coordinating a capable response team.
Progent provides a variety of support services for protecting Aurora enterprises from crypto-ransomware intrusions. These include team member education to help staff recognize and avoid phishing exploits, and ProSight Active Security Monitoring, an endpoint detection and response (EDR) service that uses SentinelOne's AI-based threat protection to detect and block zero-day malware attacks. Progent also offers the assistance of expert ransomware recovery professionals with the track record and perseverance to reconstruct a compromised system as quickly as possible.
Progent's Crypto-Ransomware Recovery Services
After a crypto-ransomware event, even paying the ransom in Bitcoin does not guarantee that the criminals will return the keys needed to decrypt all your files. Kaspersky Labs found that 17% of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also costly. Ryuk ransoms frequently range from fifteen to forty BTC (roughly $120,000 to $400,000). This is far above the average ransomware demand, which ZDNET determined to be in the range of $13,000 for smaller organizations. The other path is to set up the critical components of your IT environment from scratch. Without access to full data backups, this requires a broad complement of skills, well-coordinated project management, and the willingness to work non-stop until the recovery project is finished.
For decades, Progent has offered expert IT services to businesses throughout the U.S. and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who hold high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers hold internationally recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has experience with accounting and ERP application software. This breadth of expertise lets Progent efficiently identify critical systems, consolidate the remaining pieces of your network following a crypto-ransomware intrusion, and configure them into an operational system.
Progent's recovery team utilizes powerful project management tools to coordinate the complex recovery process. Progent appreciates the importance of working rapidly and in concert with a client's management and IT resources to assign priority to tasks and to get the most important services back online as soon as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A business hired Progent after it was penetrated by Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state-sponsored criminal gangs, suspected of adopting techniques leaked from the United States National Security Agency. Ryuk targets organizations with little ability to sustain disruption and is among the most profitable ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer headquartered in Chicago with around 500 staff members. The Ryuk intrusion had frozen all essential business and manufacturing processes. Most of the client's backups had been online at the start of the intrusion and were encrypted along with the production data. The client was pursuing financing to pay the ransom (in excess of two hundred thousand dollars) and hoping for good luck, but ultimately reached out to Progent.
"I can't speak enough about the care Progent provided us throughout the most fearful period of (our) business's life. We most likely would have paid the cybercriminals if it wasn't for the confidence the Progent group afforded us. The fact that you were able to get our e-mail system and production applications back on-line in less than 1 week was earth shattering. Every single person I got help from or communicated with at Progent was totally committed to getting our system up and was working at breakneck pace on our behalf."
Progent worked together with the customer to quickly determine and prioritize the key services that had to be addressed in order to continue business operations:
- Active Directory
- Electronic Messaging
- Accounting and Manufacturing Software
To start, Progent followed incident response best practices by halting the spread of the malware and removing active infections. Progent then began recovering Microsoft Active Directory (AD), the core technology of enterprise networks built on Microsoft Windows. Microsoft Exchange Server messaging will not function without AD, and the business's financial and MRP systems used Microsoft SQL Server, which depends on Active Directory for authentication to the database.
Within 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then completed reinstallations and hard drive recovery on critical systems. All Exchange Server connectors and configuration information were usable, which greatly helped the restoration of Exchange. Progent was able to collect intact OST files (Outlook Offline Folder Files) from staff desktop computers to recover email data. A relatively recent offline backup of the customer's accounting/ERP systems made it possible to bring these vital services back online. Although significant work remained to recover fully from the Ryuk damage, essential services were recovered rapidly:
"For the most part, the manufacturing operation survived unscathed and we did not miss any customer orders."
During the following couple of weeks, critical milestones in the restoration project were reached through tight collaboration between Progent engineers and the client:
- In-house web sites were brought back up without losing any data.
- The MailStore archive for Exchange Server, holding more than 4 million archived messages, was brought back online and made available to users.
- The CRM, Product Ordering, Invoicing, Accounts Payable (AP), Accounts Receivable (AR) and Inventory modules were fully restored.
- A new Palo Alto Networks 850 security appliance was deployed.
- Nearly all of the desktop computers were functioning as before the incident.
"A huge amount of what was accomplished during the initial response is mostly a fog for me, but our team will not forget the urgency all of the team put in to give us our company back. I have utilized Progent for the past ten years, maybe more, and every time I needed help Progent has come through and delivered. This event was no exception but maybe more Herculean."
A potentially company-ending disaster was averted through results-oriented professionals, a broad range of IT skills, and tight collaboration. Post-incident analysis showed that the ransomware attack described here would have been identified and stopped by current cybersecurity solutions and best practices, team education, properly executed incident response procedures for data protection, and sound patching controls. Nonetheless, state-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and are not going away. If you do get hit by a crypto-ransomware intrusion, be confident that Progent's roster of professionals has proven experience in ransomware defense, remediation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), I'm grateful for letting me get some sleep after we made it through the first week. Everyone did an amazing job, and if any of you guys are visiting the Chicago area, dinner is my treat!"
Download the Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this customer case study, see Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware Recovery Consulting Services in Aurora
For ransomware recovery services in the Aurora area, call Progent at 800-462-8800 or see Contact Progent.