Crypto-Ransomware: Your Most Feared Information Technology Catastrophe
Crypto-ransomware has become an escalating cyber pandemic that poses an enterprise-level danger to any organization vulnerable to attack. Earlier ransomware families and lock-out schemes such as Reveton, WannaCry, Bad Rabbit, Syskey abuse and MongoLock have been around for years and continue to cause damage. More recent variants such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, along with newer strains that have not yet been named, do not merely encrypt on-line files: before encrypting, they also disable or delete system restore points and any backups they can reach (for example by purging Volume Shadow Copies and the Windows backup catalog). Data synchronized to cloud storage can be ransomed as well, because the sync client faithfully uploads the encrypted versions. In a poorly designed environment this can make restore operations hopeless and effectively knocks the network back to zero.
Bringing applications and data back on line after a ransomware outage becomes a race against time as the targeted organization fights to stop the spread, clear the ransomware and resume business-critical operations. Because ransomware needs time to spread, intrusions are frequently launched on weekends and holidays, when a successful attack may go unnoticed for longer. This compounds the difficulty of quickly mobilizing and organizing an experienced mitigation team.
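The two paragraphs above describe the tell-tale sequence that precedes encryption: the attacker removes recovery options (shadow copies, the backup catalog, Windows recovery boot settings), usually at night or on a weekend. The following detection logic is an added example written for this page, not Progent code or part of the case study. It runs over constructed process-creation events whose fields mirror Windows Security event 4688 / Sysmon event 1; the field names, the 07:00-19:00 business window and the five-minute correlation window are assumptions to tune locally, and the command-line patterns are the documented vssadmin / wbadmin / bcdedit / wmic commands that Ryuk-era ransomware runs before encrypting.

```python
"""Flag backup-destruction commands and off-hours execution in process-creation logs.

Added example for this page (not Progent's code). Input events are constructed to
look like Windows Security 4688 / Sysmon event 1 records; field names are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Documented pre-encryption commands used by Ryuk and similar families to remove
# recovery options. Which of these an environment alerts on is a local decision.
BACKUP_KILL_PATTERNS = [
    ("vss_delete",  re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vss_resize",  re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadow", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin_cat", re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("bcdedit_rec", re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
        r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events (not real logs). 2019-03-09 is a Saturday; the burst on
# FS01 is the pre-encryption sequence, the DC01 entry is a Monday-morning admin action.
SAMPLE_EVENTS = [
    {"time": "2019-03-08 14:02:11", "host": "WS-ACCT-07", "user": "CORP\\jdoe",
     "parent": "explorer.exe", "cmd": "vssadmin list shadows"},
    {"time": "2019-03-09 23:41:05", "host": "FS01", "user": "CORP\\svc_backup",
     "parent": "cmd.exe", "cmd": "vssadmin.exe Delete Shadows /all /quiet"},
    {"time": "2019-03-09 23:41:06", "host": "FS01", "user": "CORP\\svc_backup",
     "parent": "cmd.exe", "cmd": "wbadmin DELETE CATALOG -quiet"},
    {"time": "2019-03-09 23:41:07", "host": "FS01", "user": "CORP\\svc_backup",
     "parent": "cmd.exe", "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"time": "2019-03-09 23:41:08", "host": "FS01", "user": "CORP\\svc_backup",
     "parent": "cmd.exe", "cmd": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"time": "2019-03-11 09:15:30", "host": "DC01", "user": "CORP\\Administrator",
     "parent": "powershell.exe",
     "cmd": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded"},
]


def classify(cmd):
    """Return the names of every backup-destruction pattern a command line matches."""
    return [name for name, rx in BACKUP_KILL_PATTERNS if rx.search(cmd)]


def is_off_hours(timestamp, business_hours=(7, 19)):
    """True on weekends or outside the (assumed) local business window."""
    t = datetime.strptime(timestamp, TIME_FMT)
    start, end = business_hours
    return t.weekday() >= 5 or not (start <= t.hour < end)


def analyze(events, window_seconds=300):
    """One finding per host that ran a backup-destruction command.

    Two or more distinct techniques on a host inside the correlation window is rated
    'high' (that is the pre-encryption sequence); a single technique is 'medium'
    unless it ran off-hours, which also raises it to 'high'.
    """
    per_host = defaultdict(list)
    for ev in events:
        hits = classify(ev["cmd"])
        if hits:
            per_host[ev["host"]].append((ev, hits))

    findings = []
    for host, entries in per_host.items():
        times = [datetime.strptime(ev["time"], TIME_FMT) for ev, _ in entries]
        techniques = sorted({h for _, hits in entries for h in hits})
        span = (max(times) - min(times)).total_seconds()
        off_hours = any(is_off_hours(ev["time"]) for ev, _ in entries)
        burst = len(techniques) >= 2 and span <= window_seconds
        severity = "high" if (burst or off_hours) else "medium"
        findings.append({
            "host": host,
            "severity": severity,
            "techniques": techniques,
            "off_hours": off_hours,
            "users": sorted({ev["user"] for ev, _ in entries}),
        })
    return sorted(findings, key=lambda f: f["host"])


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The "list shadows" command on the workstation is deliberately not matched: enumeration is routine, deletion is not. The correlation step matters because a single vssadmin resize from an administrator on a Monday morning is a medium-confidence finding at most, whereas three distinct recovery-killing commands from one host within seconds on a Saturday night is the moment to isolate that host.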
Progent offers a range of services for protecting Barra da Tijuca organizations against crypto-ransomware attacks. These include staff training to help recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security gateways with artificial-intelligence features that detect and block emerging threats. Progent also provides experienced ransomware recovery professionals with the skills and persistence to rebuild a breached environment as quickly as possible.
Progent's Ransomware Recovery Help
Following a ransomware event, paying the ransom demand in cryptocurrency does not guarantee that the criminals will supply keys that decrypt all of your files. Kaspersky Labs found that seventeen percent of ransomware victims never recovered their files even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at then-current exchange rates), far above the average ransomware demand, which ZDNet estimated at around $13,000 for smaller businesses. The alternative is to piece back together the essential elements of your IT environment. Without complete data backups, this calls for a broad complement of skill sets, well-coordinated project management, and the willingness to work around the clock until the job is done.
For twenty years, Progent has provided certified expert IT services to companies throughout the U.S. and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants holding top industry certifications in leading technologies from Microsoft, Cisco, VMware and the major Linux distributions. Progent's cyber security experts hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC and SANS GIAC. (Visit Progent's certifications). Progent also has expertise in accounting and ERP application software. This breadth of experience allows Progent to quickly identify the systems that matter, reassemble the surviving parts of your IT environment after a ransomware attack, and configure them into a working network.
Progent's security team uses project management tooling to coordinate the complex restoration process. Progent understands the importance of acting swiftly and in concert with the client's management and IT staff to prioritize tasks and bring critical applications back on line as soon as possible.
Client Case Study: A Successful Ransomware Attack Restoration
A client sought out Progent after their company was hit by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored hackers because of its code overlap with the Hermes ransomware, but later analysis tied it to the Russian-speaking criminal group that operates the TrickBot botnet. Ryuk targets specific businesses with little or no tolerance for operational disruption and is one of the most lucrative ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-site manufacturing business in the Chicago metro area with around 500 employees. The Ryuk intrusion had halted all business operations and manufacturing processes. Most of the client's data backups had been directly reachable from the network when the attack began and were destroyed. The client was arranging financing to pay the ransom (more than two hundred thousand dollars) and hoping for the best, but in the end engaged Progent.
"I cannot tell you enough about the support Progent provided us throughout the most fearful time of (our) business's existence. We may have had to pay the cyber criminals behind the attack if not for the confidence the Progent team provided us. The fact that you could get our e-mail and production servers back into operation in less than one week was incredible. Each expert I got help from or messaged at Progent was totally committed to getting us working again and was working at all hours to bail us out."
Progent worked with the client to quickly identify and prioritize the mission-critical systems that had to be recovered in order to resume company operations:
- Microsoft Active Directory
- Electronic Mail
To begin, Progent followed ransomware incident response best practices by isolating and cleaning the infected systems. Progent then started restoring Active Directory, the core of any enterprise environment built on Microsoft Windows Server. Exchange messaging will not function without Windows AD, and the customer's MRP software ran on SQL Server and relied on Windows AD authentication for access to its data.
In less than 48 hours, Progent rebuilt Windows Active Directory to its pre-attack state. Progent then completed the rebuild and disk recovery of the remaining critical systems. All Microsoft Exchange Server data and attributes were usable, which sped up the Exchange rebuild. Progent was also able to collect local OST files (Microsoft Outlook Offline Data Files) from various PCs and laptops to recover mail data. A fairly recent offline backup of the company's accounting/MRP software made it possible to bring those essential services back to users. Although substantial work remained to recover fully from the Ryuk attack, the core systems were restored quickly:
"For the most part, the production line operation survived unscathed and we made all customer shipments."
Over the following weeks, the key milestones in the restoration were reached through close collaboration between Progent engineers and the customer:
- In-house web applications were restored without losing any data.
- The MailStore Server with over four million archived emails was spun up and accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable/AR/Inventory Control capabilities were 100% operational.
- A new Palo Alto Networks PA-850 firewall was deployed and configured.
- Ninety percent of user workstations were back in service.
"Much of what happened that first week is nearly entirely a fog for me, but our team will not soon forget the urgency all of you accomplished to give us our business back. I’ve entrusted Progent for at least 10 years, possibly more, and each time I needed help Progent has come through and delivered as promised. This time was a testament to your capabilities."
A likely business-ending catastrophe was averted through hard-working professionals, a wide array of IT skills and close teamwork. In hindsight, the crypto-ransomware attack described here should have been prevented by modern security technology and recognized best practices: staff training, well-thought-out incident response procedures, data protection that keeps backups out of reach of the network, and disciplined patch management. The reality remains, however, that state-sponsored and criminal attackers from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware attack, remember that Progent's roster of professionals has extensive experience in ransomware blocking, removal and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thank you for making it so I could get rested after we made it through the first week. All of you did a fabulous effort, and if any of your team is in the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)