Crypto-Ransomware: Your Feared Information Technology Nightmare
Ransomware has become a modern cyberplague that poses an existential danger to any organization vulnerable to an attack. Ransomware families such as Dharma, CryptoWall, Locky, Syskey and the MongoLock cryptoworms have been in the wild for years and continue to cause destruction. More recent crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Nephilim, along with a steady stream of as yet unnamed strains, not only encrypt online data but also encrypt any system backup they can reach. Data replicated to off-site disaster recovery sites can be encrypted as well. In a poorly designed environment this leaves automatic restoration hopeless and effectively sets the entire organization back to square one.
Restoring applications and data after a ransomware event becomes a race against the clock as the targeted organization struggles to stop lateral movement, clear the malware and bring mission-critical operations back. Because crypto-ransomware needs time to spread, attacks are usually launched on weekends and at night, when the intrusion may go unnoticed longer. This compounds the difficulty of promptly assembling and coordinating an experienced response team.
Progent offers a range of services for protecting Barra da Tijuca enterprises from crypto-ransomware attacks. These include staff training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and the setup and configuration of next-generation security solutions that use AI technology to automatically detect and contain zero-day threats. Progent also offers the services of seasoned ransomware recovery engineers with the track record and perseverance to rebuild a breached network as quickly as possible.
Progent's Crypto-Ransomware Recovery Help
After a ransomware attack, paying the ransom in Bitcoin provides no assurance that the attackers will respond with the keys needed to decrypt any or all of your files. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their files after sending off the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is far higher than typical crypto-ransomware demands, which ZDNET determined to be around $13,000 for smaller organizations. The alternative is to piece the essential parts of your Information Technology environment back together. Without usable backups of essential data, this calls for a broad complement of skill sets, professional project management, and the willingness to work around the clock until the recovery is complete.
For decades, Progent has provided professional Information Technology services to companies throughout the US and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who hold high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers hold internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has expertise with financial systems and ERP software. This breadth of expertise allows Progent to rapidly identify the systems that matter most, salvage what remains of your network environment after a crypto-ransomware attack, and rebuild it into a functioning network.
Progent's security group uses state-of-the-art project management tools to orchestrate the complex recovery process. Progent understands the importance of working swiftly and in unison with a client's management and Information Technology staff to prioritize tasks and bring the most important systems back online as fast as possible.
Customer Story: A Successful Ransomware Penetration Restoration
A client escalated to Progent after their organization was taken over by Ryuk ransomware. Ryuk is thought to have been created by North Korean state-sponsored cybercriminals, possibly adopting techniques leaked from the US NSA. Ryuk targets specific companies with little or no tolerance for operational disruption and is among the most profitable ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company headquartered in the Chicago metro area with about 500 employees. The Ryuk intrusion had disabled all company operations and manufacturing capabilities. Most of the client's data backups had been directly accessible from the network at the start of the intrusion and were encrypted. The client was actively seeking loans to pay the ransom (exceeding $200K) and hoping for the best, but ultimately reached out to Progent.
"I cannot speak enough about the care Progent gave us throughout the most fearful time of (our) business's existence. We would have paid the Hackers if not for the confidence the Progent team gave us. That you were able to get our e-mail and important servers back on-line in less than one week was amazing. Every single expert I talked with or communicated with at Progent was urgently focused on getting us back on-line and was working day and night on our behalf."
Progent worked hand in hand with the client to quickly identify and prioritize the essential applications that had to be addressed before company operations could restart:
- Active Directory
- Microsoft Exchange
- Accounting and Manufacturing Software
To begin, Progent followed industry best practices for malware incident response by containing the spread and cleaning infected systems. Progent then started the work of bringing Windows Active Directory back online, the heart of any enterprise network built on Microsoft Windows Server. Microsoft Exchange Server messaging cannot function without Windows AD, and the business's MRP system ran on SQL Server, which relies on Windows AD for authentication and authorization to its databases.
In less than two days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then began setup and disk recovery on the most important systems. All Exchange data and attributes were intact, which simplified the restore of Exchange. Progent was also able to locate intact OST files (Outlook Offline Data Files) on staff workstations and laptops and use them to recover mail messages. A recent offline backup of the business's accounting systems made it possible to bring these required applications back online for users. Although a great deal of work remained to recover completely from the Ryuk attack, core services were returned to operation rapidly:
"For the most part, the manufacturing operation was never shut down and we delivered all customer orders."
Over the following couple of weeks, critical milestones in the recovery project were accomplished in close collaboration between Progent team members and the client:
- In-house web sites were restored without any loss of data.
- The MailStore Server archive, holding more than four million historical messages, was restored to operation and made accessible to users.
- The CRM/Orders/Invoicing/Accounts Payable/Accounts Receivable/Inventory Control modules were 100 percent operational.
- A new Palo Alto 850 security appliance was brought online.
- Most of the user desktops were fully operational.
"A huge amount of what transpired in the early hours is nearly entirely a haze for me, but my management will not forget the dedication each and every one of you accomplished to help get our business back. I have been working with Progent for at least 10 years, possibly more, and every time Progent has impressed me and delivered. This situation was a stunning achievement."
A potential business catastrophe was averted thanks to hard-working professionals, a wide array of subject matter expertise, and close collaboration. In hindsight, the ransomware incident described here should have been prevented by up-to-date cyber security solutions and NIST Cybersecurity Framework best practices, user and IT administrator education, and sound procedures for data backup and software patching. The fact remains, however, that state-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to ransomware, you can be confident that Progent's roster of professionals has proven experience in ransomware prevention, remediation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for letting me get some sleep after we made it past the initial push. All of you did an amazing job, and if any of you guys are around the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)