Crypto-Ransomware: Your Crippling IT Disaster
Ransomware has become an escalating cyber pandemic that poses an enterprise-level threat to businesses poorly prepared for an attack. Versions of ransomware such as Dharma, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been replicating for a long time and continue to inflict damage. More recent strains such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Egregor, as well as daily unnamed variants, not only encrypt online data but also infiltrate any reachable system restore points and backups. Information synced to cloud environments can also be rendered useless. In a poorly architected environment, this can make any restore operation useless and effectively sets the network back to square one.
Getting programs and data back online after a ransomware outage becomes a race against time as the victim struggles to stop the spread, clean up the crypto-ransomware, and resume mission-critical activity. Because crypto-ransomware needs time to move laterally, attacks are frequently sprung on weekends and holidays, when intrusions tend to take longer to identify. This multiplies the difficulty of promptly assembling and coordinating a knowledgeable mitigation team.
Progent offers a variety of services for protecting Barra da Tijuca enterprises from crypto-ransomware penetrations. Among these are staff education to help recognize and avoid phishing exploits, and ProSight Active Security Monitoring for endpoint detection and response, which uses SentinelOne's behavior-based cyberthreat protection to detect and contain zero-day modern malware attacks. Progent also offers the services of experienced ransomware recovery professionals with the skill and perseverance to reconstruct a compromised environment as quickly as possible.
Progent's Crypto-Ransomware Recovery Services
After a ransomware event, paying the ransom demand in Bitcoin does not ensure that the attackers will return the keys needed to decrypt all your files. Kaspersky found that 17% of ransomware victims never recovered their data even after paying the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is significantly above typical ransomware demands, which ZDNET estimated at around $13,000 for small businesses. The other path is to rebuild the mission-critical elements of your IT environment. Without access to complete data backups, this requires a broad range of skill sets, top-notch project management, and the ability to work non-stop until the recovery project is finished.
For two decades, Progent has provided professional IT services to businesses throughout the US and has earned Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who hold top certifications in key technologies from Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have earned internationally recognized certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications.) Progent also has experience with accounting and ERP application software. This breadth of experience gives Progent the ability to rapidly understand important systems, consolidate the surviving pieces of your network environment following a crypto-ransomware event, and rebuild them into an operational system.
Progent's ransomware team uses state-of-the-art project management tools to coordinate the complicated restoration process. Progent appreciates the urgency of acting rapidly and in concert with a client's management and IT staff to prioritize tasks and bring critical systems back online as soon as possible.
Business Case Study: A Successful Ransomware Incident Restoration
A customer engaged Progent after their company was penetrated by Ryuk crypto-ransomware. Ryuk is thought to have been created by North Korean state-backed criminal gangs, suspected of adopting techniques leaked from the United States NSA. Ryuk targets specific businesses with little tolerance for disruption and is among the most lucrative examples of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer located in Chicago with about 500 employees. The Ryuk intrusion had shut down all essential operations and manufacturing capabilities. The majority of the client's data backups had been directly accessible from the network at the start of the intrusion and were damaged. The client was preparing to pay the ransom (in excess of $200,000) and hoping for the best, but ultimately decided to engage Progent.
"I cannot thank you enough for the expertise Progent gave us during the most fearful time of (our) business's survival. We had little choice but to pay the hackers except for the confidence the Progent team provided us. That you were able to get our e-mail and critical servers back in under one week was amazing. Each expert I worked with or e-mailed at Progent was laser focused on getting our system up and was working 24 by 7 to bail us out."
Progent worked with the customer to quickly identify and prioritize the key services that had to be restored before business functions could restart:
- Active Directory
- Electronic Mail
To begin, Progent followed anti-virus incident mitigation industry best practices by halting the spread and cleaning infected systems. Progent then began rebuilding Microsoft Active Directory (AD), the foundation of enterprise environments built on Microsoft technology. Microsoft Exchange Server email will not operate without Windows AD, and the customer's accounting and MRP applications relied on Microsoft SQL Server, which requires Windows AD for authenticated access to the database.
In less than two days, Progent was able to restore Active Directory services to their pre-penetration state. Progent then assisted with setup and storage recovery on key systems. All Exchange Server links and attributes were intact, which accelerated the rebuild of Exchange. Progent was able to locate local OST files (Outlook Offline Data Files) on staff PCs in order to recover email data. A fairly recent offline backup of the customer's financials/MRP software made it possible to return these essential applications to service. Although significant work remained to recover completely from the Ryuk virus, essential services were restored quickly:
"For the most part, the manufacturing operation never missed a beat and we delivered all customer orders."
Over the next month, critical milestones in the recovery process were completed through close cooperation between Progent team members and the customer:
- Self-hosted web applications were returned to operation with no loss of data.
- The MailStore Exchange Server with over 4 million archived emails was brought on-line and accessible to users.
- CRM/Product Ordering/Invoices/Accounts Payable (AP)/AR/Inventory Control functions were 100% functional.
- A new Palo Alto Networks 850 security appliance was installed.
- Most of the desktop computers were operational.
"A lot of what happened in the initial days is mostly a blur for me, but my team will not forget the commitment each of you showed to help get our business back. I've been working together with Progent for the past 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This situation was a testament to your capabilities."
A potential business disaster was averted through the efforts of top-tier professionals, a wide spectrum of technical expertise, and tight teamwork. Forensic analysis concluded that the ransomware penetration described here could have been identified and prevented with current cyber security systems and best practices, staff education, well-designed incident response procedures for information protection, and keeping systems up to date with security patches. Nevertheless, the reality remains that state-sponsored cyber criminals from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware incident, you can be confident that Progent's team of experts has a proven track record in ransomware blocking, remediation, and file recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thanks very much for making it so I could get some sleep after we got through the initial fire. Everyone made an incredible effort, and if anyone that helped is visiting the Chicago area, a great meal is my treat!"
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click: Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Restoration Consulting Services in Barra da Tijuca
For ransomware system recovery consulting services in the Barra da Tijuca metro area, call Progent at 800-462-8800 or go to Contact Progent.