Crypto-Ransomware: Your Crippling Information Technology Nightmare
Ransomware has become an all-too-frequent cyber plague that poses an existential threat to businesses of any size that are unprepared for an attack. Families such as CryptoLocker, CryptoWall, Locky and MongoLock have circulated for years and continue to cause havoc. Modern strains such as Ryuk, Maze, Sodinokibi (REvil), NetWalker, Conti and Egregor, along with others not yet named, do not just encrypt online data: they deliberately seek out and encrypt or delete any backups reachable from the compromised network. Files synchronized to an off-site disaster recovery site can be rendered useless as well, because replication faithfully copies the encrypted versions over the good ones. In a poorly architected environment this can make any restore impossible and effectively knocks the business back to square one.
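The backup-poisoning scenario above is the one a practitioner should test for: a replication job will happily copy encrypted files over the off-site copy. The following is an added example, not code from Progent or from this page. It is a small Python gate that a sync job can run against a backup tree before replicating it; the tree is flagged when too many files have near-random content or when ransomware artifacts appear. The extension and ransom-note lists are illustrative (.RYK and RyukReadMe.txt are Ryuk's; the rest are placeholders), the 10 percent ratio threshold is an assumption, and the files it scans are constructed in a temporary directory.

```python
"""Pre-replication gate for a backup tree (added example, not Progent's code).

Mass encryption by ransomware leaves two traces that a sync job can check
before it overwrites the off-site copy: a jump in the share of files whose
content is near-random (encrypted), and ransom notes or renamed extensions.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions appended by ransomware. ".ryk" is Ryuk's; the others are
# placeholders to be replaced with threat intel for your environment.
RANSOM_EXTS = {".ryk", ".locked", ".encrypted"}
# Ryuk drops RyukReadMe.txt; the second name is an assumed placeholder.
RANSOM_NOTES = {"ryukreadme.txt", "readme_for_decrypt.txt"}
# Formats that are legitimately high-entropy and must not count as encrypted.
COMPRESSED_EXTS = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4",
                   ".pdf", ".docx", ".xlsx"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; cipher output sits around 7.9 and above."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, sample_bytes: int = 4096,
                    threshold: float = 7.5) -> bool:
    """True if the file carries a ransomware extension or its leading bytes
    are near-random; known compressed formats are exempt."""
    suffix = path.suffix.lower()
    if suffix in RANSOM_EXTS:
        return True
    if suffix in COMPRESSED_EXTS:
        return False
    with path.open("rb") as f:
        sample = f.read(sample_bytes)
    # tiny files give noisy entropy estimates, so they are ignored
    return len(sample) >= 256 and shannon_entropy(sample) >= threshold


def assess_tree(root, max_ratio: float = 0.10) -> dict:
    """Return counts and a go/no-go verdict for replicating `root`.
    max_ratio (assumed 10%) is the share of encrypted-looking files tolerated."""
    files = [p for p in Path(root).rglob("*") if p.is_file()]
    notes = [p for p in files if p.name.lower() in RANSOM_NOTES]
    encrypted = [p for p in files if looks_encrypted(p)]
    ratio = len(encrypted) / len(files) if files else 0.0
    return {
        "files": len(files),
        "encrypted": len(encrypted),
        "ratio": round(ratio, 3),
        "ransom_notes": len(notes),
        "safe_to_sync": not notes and ratio <= max_ratio,
    }


def _write_demo_tree(root: Path, poisoned: bool) -> None:
    """Constructed sample data: 10 plain-text 'documents'; when poisoned,
    4 of them are overwritten with random bytes (one keeps its original
    name, since some variants append no extension) plus a ransom note."""
    root.mkdir(parents=True, exist_ok=True)
    for i in range(10):
        (root / f"report{i}.txt").write_text(
            ("quarterly figures line %d\n" % i) * 40)
    if poisoned:
        for i in range(4):
            (root / f"report{i}.txt").unlink()
            name = "report0.txt" if i == 0 else f"report{i}.txt.RYK"
            (root / name).write_bytes(os.urandom(8192))
        (root / "RyukReadMe.txt").write_text("constructed ransom note\n")


def demo() -> dict:
    """Assess a clean tree and a poisoned tree; returns both verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, bad = Path(tmp) / "clean", Path(tmp) / "poisoned"
        _write_demo_tree(clean, poisoned=False)
        _write_demo_tree(bad, poisoned=True)
        return {"clean": assess_tree(clean), "poisoned": assess_tree(bad)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Run it directly to see both verdicts. The gate is a tripwire, not a substitute for backups that the compromised network cannot write to: immutable or offline copies (object-lock storage, tape, snapshots the backup service account cannot delete) are what keep a restore possible when everything online is encrypted.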
Restoring services and data after a ransomware attack becomes a race against the clock: the victim must stop lateral movement, eradicate the ransomware from every affected host, and bring business-critical activity back online. Because crypto-ransomware needs time to spread through a network before it detonates, the encryption phase is frequently launched at night or over a weekend, when a successful intrusion tends to go unnoticed for longer. This compounds the difficulty of quickly mobilizing and organizing a knowledgeable response team.
Progent offers a range of support services to protect Bellevue businesses from ransomware attacks. These include user training to help staff recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of current-generation security appliances with machine-learning capabilities that automatically detect and block new threats. Progent also offers the services of seasoned ransomware recovery experts with the skills and commitment to rebuild a compromised network as quickly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware attack, paying the ransom in Bitcoin does not guarantee that the remote criminals will respond with the keys to decrypt any or all of your files. Kaspersky Labs found that seventeen percent of ransomware victims never recovered their data after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the average ransomware demand, which ZDNet put at about $13,000 for small organizations. The other path is to rebuild the essential parts of your IT environment from scratch. Without access to usable backups, this requires a broad range of skills, first-rate project management, and the ability to work around the clock until the job is done.
For decades, Progent has provided expert IT services to businesses throughout the United States and has earned Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who hold advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's security consultants have earned internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC (refer to Progent's certifications). Progent also has expertise in financial systems and ERP software. This breadth of experience allows Progent to quickly identify the systems that must be recovered, salvage the surviving components of your network after a ransomware attack, and assemble them into a working environment.
Progent's security team uses powerful project management tools to coordinate the complex recovery process. Progent understands the importance of working quickly and in concert with a customer's management and IT staff to prioritize tasks and get critical services back online as soon as humanly possible.
Customer Story: A Successful Ransomware Recovery
A small business sought out Progent after their network was taken down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored hackers because of code it shares with the earlier Hermes ransomware, but it is now generally attributed to a Russian-speaking criminal group that also operates the TrickBot trojan used to deliver it. Ryuk targets specific organizations with little tolerance for operational disruption and is among the most profitable ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer in the Chicago area with around 500 employees. The Ryuk attack had frozen business operations and the systems that manufacturing depends on. Most of the client's backups were online and reachable from the compromised network at the time of the attack, so they were encrypted along with the production data. The client was arranging financing to pay the ransom (over $200K) and hoping for the best, but ultimately brought in Progent.
"I can't speak enough about the care Progent gave us throughout the most stressful time of (our) business's life. We may have had to pay the cyber criminals if not for the confidence the Progent team afforded us. That you were able to get our e-mail and key applications back into operation in less than a week was earth shattering. Each expert I spoke to or e-mailed at Progent was amazingly focused on getting us working again and was working non-stop on our behalf."
Progent worked with the customer to quickly identify and prioritize the critical systems that had to be recovered before departmental operations could restart:
- Active Directory
- Exchange Server
- Accounting and Manufacturing Software
To begin, Progent followed industry best practices for malware incident response by containing the spread and disinfecting affected systems. Progent then started the work of restoring Windows Active Directory, the heart of any environment built on Microsoft technology. Exchange messaging will not operate without Active Directory, and the business's accounting and MRP system ran on SQL Server, which depended on Active Directory for access to the database.
In less than two days, Progent restored Active Directory services to their pre-attack state. Progent then completed the reinstallation and storage recovery of key servers. All Exchange Server data and configuration information were usable, which greatly simplified the Exchange restore. Progent was also able to gather local OST files (Outlook offline data files) from staff PCs to recover email messages. A recent offline backup of the customer's accounting/ERP software allowed these essential applications to be brought back into service. Although a great deal of work remained to recover fully from the Ryuk attack, critical systems were restored quickly:
"For the most part, the production line operation was never shut down and we produced all customer shipments."
Over the next couple of weeks, key milestones in the recovery were completed through close cooperation between Progent engineers and the client:
- Self-hosted web sites were restored without any data loss.
- The MailStore email archive, holding more than 4 million archived Exchange messages, was restored to operation and made accessible to users.
- CRM, orders, invoicing, accounts payable, accounts receivable and inventory control functions were fully operational.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- Nearly all desktops and laptops were back in service.
"Much of what transpired those first few days is nearly entirely a blur for me, but my team will not soon forget the dedication all of you showed to give us our business back. I have been working together with Progent for the past 10 years, possibly more, and each time Progent has outperformed my expectations and delivered. This situation was a life saver."
A potentially business-ending catastrophe was averted by hard-working experts, a wide range of technical expertise, and close teamwork. In hindsight, the incident described here should have been detected and stopped by up-to-date security tooling, the controls prescribed by the NIST Cybersecurity Framework or ISO/IEC 27001, user education, and sound procedures for incident response, data protection and patch management. The reality, however, is that ransomware operators, including state-sponsored groups from Russia, North Korea and elsewhere, are tireless and are not going away. If you are hit by a ransomware attack, you can be confident that Progent's team has proven experience in blocking, removing and recovering from ransomware.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), I'm grateful for making it so I could get some sleep after we got over the most critical parts. All of you made a fabulous effort, and if any of you guys are in the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this customer story, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)