Crypto-Ransomware: Your Feared Information Technology Disaster
Ransomware has become an all-too-frequent cyberplague that represents an enterprise-level threat for businesses of every size that are poorly prepared for an assault. Multiple generations of ransomware such as the CrySIS, WannaCry, Locky, Syskey and MongoLock cryptoworms have been in the wild for a long time and still cause harm. More recent variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Egregor, plus a steady stream of as-yet-unnamed strains, not only encrypt online data files but also infiltrate most reachable system backups. Data synchronized to off-site disaster recovery sites can be rendered useless as well. In a vulnerable environment, this can make automated restoration hopeless and effectively knocks the entire system back to square one.
Restoring online services and data after a crypto-ransomware intrusion becomes a race against the clock as the victim fights to stop the spread, clean up the ransomware, and bring business-critical operations back. Because crypto-ransomware takes time to move laterally, attacks are usually sprung at night, when they take longer to uncover. This multiplies the difficulty of promptly marshalling and orchestrating an experienced mitigation team.
Progent provides a variety of services for securing Belo Horizonte enterprises against ransomware attacks. These include training to help staff recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of the latest generation of security gateways with AI capabilities that automatically identify and block new cyber threats. Progent also offers the assistance of experienced ransomware recovery consultants with the track record and perseverance to reconstruct a compromised network as quickly as possible.
Progent's Ransomware Recovery Services
After a ransomware penetration, even paying the ransom in cryptocurrency offers no assurance that the attackers will hand over the keys needed to decrypt all your data. Kaspersky determined that 17% of ransomware victims never recovered their information after sending the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is far higher than the average ransomware demand, which ZDNET estimated at approximately $13,000 for smaller organizations. The alternative is to rebuild the essential components of your IT environment. Without usable data backups, this calls for a broad complement of skill sets, top-notch team management, and the capability to work non-stop until the recovery project is completed.
For decades, Progent has offered certified expert Information Technology services to companies throughout the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who hold high-level industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers hold internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise in financial systems and ERP software solutions. This breadth of experience gives Progent the skills to rapidly identify critical systems after a ransomware event, salvage the remaining components of your network, and rebuild them into a functioning system.
Progent's security team deploys powerful project management tools to coordinate the sophisticated restoration process. Progent appreciates the importance of acting swiftly and in unison with a client's management and IT resources to assign priority to tasks and to get key systems back online as fast as possible.
Case Study: A Successful Crypto-Ransomware Virus Response
A small business sought out Progent after its network was attacked by Ryuk ransomware. Ryuk is thought to have been developed by North Korean state-sponsored cybercriminals, possibly using technology leaked from the U.S. NSA. Ryuk targets specific companies with little ability to sustain disruption and is one of the most profitable examples of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturer located in the Chicago metro area with about 500 employees. The Ryuk attack had disabled all business operations and manufacturing capabilities. The majority of the client's backups had been online at the start of the attack and were destroyed. The client was considering paying the ransom (more than $200,000) and hoping for the best, but ultimately brought in Progent.
"I cannot say enough about the help Progent gave us during the most stressful time of (our) company's survival. We may have had to pay the cybercriminals except for the confidence the Progent group provided us. That you could get our messaging and essential applications back faster than one week was something I thought impossible. Each staff member I interacted with or messaged at Progent was hell bent on getting my company operational and was working at all hours on our behalf."
Progent worked with the client to quickly identify and prioritize the most important services that had to be restored in order to restart business operations:
To begin, Progent followed ransomware incident mitigation best practices by stopping lateral movement and removing active malware. Progent then began recovering Windows Active Directory, the foundation of enterprise environments built on Microsoft Windows technology. Microsoft Exchange Server messaging will not function without Active Directory, and the business's accounting and MRP software used Microsoft SQL Server, which depends on Active Directory for authentication and authorization to the data.
- Active Directory
In less than two days, Progent recovered Active Directory services to their pre-attack state. Progent then began the setup and storage recovery of critical servers. All Exchange-related links and attributes in Active Directory were intact, which facilitated the rebuild of Exchange. Progent was able to collect intact OST files (Outlook Offline Folder Files) from team workstations and laptops to recover email data. A relatively recent offline backup of the customer's manufacturing software made it possible to bring these essential applications back online for users. Although major work remained to recover fully from the Ryuk attack, critical systems were restored quickly:
"For the most part, the production manufacturing operation survived unscathed and we produced all customer shipments."
Over the next month key milestones in the restoration project were achieved through tight cooperation between Progent consultants and the customer:
- Self-hosted web sites were returned to operation with no loss of information.
- The MailStore server, holding more than four million archived emails, was restored to operation and made accessible to users.
- CRM, order entry, invoicing, Accounts Payable (AP), Accounts Receivable (AR) and inventory capabilities were fully recovered.
- A new Palo Alto 850 firewall was set up.
- 90% of the user PCs were back into operation.
"A lot of what transpired those first few days is nearly entirely a fog for me, but our team will not forget the urgency all of you put in to give us our business back. I have entrusted Progent for the past 10 years, maybe more, and each time Progent has shined and delivered. This event was the most impressive ever."
A potentially enterprise-killing catastrophe was averted by dedicated professionals, a wide spectrum of technical expertise, and close teamwork. In hindsight, the ransomware incident described here should have been stopped by modern security technology and best practices, staff training, and well-designed incident response procedures for data protection and software patching. The reality remains, however, that state-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and will continue their attacks. If you do fall victim to a ransomware penetration, you can be confident that Progent's roster of professionals has extensive experience in crypto-ransomware blocking, removal, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were involved), thank you for allowing me to get some sleep after we made it over the first week. All of you did an amazing effort, and if anyone is in the Chicago area, a great meal is on me!"
Download the Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this case study, see:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB)