Crypto-Ransomware : Your Crippling Information Technology Disaster
Crypto-ransomware has become an escalating cyber pandemic that poses an enterprise-level threat to businesses poorly prepared for an attack. Older ransomware families such as CrySIS, CryptoWall, Locky, NotPetya and MongoLock have been in the wild for years and still inflict damage. Newer strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nephilim, along with new and as yet unnamed variants that appear daily, not only encrypt online business-critical data but also seek out and destroy every accessible system restore point and backup. Data synced to cloud environments can be corrupted as well. In a poorly designed system this renders automatic restoration useless and effectively sets the entire environment back to zero.
Restoring services and data after a crypto-ransomware event becomes a race against the clock as the targeted organization fights to contain and remove the ransomware and to resume business-critical activity. Because crypto-ransomware takes time to spread, attacks are often launched on weekends and holidays, when a successful intrusion tends to go unnoticed for longer. This compounds the difficulty of promptly mobilizing and coordinating an experienced mitigation team.
Progent offers an assortment of services for protecting Beverly Hills businesses from ransomware attacks. These include team member training to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, in addition to installation of the latest generation security appliances with machine learning capabilities to intelligently discover and extinguish new threats. Progent also offers the assistance of seasoned crypto-ransomware recovery engineers with the track record and commitment to rebuild a breached network as quickly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware attack, even paying the ransom in Bitcoin does not guarantee that the attackers will hand over the keys needed to decrypt your data. Kaspersky estimated that 17% of ransomware victims never recovered their files after paying the ransom, compounding their losses. The gamble is also very expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000), far above the typical ransomware demand, which ZDNET determined to be around $13,000 for small organizations. The other path is to rebuild the vital elements of your IT environment from scratch. Without full data backups, this calls for a broad complement of IT skills, well-coordinated team management, and the willingness to work 24x7 until the recovery project is complete.
For decades, Progent has provided expert IT services to companies throughout the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants with high-level certifications in key technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security experts hold internationally recognized certifications including CISM, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of expertise allows Progent to quickly understand critical systems, organize the surviving pieces of your network environment after a ransomware penetration, and assemble them into a functioning network.
Progent's security team uses powerful project management systems to coordinate the complex recovery process. Progent understands the importance of acting quickly and in unison with a client's management and IT staff to prioritize tasks and to bring key applications back online as soon as humanly possible.
Business Case Study: A Successful Ransomware Intrusion Recovery
A business sought out Progent after the company was brought down by Ryuk crypto-ransomware. Ryuk is thought to have been created by North Korean state cybercriminals, possibly using techniques leaked from the United States National Security Agency. Ryuk targets specific organizations with limited ability to sustain operational disruption and is among the most lucrative incarnations of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing business in the Chicago metro area with around 500 staff members. The Ryuk event had paralyzed all essential business and manufacturing operations. Most of the client's backups had been online when the intrusion began and were destroyed. The client was arranging financing to pay the ransom (more than two hundred thousand dollars) and hoping for the best, but in the end decided to engage Progent.
"I cannot thank you enough for the care Progent provided us throughout the most fearful period of (our) company's survival. We may have had to pay the cyber criminals except for the confidence the Progent team gave us. The fact that you were able to get our messaging and essential applications back faster than a week was earth shattering. Each staff member I talked with or texted at Progent was absolutely committed to getting our company operational and was working at all hours on our behalf."
Progent worked with the customer to quickly identify and prioritize the most important systems that had to be addressed in order to restart business operations:
- Windows Active Directory
- Exchange Server
To start, Progent followed ransomware incident mitigation best practices by stopping lateral movement and cleaning infected systems. Progent then began rebuilding Microsoft Active Directory, the core of enterprise environments built on Microsoft Windows technology. Exchange messaging will not function without Active Directory, and the customer's MRP applications used SQL Server, which relies on Active Directory to authorize access to the data.
In less than 2 days, Progent restored Active Directory to its pre-intrusion state. Progent then completed the rebuild and disk recovery of key systems. All Microsoft Exchange Server schema and configuration information was usable, which simplified the rebuild of Exchange. Progent was also able to locate unencrypted OST files (Outlook Offline Data Files) on user PCs and used them to recover email data. A reasonably recent offline backup of the client's financials/MRP software made it possible to bring these essential applications back into service. Although a large amount of work remained to recover fully from the Ryuk attack, critical systems were restored quickly:
"For the most part, the assembly line operation showed little impact and we delivered all customer shipments."
Over the following month, key milestones in the restoration process were completed in close collaboration between Progent consultants and the client:
- In-house web sites were brought back up without losing any information.
- The MailStore archive for Microsoft Exchange Server, containing more than four million historical messages, was restored to operation and made accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/AR/Inventory functions were completely operational.
- A new Palo Alto Networks 850 security appliance was brought online.
- 90% of user desktops and notebooks were back in use by staff.
"So much of what happened that first week is nearly entirely a haze for me, but my team will not soon forget the dedication each and every one of you accomplished to help get our company back. I have trusted Progent for the past ten years, maybe more, and each time Progent has come through and delivered as promised. This time was the most impressive ever."
A potential enterprise-killing catastrophe was averted thanks to hard-working experts, a wide array of IT skills, and tight collaboration. In retrospect, the ransomware attack described here would have been blocked by current cyber security solutions and ISO/IEC 27001 best practices, staff training, and properly executed procedures for data backup and security patching; the fact remains, however, that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and will keep attacking. If you are hit by a ransomware incursion, you can be confident that Progent's roster of professionals has substantial experience in ransomware defense, mitigation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), I'm grateful for letting me get rested after we got through the initial fire. All of you did a fabulous job, and if any of you guys are visiting the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Services in Beverly Hills
For ransomware recovery consulting services in the Beverly Hills area, call Progent at 800-462-8800 or see Contact Progent.