Ransomware: Your Worst Information Technology Disaster
Crypto-ransomware has become an all-too-frequent cyberplague that presents an existential threat to businesses poorly prepared for an assault. Ransomware families such as the Reveton, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been running rampant for many years and still inflict harm. More recent strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Egregor, plus others as yet unnamed, not only encrypt on-line data but also defeat many of the system protection mechanisms that organizations have configured. Files synchronized to off-site disaster recovery sites can also be ransomed. In a poorly designed data protection solution, this can make any recovery impossible and effectively set the entire system back to square one.
Recovering services and data after a crypto-ransomware outage becomes a sprint against time as the victim struggles to contain the damage, clean up the malware, and restore business-critical operations. Because ransomware needs time to spread, penetrations are often launched at night or on weekends, when attacks may take longer to notice. This multiplies the difficulty of rapidly assembling and coordinating a qualified mitigation team.
Progent offers an assortment of services for protecting Beverly Hills enterprises from crypto-ransomware attacks. Among these are user training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of next-generation security gateways with AI technology to intelligently discover and disable zero-day threats. Progent also offers the assistance of veteran ransomware recovery professionals with the talent and perseverance to re-deploy a breached system as soon as possible.
Progent's Ransomware Restoration Help
Following a ransomware attack, paying the ransom demand in Bitcoin cryptocurrency does not ensure that merciless criminals will provide the keys needed to decrypt all your files. Kaspersky found that 17% of crypto-ransomware victims never restored their data after having paid the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC (roughly $120,000 to $400,000). This is well above the average ransomware demand, which ZDNET determined to be around $13,000 for small businesses. The alternative is to piece back together the essential components of your Information Technology environment. Without access to essential data backups, this requires a broad complement of skill sets, well-coordinated team management, and the willingness to work continuously until the job is completed.
For two decades, Progent has provided expert IT services for businesses across the United States and has achieved Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have earned advanced industry certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications.) Progent also has experience with financial management and ERP applications. This breadth of expertise gives Progent the capability to efficiently identify important systems, organize the surviving components of your computer network environment following a crypto-ransomware penetration, and configure them into an operational network.
Progent's recovery group uses top-notch project management applications to orchestrate the complicated recovery process. Progent appreciates the importance of acting rapidly and together with a client's management and Information Technology staff to prioritize tasks and to put essential services back online as soon as humanly possible.
Customer Story: A Successful Crypto-Ransomware Attack Recovery
A small business escalated to Progent after their company was attacked by the Ryuk crypto-ransomware. Ryuk is thought to have been created by North Korean government-sponsored cybercriminals, suspected of using algorithms leaked from America's National Security Agency. Ryuk goes after specific businesses with little or no tolerance for operational disruption and is among the most lucrative iterations of ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company located in Chicago with about 500 staff members. The Ryuk attack had paralyzed all essential operations and manufacturing processes. The majority of the client's system backups had been directly accessible from the network at the beginning of the attack and were destroyed. The client was preparing to pay the ransom demand (more than $200K) and hope for good luck, but in the end made the decision to use Progent.
"I cannot speak enough about the help Progent gave us during the most stressful period of (our) business's existence. We would have had little choice but to pay the criminal gangs if it weren't for the confidence the Progent experts gave us. The fact that you were able to get our e-mail and critical servers back in less than one week was earth shattering. Each staff member I talked with or e-mailed at Progent was totally committed to getting my company operational and was working non-stop on our behalf."
Progent worked with the customer to quickly understand and prioritize the most important applications that needed to be restored in order to continue company functions:
- Active Directory (AD)
- Microsoft Exchange
To begin, Progent followed anti-virus incident response best practices by isolating and removing the active malware. Progent then started the work of restoring Active Directory, the core of enterprise environments built on Microsoft Windows technology. Microsoft Exchange Server email will not work without Active Directory, and the client's financial and MRP applications used Microsoft SQL Server, which depends on Active Directory services to authenticate users to the databases.
In less than 2 days, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then helped rebuild the most important systems and recover their storage. All Microsoft Exchange Server schema and configuration information was intact, which accelerated the rebuild of Exchange. Progent was also able to collect unencrypted OST files (Outlook Off-Line Data Files) from team PCs and laptops to recover mail data. A reasonably recent off-line backup of the business's manufacturing software made it possible to bring these vital programs back on-line. Although a large amount of work remained to recover completely from the Ryuk event, essential systems were returned to operation rapidly:
"For the most part, the production line operation did not miss a beat and we made all customer orders."
During the following month, important milestones in the recovery process were completed through tight collaboration between Progent consultants and the client:
- In-house web applications were restored with no loss of data.
- The MailStore archive for Microsoft Exchange Server, containing more than 4 million historical emails, was brought online and made available to users.
- CRM, Customer Orders, Invoicing, Accounts Payable, Accounts Receivable and Inventory capabilities were fully operational.
- A new Palo Alto 850 firewall was set up.
- Nearly all of the user desktops were operational.
"A huge amount of what went on those first few days is mostly a blur for me, but my team will not forget the dedication each and every one of the team put in to give us our business back. I have trusted Progent for at least 10 years, maybe more, and every time Progent has shone and delivered. This time was a Herculean accomplishment."
A likely enterprise-killing catastrophe was averted thanks to hard-working experts, a wide range of knowledge, and tight teamwork. Post-incident forensics showed that the crypto-ransomware incident detailed here could have been blocked with modern cyber security technology and best practices, staff training, and well thought out incident response procedures for data backup and software patching; nonetheless, the fact is that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by crypto-ransomware, remember that Progent's roster of experts has substantial experience in ransomware blocking, remediation, and data disaster recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thanks very much for allowing me to get rested after we got over the initial push. Everyone made a fabulous effort, and if anyone is around the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this ransomware incident report, see: Progent's Ryuk Virus Recovery Case Study Datasheet (PDF, 282 KB).