Crypto-Ransomware : Your Worst IT Catastrophe
Ransomware has become a modern cyberplague that poses an extinction-level danger to organizations vulnerable to an attack. Crypto-ransomware families such as Dharma, CryptoWall, Locky, Syskey and the MongoLock cryptoworms have been circulating for a long time and still inflict damage. More recent variants such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, along with as yet unnamed newcomers appearing daily, not only encrypt critical online data but also infiltrate any system backup they can reach. Data synchronized to the cloud can also be rendered useless. In a poorly architected data protection solution this can make any restore operation impossible, effectively knocking the network back to square one.
Getting services and data back online after a crypto-ransomware outage becomes a race against time as the targeted organization tries to contain the damage, clear the ransomware and restore business-critical operations. Because ransomware needs time to spread, attacks are usually sprung on weekends, when intrusions tend to take longer to detect. This multiplies the difficulty of rapidly assembling and organizing a qualified mitigation team.
Progent offers a range of services for protecting Birmingham enterprises from ransomware attacks. These include staff training to recognize and avoid phishing scams, and ProSight Active Security Monitoring (ASM) for endpoint detection and response, which uses SentinelOne's AI-based cyberthreat protection to detect and quarantine zero-day malware attacks. Progent also offers the services of expert ransomware recovery consultants with the track record and perseverance to restore a breached system as urgently as possible.
Progent's Crypto-Ransomware Recovery Services
After a crypto-ransomware attack, paying the ransom in cryptocurrency does not guarantee that the cyber criminals will respond with the keys to decrypt all your data. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their data even after sending off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the average ransomware demand, which ZDNET determined to be around $13,000 for small businesses. The other path is to piece the mission-critical parts of your IT environment back together. Without usable backups of essential data, this calls for a wide complement of skills, top-notch team management, and the ability to work non-stop until the job is done.
For two decades, Progent has offered certified expert IT services to companies across the U.S. and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who hold advanced certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts hold internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience with financial systems and ERP software solutions. This breadth of experience gives Progent the skills to quickly understand critical systems, consolidate the remaining pieces of your IT environment after a ransomware penetration, and configure them into a functioning system.
Progent's recovery group uses powerful project management tools to coordinate the complex restoration process. Progent understands the importance of acting rapidly and working together with a customer's management and IT staff to prioritize tasks and get the most important services back online as soon as possible.
Client Case Study: A Successful Ransomware Incident Response
A client hired Progent after their network was taken over by Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state-sponsored hackers, possibly adopting techniques leaked from the United States National Security Agency. Ryuk targets specific businesses with limited tolerance for operational disruption and is among the most profitable incarnations of ransomware. High-profile victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company located in Chicago with around 500 employees. The Ryuk intrusion had brought down all company operations and manufacturing processes. Most of the client's backups had been online at the start of the attack and were encrypted. The client was actively seeking loans to pay the ransom (more than two hundred thousand dollars) and hoping for good luck, but ultimately engaged Progent.
"I can't speak enough about the support Progent provided us during the most stressful period of (our) company's existence. We most likely would have paid the hackers behind this attack if it wasn't for the confidence the Progent group gave us. The fact that you could get our e-mail and essential applications back in less than seven days was amazing. Each expert I interacted with or communicated with at Progent was absolutely committed to getting us working again and was working day and night to bail us out."
Progent worked hand in hand with the client to quickly identify and prioritize the critical applications that had to be addressed in order to continue business functions:
- Windows Active Directory
- Electronic Messaging
To begin, Progent followed industry best practices for malware incident response by stopping the spread and cleaning up infected systems. Progent then began the work of recovering Microsoft Active Directory, the foundation of enterprise networks built on Microsoft Windows. Exchange messaging will not operate without Active Directory, and the client's MRP system relied on Microsoft SQL Server, which needs Windows AD for access to the database.
In less than two days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then began rebuilding critical servers and recovering their hard drives. All Exchange data and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was also able to collect intact OST files (Microsoft Outlook Offline Data Files) from staff desktop computers in order to recover mail data. A relatively recent offline backup of the client's accounting/ERP systems made it possible to bring these essential services back online. Although major work remained to recover fully from the Ryuk event, essential systems were recovered quickly:
"For the most part, the production manufacturing operation never missed a beat and we produced all customer orders."
Over the next few weeks, key milestones in the recovery project were reached in close cooperation between Progent engineers and the client:
- Internal web sites were returned to operation without losing any data.
- The MailStore Server containing more than 4 million historical messages was restored to operations and available for users.
- CRM/Orders/Invoicing/Accounts Payable/Accounts Receivable (AR)/Inventory capabilities were fully recovered.
- A new Palo Alto Networks 850 firewall was installed.
- 90% of the desktop computers were back into operation.
"A huge amount of what was accomplished in the early hours is nearly entirely a fog for me, but we will not forget the dedication each and every one of your team accomplished to help get our business back. I have trusted Progent for at least 10 years, possibly more, and each time I needed help Progent has impressed me and delivered. This event was a testament to your capabilities."
A potential business catastrophe was averted thanks to dedicated professionals, a broad range of IT skills, and tight collaboration. Although the post-incident forensics showed that the crypto-ransomware incident detailed here would have been identified and stopped by advanced cyber security solutions and ISO/IEC 27001 best practices, user training, and appropriate incident response procedures for data backup and keeping systems up to date with security patches, the reality remains that government-sponsored cybercriminals from China, North Korea and elsewhere are tireless and an ongoing threat. If you do fall victim to a ransomware attack, you can be confident that Progent's roster of professionals has a proven track record in ransomware blocking, cleanup, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were helping), thank you for making it so I could get some sleep after we made it past the first week. All of you did an amazing job, and if any of your guys is around the Chicago area, a great meal is the least I can do!"
Download the Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this ransomware incident report, see Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Restoration Consulting Services in Birmingham
For ransomware recovery services in the Birmingham metro area, call Progent at 800-462-8800 or visit Contact Progent.