Crypto-Ransomware: Your Feared IT Catastrophe
Ransomware has become an escalating cyber plague that presents an enterprise-level danger for organizations unprepared for an attack. Earlier families such as CryptoLocker, Fusob, Locky, NotPetya and MongoLock have been circulating for years and continue to inflict harm. Modern crypto-ransomware strains such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Conti and Nefilim, along with newer malware that has yet to be named, not only encrypt online data but also encrypt or delete any backups reachable from the compromised network, including files synchronized to cloud storage. In a poorly designed environment this defeats automated recovery and effectively knocks the network back to zero.
Bringing applications and data back online after a ransomware attack becomes a sprint against the clock as the targeted business struggles to contain the damage, clean up the ransomware and resume business-critical activity. Because an intrusion needs time to spread laterally before encryption is triggered, attackers often detonate the ransomware on nights and weekends, when a successful attack typically takes longer to recognize. This compounds the difficulty of promptly mobilizing and orchestrating an experienced mitigation team.
Progent offers a variety of support services for protecting Birmingham organizations from ransomware attacks. Among these are staff training to recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security products that use machine learning to detect and contain new attacks automatically. Progent also offers veteran ransomware recovery engineers with the track record and perseverance to rebuild a breached system as quickly as possible.
Progent's Crypto-Ransomware Restoration Support Services
Following a ransomware event, even paying the ransom in Bitcoin does not guarantee that the criminals will hand over keys that decrypt any or all of your data. Kaspersky found that seventeen percent of crypto-ransomware victims never recovered their files even after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at around $13,000 for small businesses. The alternative is to rebuild the essential parts of your IT environment. Without complete, uncompromised backups this requires a broad set of skills, professional project management, and the ability to work around the clock until the recovery is complete.
For two decades, Progent has provided certified IT services to companies throughout the United States and holds Microsoft Partner competencies in Datacenter and Cloud Productivity. Progent's team of subject matter experts includes consultants with high-level certifications in key technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's cybersecurity specialists hold internationally recognized industry certifications including CISM, CISSP, CRISC and GIAC (see Progent's certifications). Progent also has expertise with accounting and ERP applications. This breadth of experience allows Progent to identify the systems that matter, reorganize the surviving components of your network after a ransomware intrusion, and assemble them into a functioning system.
Progent's ransomware team uses best-of-breed project management tools to orchestrate the complex recovery process. Progent understands the urgency of working swiftly and in unison with a client's management and IT staff to prioritize tasks and restore essential services as soon as possible.
Business Case Study: A Successful Ransomware Response
A business engaged Progent after its network was taken over by the Ryuk ransomware. Ryuk was initially linked to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; later analysis attributes it to a Russian-speaking criminal group. Ryuk targets specific organizations with little tolerance for operational disruption and is among the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and Tribune Publishing, owner of the Chicago Tribune. Progent's customer is a small manufacturer in the Chicago area with around 500 employees. The Ryuk infection had paralyzed all business operations and manufacturing processes. Most of the client's backups had been directly reachable from the network at the time of the attack and were encrypted along with everything else. The client was preparing to pay the ransom (more than $200,000) and hope for the best, but in the end called Progent.
"I can't tell you enough in regards to the support Progent provided us throughout the most fearful period of (our) company's existence. We had little choice but to pay the hackers behind this attack if not for the confidence the Progent team afforded us. The fact that you could get our messaging and critical applications back into operation in less than five days was amazing. Each consultant I interacted with or e-mailed at Progent was totally committed on getting our company operational and was working non-stop to bail us out."
Progent worked hand in hand with the customer to quickly identify and prioritize the mission-critical elements that had to be addressed before departmental functions could resume:
- Windows Active Directory
- Electronic messaging (Exchange)
- MRP system
First, Progent followed standard incident-response practice: isolating affected systems to halt lateral movement and cleaning compromised hosts. Progent then began restoring Microsoft Active Directory, the foundation of an enterprise environment built on Windows. Exchange Server will not run without Active Directory, and the client's MRP software ran on Microsoft SQL Server configured for Windows (Active Directory) authentication, so neither application could come back before the directory did.
Within two days, Progent had rebuilt Windows Active Directory to its pre-attack state. Progent then performed reinstallations and storage recovery on mission-critical systems. All Exchange Server data and configuration information were intact, which accelerated the Exchange restore. Because the Outlook offline cache (OST) files on staff PCs and laptops had not been encrypted, Progent was able to collect them and recover email messages from them. A recent offline backup of the customer's accounting/MRP system made it possible to return those essential services to users. Although much work remained to recover fully from the Ryuk attack, core systems were restored quickly:
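The OST collection step above is the kind of task that is worth scripting during an incident. The following PowerShell is an added example, not Progent's own tooling or anything from the case study: it walks the user profiles on a list of already isolated and cleaned workstations, checks that each OST/PST still starts with the Outlook file signature "!BDN" (a file overwritten in place by an encryptor no longer carries it), and copies only the intact ones to a quarantined recovery share with a hash manifest. The host names, the recovery share path and the manifest file name are assumptions.

```powershell
<#
  Added example, not Progent's own tooling: collect Outlook offline cache (OST/PST) files
  from workstations after containment, verify each still carries the Outlook file
  signature, and copy the intact ones to a quarantined recovery share with a manifest.
  The workstation names and the recovery share below are assumptions.
#>
param(
    [string[]]$ComputerName = @('WS-001', 'WS-002'),      # assumed workstation names
    [string]$RecoveryShare  = '\\recovery01\ost-rescue'    # assumed quarantined share
)

# Outlook PST/OST files start with the ASCII signature "!BDN" (0x21 0x42 0x44 0x4E).
$OutlookSignature = [byte[]](0x21, 0x42, 0x44, 0x4E)

function Test-OutlookSignature {
    param([Parameter(Mandatory)][string]$Path)
    # Share ReadWrite so a lingering Outlook lock does not block reading the header.
    $stream = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read,
                                     [System.IO.FileShare]::ReadWrite)
    try {
        $header = New-Object byte[] 4
        if ($stream.Read($header, 0, 4) -lt 4) { return $false }   # truncated file
        for ($i = 0; $i -lt 4; $i++) {
            if ($header[$i] -ne $OutlookSignature[$i]) { return $false }
        }
        return $true
    }
    finally { $stream.Dispose() }
}

$manifest = foreach ($pc in $ComputerName) {
    # Reach profiles through the admin share; the host must already be isolated and cleaned.
    $usersRoot = "\\$pc\C$\Users"
    if (-not (Test-Path -LiteralPath $usersRoot)) {
        Write-Warning "Cannot reach $usersRoot; skipping $pc"
        continue
    }
    Get-ChildItem -LiteralPath $usersRoot -Recurse -File -Include '*.ost', '*.pst' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $relative = $_.FullName.Substring($usersRoot.Length).TrimStart('\')
            $user     = $relative.Split('\')[0]          # profile folder name
            $intact   = Test-OutlookSignature -Path $_.FullName
            $record = [pscustomobject]@{
                Computer  = $pc
                User      = $user
                Source    = $_.FullName
                SizeBytes = $_.Length
                Intact    = $intact
                Sha256    = $null
                Copied    = $null
            }
            if ($intact) {
                # Copy, never move, so the original stays in place for forensics.
                $destDir = Join-Path $RecoveryShare (Join-Path $pc $user)
                New-Item -ItemType Directory -Path $destDir -Force | Out-Null
                $dest = Join-Path $destDir $_.Name
                Copy-Item -LiteralPath $_.FullName -Destination $dest -Force
                # Hash the copy so its integrity can be re-checked before import into Exchange/Outlook.
                $record.Sha256 = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
                $record.Copied = $dest
            }
            $record
        }
}

$manifest | Export-Csv -LiteralPath (Join-Path $RecoveryShare 'ost-manifest.csv') -NoTypeInformation
$manifest | Format-Table Computer, User, Intact, SizeBytes, Copied -AutoSize
```

Two caveats when using something like this. Most encryptors rename files as they go, so an encrypted OST will usually not match `*.ost` at all; the signature check catches the case where the file was overwritten in place but the name survived, and the manifest shows which users have no intact cache so that those mailboxes are known to need another source. An OST also holds only the portion of the mailbox that Cached Exchange Mode had synchronized, not the whole mailbox history, so it complements rather than replaces a server-side restore or an archive such as MailStore.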
"For the most part, the production line operation ran fairly normal throughout and we did not miss any customer deliverables."
Over the following weeks, the critical milestones of the restoration project were completed through close collaboration between Progent engineers and the customer:
- Internal web sites were brought back up without losing any data.
- The MailStore email archive server, holding over 4 million archived Exchange messages, was brought online and made accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory Control capabilities were 100% functional.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- Ninety percent of user desktops and notebooks were back in operation.
"Much of what went on that first week is mostly a haze for me, but I will not soon forget the countless hours each of the team put in to help get our business back. I have been working with Progent for the past 10 years, possibly more, and each time I needed help Progent has shined and delivered as promised. This situation was the most impressive ever."
A potentially business-ending catastrophe was averted through top-tier expertise, a broad range of subject matter knowledge, and close collaboration. In hindsight, the intrusion described here should have been blocked by modern security tooling and security best practices, staff training, backups kept offline or otherwise isolated from the production network, timely patching, and a practiced incident response plan; the fact remains that state-sponsored and criminal attackers operating from Russia, North Korea and elsewhere are tireless and an ongoing threat. If you do fall victim to ransomware, be assured that Progent's team has proven experience in ransomware defense, remediation and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for allowing me to get rested after we made it through the initial push. Everyone did an amazing effort, and if anyone that helped is visiting the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB)