Crypto-Ransomware : Your Feared IT Catastrophe
Crypto-ransomware has become an escalating cyberplague that poses an existential threat to businesses of any size that are unprepared for an attack. Families such as CryptoLocker, CryptoWall, Bad Rabbit, SamSam and MongoLock have been around for years and still cause damage. More recent variants such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, along with unnamed newcomers appearing daily, not only encrypt online files but also actively disable or evade much of the endpoint protection they encounter. Data replicated to off-site disaster recovery sites can be ransomed as well, because replication faithfully copies the encrypted files. In a poorly designed system this makes automatic restoration impossible and effectively knocks the entire environment back to zero.
Recovering applications and data after a ransomware intrusion is a race against time: the targeted organization has to contain and eradicate the malware while restoring business-critical activity. Because encrypting an entire estate takes hours, attackers typically detonate the ransomware on weekends or holidays, when a successful attack is likely to go unnoticed for longer. That also makes it harder to quickly assemble and coordinate a capable response team.
Progent offers a range of services for protecting Bristol organizations from ransomware attacks, including staff training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security gateways with machine-learning detection to automatically identify and block new attacks. Progent also provides expert ransomware recovery engineers with the skill and commitment to rebuild a breached environment as quickly as possible.
Progent's Crypto-Ransomware Restoration Help
Following a crypto-ransomware attack, paying the ransom in cryptocurrency does not guarantee that the attackers will hand over working keys to decrypt all your data. Kaspersky Lab found that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The ransom itself is also expensive: Ryuk demands often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical demand, which ZDNet put at around $13,000 for small organizations. The alternative is to rebuild the key components of your IT environment from scratch. Without complete, uninfected backups, this requires a broad set of skills, professional project management, and the ability to work around the clock until the job is done.
For two decades, Progent has provided certified IT services for businesses across the U.S. and holds Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals with high-level certifications in key technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's security engineers hold internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC and SANS GIAC (see Progent's certifications). Progent also has experience with financial management and ERP software. This breadth of expertise lets Progent quickly identify the systems that matter, salvage the surviving pieces of your network after a crypto-ransomware event, and rebuild them into a working environment.
Progent's security team uses modern project management tools to coordinate the complex restoration process. Progent understands the importance of working quickly and in concert with the client's management and IT staff to prioritize tasks and bring critical applications back online as soon as possible.
Client Case Study: A Successful Ransomware Virus Restoration
A customer contacted Progent after their network was brought down by the Ryuk ransomware. Ryuk was initially linked to North Korean state actors because it shares code with the earlier Hermes ransomware; most later analysis attributes it to a Russian-speaking criminal group. Ryuk targets specific organizations with little tolerance for operational disruption and is among the most profitable ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturer based in Chicago with around 500 employees. The Ryuk incident shut down all company operations and manufacturing. Most of the client's backups were online and reachable from the compromised network at the time of the intrusion, so they were encrypted as well. The client was actively seeking loans to pay the ransom (more than $200,000) and hoping for the best, but ultimately reached out to Progent.
"I cannot speak enough in regards to the care Progent gave us throughout the most stressful time of (our) businesses life. We most likely would have paid the Hackers if it wasn't for the confidence the Progent team gave us. The fact that you were able to get our e-mail and critical servers back sooner than a week was earth shattering. Each person I interacted with or communicated with at Progent was absolutely committed on getting us back on-line and was working day and night to bail us out."
Progent worked with the client to quickly understand and prioritize the key systems that had to be addressed before company operations could resume:
- Microsoft Active Directory
- Microsoft Exchange Email
To begin, Progent followed malware incident-response best practices by isolating and cleaning infected systems. Progent then started restoring Windows Active Directory, the core of any Microsoft-based enterprise network: Microsoft Exchange will not run without AD, and the customer's accounting and MRP system used Microsoft SQL Server, which relied on Active Directory for authentication to the databases.
Within two days, Progent had restored Windows Active Directory to its pre-attack state, then reinstalled essential applications and recovered their storage. All Exchange schema and configuration data were intact, which simplified the Exchange restore. Progent located unencrypted OST files (Outlook offline folder files) on various workstations and laptops and used them to recover mailbox data. A reasonably recent offline backup of the client's financials/ERP software made it possible to bring those essential services back online for users. Although a great deal of work remained to recover fully from the Ryuk attack, the most important systems were back quickly:
"For the most part, the production operation showed little impact and we did not miss any customer deliverables."
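The OST salvage step above is a practical one: ransomware that overwrites a file destroys the fixed header every Outlook data file carries, so surviving copies can be triaged by header alone, without knowing which extension the strain appended. The script below is an added example written for this page, not Progent's tooling. It assumes the endpoint profiles have been copied into one directory tree and builds its own constructed sample files; the only fact it relies on is the "!BDN" signature that every PST/OST begins with.

```python
"""Triage Outlook OST/PST files on recovered endpoints after ransomware.

Added example for this case study (not Progent's code). Assumptions:
the scan root is a directory tree of copied user profiles, and an
encrypted file is recognised by its header alone, so no strain-specific
extension list is needed.
"""
import tempfile
from pathlib import Path

# Every Outlook PST/OST begins with the 4-byte signature "!BDN"
# (dwMagic 0x4E444221 in the [MS-PST] header, little-endian on disk).
# A file whose body has been overwritten by ransomware no longer starts
# with these bytes. Caveat: strains that encrypt only part of a file and
# skip the first bytes would pass this check, so treat "intact" as a
# candidate to open and verify, not as proof.
PST_MAGIC = b"!BDN"
MAILBOX_SUFFIXES = (".ost", ".pst")


def looks_like_mailbox_file(path: Path) -> bool:
    """Match 'outlook.ost' and renamed copies such as 'outlook.ost.locked'."""
    name = path.name.lower()
    return any(suffix in name for suffix in MAILBOX_SUFFIXES)


def classify(path: Path) -> str:
    """Return 'intact', 'encrypted' or 'empty' based only on the header."""
    with path.open("rb") as fh:
        head = fh.read(len(PST_MAGIC))
    if len(head) < len(PST_MAGIC):
        return "empty"
    return "intact" if head == PST_MAGIC else "encrypted"


def triage(root) -> dict:
    """Walk `root` and bucket every OST/PST candidate by recoverability."""
    root = Path(root)
    buckets = {"intact": [], "encrypted": [], "empty": []}
    for path in sorted(root.rglob("*")):
        if path.is_file() and looks_like_mailbox_file(path):
            buckets[classify(path)].append(path.relative_to(root).as_posix())
    return buckets


def build_sample_tree(root) -> None:
    """Constructed sample data (not real mailboxes): four user profiles."""
    root = Path(root)
    filler = bytes(range(0x10, 0x50))  # deterministic, does not start with "!BDN"
    samples = {
        "alice/Outlook/alice.ost": PST_MAGIC + b"\x00" * 60,   # intact cache
        "bob/Outlook/bob.ost.locked": filler,                   # overwritten and renamed
        "carol/Archive/2019.pst": PST_MAGIC + b"\x00" * 60,     # intact archive
        "dave/Outlook/dave.ost": b"",                           # zero-byte stub
    }
    for rel, body in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)


def run_demo() -> dict:
    """Build the sample tree in a temp dir, triage it, and return the buckets."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for bucket, files in run_demo().items():
        print(f"{bucket:9s} {len(files)}")
        for name in files:
            print(f"          {name}")
```

Work from read-only copies of the files, never the originals on the endpoint. An intact OST is bound to the mailbox profile that created it, so getting mail out of it means opening it with that profile against the rebuilt mailbox or converting it with a dedicated tool; a PST archive can be imported directly.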
Over the next month important milestones in the restoration process were achieved through close cooperation between Progent consultants and the client:
- Self-hosted web sites were brought back up without losing any information.
- The MailStore email archive, holding over 4 million historical emails, was brought back up and made available to users.
- CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables/Inventory modules were 100% functional.
- A new Palo Alto 850 firewall was set up and programmed.
- Nearly all of the desktops and laptops were back into operation.
"So much of what happened those first few days is nearly entirely a haze for me, but my management will not forget the commitment all of you accomplished to give us our business back. I've been working with Progent for the past 10 years, maybe more, and every time I needed help Progent has shined and delivered. This event was no exception but maybe more Herculean."
A likely business-ending disaster was averted thanks to top-tier professionals, a broad spectrum of IT skills, and tight collaboration. The post-incident review showed that this attack would have been stopped by current security tooling and recognized best practices: staff training, sound patching controls, and backups kept offline or otherwise unreachable from the production network. Even so, well-funded criminal and state-backed attackers operating from Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a crypto-ransomware intrusion, Progent's team has substantial experience in ransomware prevention, mitigation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thank you for allowing me to get some sleep after we got over the first week. Everyone did a fabulous job, and if any of your team is around the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)