Crypto-Ransomware : Your Worst Information Technology Nightmare
Crypto-Ransomware has become a modern cyberplague that represents an enterprise-level threat for organizations unprepared for an attack. Different iterations of crypto-ransomware like the CryptoLocker, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for a long time and still inflict havoc. Modern versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, along with daily as yet unnamed viruses, not only encrypt on-line files but also infiltrate many configured system protection mechanisms. Data synched to off-site disaster recovery sites can also be rendered useless. In a poorly architected data protection solution, ransomware can render any restoration useless and basically set the network back to zero.
Recovering applications and data after a ransomware outage becomes a race against the clock as the victim struggles to stop lateral movement and clear the ransomware and to resume enterprise-critical activity. Since crypto-ransomware takes time to replicate, attacks are often launched at night, when penetrations are likely to take more time to detect. This compounds the difficulty of rapidly mobilizing and coordinating an experienced response team.
Progent provides a variety of services for protecting Bristol organizations from ransomware penetrations. These include user education to become familiar with and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of next-generation security gateways with machine learning technology to intelligently discover and suppress new threats. Progent also provides the services of seasoned ransomware recovery professionals with the skills and commitment to re-deploy a compromised system as quickly as possible.
Progent's Ransomware Restoration Services
Following a crypto-ransomware penetration, sending the ransom in cryptocurrency does not ensure that merciless criminals will respond with the needed codes to decipher all your data. Kaspersky ascertained that 17% of ransomware victims never recovered their files after having paid the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above the usual ransomware demands, which ZDNET estimated to be around $13,000 for small organizations. The other path is to set up from scratch the vital components of your Information Technology environment. Absent access to complete system backups, this calls for a wide complement of IT skills, well-coordinated project management, and the willingness to work 24x7 until the job is done.
For two decades, Progent has offered professional IT services for companies throughout the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have been awarded high-level certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have earned internationally-renowned certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience in accounting and ERP application software. This breadth of expertise gives Progent the ability to knowledgeably understand the necessary systems, consolidate the surviving components of your IT system after a crypto-ransomware event, and assemble them into an operational network.
Progent's ransomware group deploys best of breed project management tools to orchestrate the complicated recovery process. Progent knows the importance of working quickly and in concert with a client's management and Information Technology staff to prioritize tasks and to put essential services back on line as fast as possible.
Customer Case Study: A Successful Crypto-Ransomware Intrusion Restoration
A client hired Progent after their network was crashed by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean state sponsored hackers, possibly using techniques leaked from the United States NSA organization. Ryuk attacks specific businesses with limited room for disruption and is among the most profitable incarnations of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company located in Chicago with about 500 workers. The Ryuk penetration had brought down all company operations and manufacturing capabilities. Most of the client's backups had been on-line at the start of the intrusion and were eventually encrypted. The client was taking steps to pay the ransom demand (exceeding $200,000) and praying for good luck, but in the end engaged Progent.
"I cannot speak enough in regards to the help Progent provided us during the most fearful time of (our) company's life. We would have paid the cyber criminals except for the confidence the Progent experts provided us. That you could get our messaging and important applications back on-line quicker than 1 week was earth shattering. Every single staff member I got help from or messaged at Progent was amazingly focused on getting our system up and was working 24/7 on our behalf."
Progent worked with the client to quickly understand and prioritize the most important areas that had to be addressed to make it possible to continue departmental operations:
- Active Directory (AD)
- Electronic Mail
- MRP System
To begin, Progent followed industry best practices for AV/malware incident mitigation by isolating and removing active viruses. Progent then initiated the work of bringing back online Microsoft Active Directory, the foundation of enterprise networks built on Microsoft Windows technology. Microsoft Exchange Server messaging will not function without Active Directory, and the business's financials and MRP system relied on Microsoft SQL Server, which needs Active Directory for access to the data.
In less than 48 hours, Progent was able to restore Active Directory services to their pre-virus state. Progent then charged ahead with setup and storage recovery on mission critical applications. All Exchange connections and attributes in Active Directory were intact, which greatly helped the Exchange restore. Progent was able to find local OST files (Microsoft Outlook Off-Line Data Files) on various desktop computers to recover email information. A fairly recent offline backup of the customer's financials/ERP software made it possible to bring these vital programs back on-line. Although major work remained to recover completely from the Ryuk attack, critical services were returned to operation rapidly:
"For the most part, the assembly line operation was never shut down and we made all customer orders."
Throughout the following couple of weeks, important milestones in the recovery process were completed through tight collaboration between Progent engineers and the client:
- Self-hosted web applications were brought back up with no loss of data.
- The MailStore email archive server, holding more than four million historical emails, was brought on-line and made available to users.
- CRM/Customer Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory Control modules were 100 percent recovered.
- A new Palo Alto 850 security appliance was installed and configured.
- 90% of the desktop computers were fully operational.
"So much of what occurred during the initial response is nearly entirely a blur for me, but we will not soon forget the urgency each of the team accomplished to help get our company back. I have been working together with Progent for at least 10 years, possibly more, and every time Progent has come through and delivered as promised. This event was no exception but maybe more Herculean."
A possible business-killing catastrophe was dodged due to dedicated professionals, a broad range of subject matter expertise, and close teamwork. Forensics later showed that the ransomware attack detailed here would have been identified and disabled by modern cyber security technology, recognized best practices, user education, and well designed procedures for information backup and patching controls. The reality, however, is that government-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware penetration, feel confident that Progent's roster of experts has extensive experience in ransomware virus defense, removal, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thanks very much for letting me get rested after we made it past the most critical parts. Everyone did an amazing effort, and if anyone is around the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)