Crypto-Ransomware: Your Feared Information Technology Catastrophe
Crypto-ransomware has become an escalating cyberplague that poses an existential danger to businesses of every size that are unprepared for an attack. Older ransomware families such as Dharma, WannaCry (a self-propagating cryptoworm), Locky, Syskey and MongoLock have been circulating for years and still cause harm. Newer strains such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, along with a steady stream of unnamed newcomers, not only encrypt online data but also seek out and encrypt any backups reachable from the compromised network. Data synchronized to cloud environments can be corrupted as well, since the sync client faithfully uploads the encrypted versions. In a poorly architected data protection solution, where every backup copy is writable from the production network, this renders automated restore operations useless and effectively sets the entire system back to zero. The practical check is simple: if a backup target can be browsed and written to from an ordinary domain account or from the backup server itself, ransomware running in that context can encrypt it, so at least one copy must be offline, immutable, or otherwise unreachable from production credentials.
Recovering applications and data after a crypto-ransomware outage becomes a sprint against time as the victim struggles to contain the damage, clean up the ransomware, and restore business-critical activity. Because encrypting a large environment takes time, attackers frequently trigger the encryption at night or over weekends, when the activity is less likely to be noticed before it completes. This compounds the difficulty of rapidly mobilizing and coordinating an experienced response team.
Progent offers an assortment of services for protecting Brooklyn businesses from ransomware attacks. These include user education to recognize and avoid phishing scams, and ProSight Active Security Monitoring (ASM), an endpoint detection and response (EDR) service built on SentinelOne's AI-based threat protection to identify and stop zero-day malware attacks. Progent can also provide experienced crypto-ransomware recovery consultants with the skills and commitment to bring a compromised system back online as quickly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the remote criminals will deliver working keys to decrypt any of your files. Kaspersky Labs estimated that 17% of ransomware victims never recovered their files even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time). This is far above the average crypto-ransomware demand, which ZDNet estimated at around $13,000 for small businesses. The alternative is to piece back together the essential elements of your IT environment. Without usable backups, this calls for a wide range of skills, disciplined project management, and the capacity to work around the clock until the job is done.
For decades, Progent has provided expert IT services to companies throughout the United States and has earned Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants holding advanced industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity engineers hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with accounting and ERP applications. This breadth of experience gives Progent the skills to rapidly identify critical systems, salvage the surviving parts of your network after a ransomware intrusion, and rebuild them into a working environment.
Progent's recovery team uses proven project management practices to coordinate the complex recovery process. Progent understands the urgency of working quickly and in step with a customer's management and IT staff to prioritize tasks and get key applications back online as fast as possible.
Customer Case Study: A Successful Crypto-Ransomware Intrusion Response
A small business contacted Progent after its network was attacked by the Ryuk ransomware. Early analysis linked Ryuk to North Korean state hackers because it shares code with the Hermes ransomware; it is now generally attributed to a Russian-speaking criminal group. Ryuk targets specific organizations with limited ability to tolerate disruption and is one of the most lucrative ransomware families in operation. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturer in Chicago with around 500 employees. The Ryuk attack had paralyzed all business and manufacturing operations. Most of the client's backups were reachable from the compromised network at the start of the intrusion and were eventually encrypted. The client considered paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.
"I cannot speak enough about the care Progent provided us during the most stressful period of (our) company's existence. We would have had little choice but to pay the hackers if it weren't for the confidence the Progent group afforded us. That you could get our e-mail system and critical applications back online in less than a week was amazing. Every single person I spoke to or texted at Progent was totally committed to getting us restored and was working at all hours to bail us out."
Progent worked with the customer to rapidly identify and prioritize the most important services that had to be restored for departmental functions to continue:
First, Progent followed incident response best practices by isolating affected systems to stop the spread and then cleaning the infected hosts. Progent next began recovering Microsoft Active Directory, the foundation of an enterprise environment built on Microsoft Windows. Microsoft Exchange email will not operate without Active Directory, and the company's accounting and MRP system ran on Microsoft SQL Server, which relied on Active Directory for authentication and authorization to the data.
- Microsoft Active Directory
In less than two days, Progent restored Active Directory to its pre-attack state. Progent then assisted with the rebuild and storage recovery of the most important systems. All Exchange Server connections and configuration data were intact, which simplified the rebuild of Exchange. Progent collected unencrypted OST files (Outlook Offline Data Files) from staff workstations to recover email messages. A reasonably recent offline backup of the client's financial/ERP systems made it possible to bring these vital applications back online for users. Although significant work remained to recover fully from the Ryuk incident, essential services were returned to operation rapidly:
"For the most part, the manufacturing operation showed little impact and we did not miss any customer shipments."
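The OST harvest described above depends on telling which workstation mail files survived and which were overwritten by the ransomware. The following script is an added illustration, not Progent's tooling or anything from the original page: it walks a directory tree, flags files by the signature that every Outlook OST/PST file carries in its first four bytes ("!BDN"), and treats a missing signature plus a high-entropy header as a sign the bytes have been replaced by ciphertext. The ".RYK" suffix check reflects the extension Ryuk appends to files it encrypts; the 7.5-bit entropy threshold, the 4 KB sample size, and the sample file tree built by `build_sample_tree` are assumptions constructed for the demo.

```python
from __future__ import annotations

import math
import os
import tempfile
from pathlib import Path

# Every Outlook PST/OST file begins with this 4-byte magic (MS-PST "dwMagic").
OUTLOOK_MAGIC = b"!BDN"
# Ryuk appends this extension to the files it encrypts.
RYUK_EXT = ".ryk"
# Assumed thresholds for this demo: a 4 KB header sample and an entropy cut-off
# of 7.5 bits/byte, above which the header looks like ciphertext or random data.
SAMPLE_SIZE = 4096
ENTROPY_CUTOFF = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the given buffer (0.0 for empty or constant data)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_outlook_file(path: Path) -> str:
    """Return 'intact', 'encrypted' or 'unknown' for a candidate OST/PST file."""
    if path.name.lower().endswith(RYUK_EXT):
        return "encrypted"          # renamed by Ryuk: no need to read it
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_SIZE)
    if head.startswith(OUTLOOK_MAGIC):
        return "intact"             # Outlook header survived
    if shannon_entropy(head) > ENTROPY_CUTOFF:
        return "encrypted"          # header replaced by high-entropy bytes
    return "unknown"                # truncated, zeroed or otherwise damaged


def triage_mail_stores(root: Path) -> dict[str, list[Path]]:
    """Walk root and bucket every .ost/.pst (or Ryuk-renamed copy) by its state."""
    result: dict[str, list[Path]] = {"intact": [], "encrypted": [], "unknown": []}
    for p in root.rglob("*"):
        low = p.name.lower()
        if p.is_file() and low.endswith((".ost", ".pst", ".ost" + RYUK_EXT, ".pst" + RYUK_EXT)):
            result[classify_outlook_file(p)].append(p)
    return result


def build_sample_tree(root: Path) -> None:
    """Constructed sample data standing in for harvested workstation profiles."""
    (root / "alice").mkdir()
    (root / "alice" / "alice.ost").write_bytes(OUTLOOK_MAGIC + b"\x00" * (SAMPLE_SIZE - 4))
    (root / "bob").mkdir()
    (root / "bob" / "bob.ost.RYK").write_bytes(os.urandom(SAMPLE_SIZE))      # renamed by Ryuk
    (root / "carol").mkdir()
    (root / "carol" / "carol.pst").write_bytes(os.urandom(SAMPLE_SIZE))      # overwritten, not renamed
    (root / "dave").mkdir()
    (root / "dave" / "dave.ost").write_bytes(b"\x00" * SAMPLE_SIZE)          # zeroed/damaged
    (root / "dave" / "notes.txt").write_bytes(b"not a mail store")           # ignored


def run_demo() -> dict[str, list[str]]:
    """Build the sample tree in a temp dir, triage it, and return file names per state."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        buckets = triage_mail_stores(root)
        return {state: sorted(p.name for p in paths) for state, paths in buckets.items()}


if __name__ == "__main__":
    for state, names in run_demo().items():
        for name in names:
            print(f"{state:9s} {name}")
```

In a real engagement the "intact" bucket is what gets copied to clean storage for import into the rebuilt mailboxes; "unknown" files deserve a manual look before being discarded, since a zeroed or truncated header can also come from an interrupted copy rather than from the ransomware.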
Over the following month, key milestones in the recovery were reached through close cooperation between Progent consultants and the customer:
- In-house web sites were brought back up without losing any data.
- The MailStore Server archive, holding more than 4 million emails, was brought back up and made available to users.
- The CRM/Orders/Invoicing/Accounts Payable/AR/Inventory Control modules were fully operational.
- A new Palo Alto Networks PA-850 firewall was brought online.
- Nearly all of the desktop computers were back in use by staff.
"A huge amount of what occurred those first few days is mostly a blur for me, but my team will not soon forget the urgency each of your team put in to help get our company back. I have been working with Progent for at least 10 years, maybe more, and every time I needed help Progent has impressed me and delivered. This situation was the most impressive ever."
A potentially company-ending disaster was averted through top-tier professionals, a broad spectrum of subject matter expertise, and tight collaboration. In hindsight, the incident described here should have been prevented by current security technology and best practices, user and IT administrator education, and properly executed procedures for data protection (including backups not reachable from the production network) and software patching. The fact remains that both criminal ransomware gangs and state-sponsored actors are relentless and will keep attacking. If you do fall victim to ransomware, be assured that Progent's roster of experts has a proven track record in ransomware defense, cleanup, and data restoration.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thanks very much for making it so I could get some sleep after we made it over the first week. Everyone did an amazing job, and if any of your team is in the Chicago area, a great meal is on me!"
Download the Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this customer story, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Restoration Services in Brooklyn
For ransomware system restoration consulting services in the Brooklyn area, call Progent at 800-462-8800 or see Contact Progent.