Crypto-Ransomware : Your Crippling IT Catastrophe
Crypto-ransomware has become an escalating cyber pandemic and represents an enterprise-level danger for organizations unprepared for an attack. Ransomware families such as CrySIS, WannaCry, Bad Rabbit, Syskey and MongoLock have been circulating for years and continue to cause damage. Newer strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Egregor, plus newcomers that have not yet been named, not only encrypt online data files but also delete or encrypt system restore points, volume shadow copies and any backups reachable from the compromised hosts. Files replicated to cloud environments can also be rendered useless, because the encrypted versions are synchronized over the originals. In a vulnerable environment this defeats automated recovery and effectively knocks the entire system back to zero.
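Because the backup- and restore-point wiping described above happens through a handful of well-known Windows commands (MITRE ATT&CK T1490, Inhibit System Recovery), it is one of the most reliable early signals that an encryption run is about to start. The following is an added example, not part of the original page and not Progent's ProSight tooling: it runs a small set of detection rules over process-creation records. The records are constructed samples in a simplified Sysmon Event ID 1 shape, and the field names `host`, `user` and `cmdline` are an assumption rather than any vendor's schema.

```python
"""Detect commands that inhibit system recovery (MITRE ATT&CK T1490).

Ransomware such as Ryuk removes Volume Shadow Copies, Windows Backup
catalogs and boot-recovery settings before or while encrypting, so a
process-creation log that shows these commands is an early warning.
The events below are constructed samples in a simplified Sysmon
Event ID 1 shape; the field names are an assumption, not a vendor schema.
"""
import re

# Each rule: a name and a case-insensitive regex over the full command line.
# Patterns tolerate the casing, ".exe" suffix and argument variations seen
# in real droppers (e.g. "vssadmin.exe Delete Shadows /All /Quiet").
RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin delete backup catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\b(?:catalog|systemstatebackup)\b", re.I)),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("WMI Win32_ShadowCopy delete via PowerShell",
     re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I)),
]

SAMPLE_EVENTS = [  # constructed, not taken from any real incident
    {"host": "WS-041", "user": "CORP\\jdoe",
     "cmdline": "C:\\Windows\\System32\\vssadmin.exe list shadows"},
    {"host": "WS-041", "user": "CORP\\jdoe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "WS-041", "user": "CORP\\jdoe",
     "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"host": "SRV-FS01", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "SRV-FS01", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "SRV-SQL01", "user": "CORP\\svc_backup",
     "cmdline": "powershell -nop -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}\""},
    {"host": "SRV-SQL01", "user": "CORP\\svc_backup",
     "cmdline": "wbadmin start backup -backupTarget:E: -include:C: -quiet"},
]


def match_rules(cmdline):
    """Return the names of every rule the command line matches."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def detect(events):
    """Return one alert per matching event, tagged with ATT&CK T1490."""
    alerts = []
    for ev in events:
        hits = match_rules(ev["cmdline"])
        if hits:
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "technique": "T1490", "rules": hits,
                           "cmdline": ev["cmdline"]})
    return alerts


def hosts_by_severity(alerts):
    """Group matched rules by host. Several distinct rules on one host in
    the same log window is a far stronger signal than one stray command."""
    per_host = {}
    for a in alerts:
        per_host.setdefault(a["host"], set()).update(a["rules"])
    return {h: sorted(r) for h, r in per_host.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["host"]:10} {a["user"]:22} {", ".join(a["rules"])}')
    print(hosts_by_severity(found))
```

Note that the benign `vssadmin list shadows` and `wbadmin start backup` lines are not flagged: the rules key on the destructive verbs, not on the binaries, which keeps administrators' routine use from drowning the alert. The PowerShell rule matters because Ryuk-style scripts sometimes bypass `vssadmin.exe` entirely and call the WMI `Delete()` method.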
Getting applications and data back online after a crypto-ransomware intrusion becomes a sprint against time as the targeted business struggles to stop lateral movement, clear the ransomware and restore mission-critical activity. Because ransomware needs time to spread, intrusions are usually triggered at night, when they take longer to detect. This compounds the difficulty of quickly marshalling and organizing a knowledgeable response team.
Progent offers a variety of solutions for protecting Broomfield organizations from crypto-ransomware attacks. These include user training to recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of next-generation security appliances with AI-based detection to identify and quarantine zero-day attacks. Progent also offers the assistance of seasoned ransomware recovery consultants with the skills and commitment to restore a compromised system as quickly as possible.
Progent's Ransomware Recovery Help
After a crypto-ransomware attack, paying the ransom in cryptocurrency provides no assurance that the criminals will hand over the keys needed to decrypt your data. Kaspersky found that 17% of ransomware victims never recovered their files even after paying, compounding their losses. The ransom itself is also expensive: Ryuk demands often range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the average ransomware demand, which ZDNet estimated at approximately $13,000 for smaller organizations. The alternative is to piece back together the mission-critical parts of your IT environment. Without usable backups of essential data, this calls for a broad complement of IT skills, top-notch team management, and the ability to work around the clock until the task is finished.
For two decades, Progent has provided expert IT services to businesses throughout the US and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals with high-level industry certifications in foundation technologies including Microsoft, Cisco, VMware and the major Linux distributions. Progent's cyber security engineers hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC and SANS GIAC (refer to Progent's certifications). Progent also has expertise with financial systems and ERP applications. This breadth of expertise allows Progent to knowledgeably identify the systems that matter, organize the surviving parts of your network after a crypto-ransomware event, and rebuild them into a functioning whole.
Progent's ransomware team uses state-of-the-art project management tools to coordinate the complex recovery process. Progent understands the urgency of acting quickly and in concert with a customer's management and IT staff to prioritize tasks and bring critical systems back online as soon as possible.
Client Case Study: A Successful Crypto-Ransomware Penetration Restoration
A small business escalated to Progent after their network was brought down by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; later analysis linked its operators to a Russian-speaking criminal group. Ryuk targets businesses with little or no ability to tolerate operational disruption and is one of the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing company in the Chicago metro area with about 500 staff. The Ryuk attack had frozen all company operations and manufacturing. Most of the client's backups had been online when the intrusion began and were eventually encrypted. The client was considering paying the ransom (in excess of $200K) and hoping for the best, but ultimately engaged Progent.
"I cannot speak enough about the expertise Progent provided us throughout the most stressful time of (our) company's life. We may have had to pay the cyber criminals except for the confidence the Progent team provided us. That you could get our e-mail and critical servers back online sooner than five days was something I thought impossible. Each expert I spoke to or messaged at Progent was urgently focused on getting us back on-line and was working day and night to bail us out."
Progent worked with the customer to rapidly identify and prioritize the most important services that had to be restored in order to resume departmental operations:
- Active Directory (AD)
- MRP System
To start, Progent followed industry best practices for ransomware incident response by stopping lateral movement and cleaning infected systems. Progent then began recovering Active Directory, the foundation of enterprise networks built on Microsoft Windows. Exchange messaging will not function without AD, and the client's accounting and MRP system ran on Microsoft SQL Server, which relied on AD for authentication and authorization to the data.
In less than two days, Progent rebuilt Active Directory to its pre-intrusion state. Progent then began rebuilding mission-critical applications and recovering their storage. All Microsoft Exchange Server data and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was also able to locate unencrypted OST files (Outlook offline data files) on staff desktops and used them to recover mail messages. A reasonably recent offline backup of the customer's accounting/ERP systems made it possible to bring these required applications back online. Although significant work remained to recover completely from the Ryuk event, core systems were restored quickly:
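The OST recovery step above depends on telling quickly, across many workstations, which Outlook data files still have their original contents and which were overwritten by the ransomware and merely renamed. The following is an added example, not part of the original page and not Progent's own tooling, that triages candidate files by checking Outlook's own header rather than trusting the file name. The header layout (the `!BDN` magic at offset 0, the `SM` client magic at offset 8 and the little-endian `wVer` at offset 10) comes from Microsoft's MS-PST specification; the `wVer` value 36 for Outlook 2013+ OST files is documented by the libpff project, not by Microsoft. The sample directory tree, the `.RYK` suffix on the encrypted file and the user names are constructed for the example.

```python
"""Triage Outlook data files (.ost/.pst) during ransomware recovery.

Ransomware rewrites a file's contents and usually appends its own
extension, so an .ost that still carries Outlook's header is a candidate
for recovering mail, and one that does not is not worth copying.
Header layout from Microsoft's MS-PST specification: dwMagic "!BDN" at
offset 0, wMagicClient "SM" at offset 8, wVer (little-endian uint16) at
offset 10.
"""
import os
import struct
import tempfile

PST_MAGIC = b"!BDN"
CLIENT_MAGIC = b"SM"
# wVer 14/15 (ANSI) and 23 (Unicode) are documented in MS-PST; 36 is what
# Outlook 2013 and later write for OST files (documented by libpff, not
# by Microsoft).
FORMAT_BY_VERSION = {14: "ansi", 15: "ansi", 23: "unicode", 36: "unicode-ost"}


def classify_outlook_file(path):
    """Return (status, wVer) for one file. status is 'recoverable' when the
    header is intact and the version known, 'unknown-version' when the magic
    is intact but wVer is unfamiliar, and 'damaged' when the header is
    missing (encrypted, truncated, or not an Outlook file at all)."""
    with open(path, "rb") as fh:
        header = fh.read(12)
    if len(header) < 12 or header[0:4] != PST_MAGIC or header[8:10] != CLIENT_MAGIC:
        return ("damaged", None)
    (wver,) = struct.unpack_from("<H", header, 10)
    if wver in FORMAT_BY_VERSION:
        return ("recoverable", wver)
    return ("unknown-version", wver)


def scan_tree(root):
    """Walk a directory (e.g. a mounted workstation profile) and classify
    every file whose name contains .ost or .pst anywhere, so a renamed
    file such as mailbox.ost.RYK is examined rather than skipped."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            lname = name.lower()
            if ".ost" in lname or ".pst" in lname:
                full = os.path.join(dirpath, name)
                results[full] = classify_outlook_file(full)
    return results


def by_name(results):
    """Name-keyed view of scan_tree() output for reporting."""
    return {os.path.basename(p): v for p, v in results.items()}


def summarize(results):
    """Count files per status so the recovery lead can see at a glance how
    many mailboxes are worth pulling from workstations."""
    counts = {}
    for status, _ in results.values():
        counts[status] = counts.get(status, 0) + 1
    return counts


def build_sample_tree():
    """Constructed sample data (not from any real incident): a file with a
    valid Outlook 2013+ OST header, an encrypted copy whose contents were
    replaced and whose name gained a .RYK suffix, a truncated PST, and an
    unrelated text file. Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="ost_triage_")
    profile = os.path.join(root, "Users", "jdoe", "AppData", "Local",
                           "Microsoft", "Outlook")
    os.makedirs(profile)
    good = bytearray(512)
    good[0:4] = PST_MAGIC
    good[8:10] = CLIENT_MAGIC
    struct.pack_into("<H", good, 10, 36)
    with open(os.path.join(profile, "jdoe@corp.example.ost"), "wb") as fh:
        fh.write(good)
    # Stand-in for ciphertext: deterministic bytes with no Outlook magic.
    with open(os.path.join(profile, "jdoe@corp.example.ost.RYK"), "wb") as fh:
        fh.write(bytes(range(256)) * 2)
    with open(os.path.join(profile, "archive.pst"), "wb") as fh:
        fh.write(PST_MAGIC)  # only the first 4 bytes survived
    with open(os.path.join(profile, "notes.txt"), "w") as fh:
        fh.write("not a mailbox\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    found = scan_tree(sample_root)
    for path, (status, wver) in sorted(found.items()):
        print(f"{status:16} wVer={wver}  {os.path.relpath(path, sample_root)}")
    print(summarize(found))
```

Point `scan_tree()` at a workstation's profile directory (or at an image of it mounted read-only) instead of the sample tree to use it in practice. Copy only the files reported as recoverable; an OST whose name was renamed but whose header is intact still counts, while a file that kept its `.ost` name but lost its header was overwritten and will not open in Outlook.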
"For the most part, the production manufacturing operation did not miss a beat and we produced all customer deliverables."
Over the following couple of weeks, critical milestones in the restoration were reached through tight cooperation between Progent consultants and the customer:
- In-house web sites were restored without losing any information.
- The MailStore email archive for Microsoft Exchange Server, containing more than 4 million historical messages, was brought online and made available to users.
- CRM/Customer Orders/Invoices/AP/AR/Inventory modules were 100 percent recovered.
- A new Palo Alto Networks PA-850 firewall was set up.
- Ninety percent of the user workstations were operational.
"A lot of what occurred during the initial response is nearly entirely a fog for me, but we will not forget the urgency all of you put in to help get our company back. I have entrusted Progent for the past 10 years, possibly more, and each time Progent has shined and delivered. This situation was a life saver."
A potentially business-killing catastrophe was averted by hard-working experts, a wide range of IT skills, and close teamwork. Post-incident forensics showed that the attack described here would have been blocked by modern security tooling, recognized best practices, user training, appropriate incident response procedures for data protection, and proper patch management; even so, state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and remain an ongoing threat. If you are hit by crypto-ransomware, remember that Progent's team has proven experience in ransomware prevention, removal, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were helping), thank you for letting me get some sleep after we got past the most critical parts. All of you put in an impressive effort, and if any of your team is in the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)