Crypto-Ransomware : Your Worst IT Catastrophe
Ransomware has become an escalating cyber pandemic and an extinction-level threat for businesses of any size that are exposed to an attack. Families such as CryptoLocker, WannaCry, Locky, Syskey and MongoLock have been in the wild for years and still cause damage. More recent crypto-ransomware variants such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Nefilim, along with a steady stream of as yet unnamed strains, not only encrypt online files but also delete Volume Shadow Copies and System Restore points and encrypt any backup that is reachable over the network. Data synchronized to the cloud is not safe either: the sync client simply uploads the encrypted versions over the good ones. In a poorly designed environment this can make recovery impossible and effectively resets the network to zero.
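As an added check (not part of the original page), the following PowerShell script audits a Windows host for the conditions the paragraph above describes: whether Volume Shadow Copies are still present, whether the backup targets can be written to from the current user's session (if they can, ransomware running as that user can encrypt them), and which mapped drives and cloud sync roots would be in scope for encryption. The paths in `$BackupTargets` are hypothetical placeholders to be replaced with your own; run the script elevated on a domain-joined workstation, since enumerating shadow copies requires administrator rights.

```powershell
# Added audit script, not from the original page. Run elevated on a domain-joined Windows host.
# $BackupTargets holds hypothetical example paths; replace them with your real backup locations.
$BackupTargets = @('\\backup01\backups', 'D:\Backups')

# 1. Volume Shadow Copies. Ransomware families routinely delete these (vssadmin delete shadows)
#    before encrypting, so their presence is no substitute for an offline copy, but their sudden
#    absence on a host that is configured for them is a warning sign worth alerting on.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($shadows.Count -eq 0) {
    Write-Warning 'No Volume Shadow Copies present on this host.'
} else {
    $oldest = ($shadows | Sort-Object InstallDate | Select-Object -First 1).InstallDate
    "{0} shadow copies present, oldest created {1}" -f $shadows.Count, $oldest
}

# 2. Backup targets. If the account running this script can create a file on the target, so can
#    malware running in that account's session. Backups must not be writable from ordinary endpoints.
foreach ($target in $BackupTargets) {
    if (-not (Test-Path -LiteralPath $target)) {
        "$target : not reachable from this host (expected for offline or isolated backups)"
        continue
    }
    $probe = Join-Path $target ("write-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        Write-Warning "$target : WRITABLE by $env:USERNAME - a compromised session here can encrypt the backups"
    } catch {
        "$target : reachable but read-only for $env:USERNAME (expected)"
    }
}

# 3. Everything the user can write to is in scope for encryption: persistent SMB mappings and the
#    OneDrive sync root (synced files are uploaded to the cloud in their encrypted form).
Get-SmbMapping -ErrorAction SilentlyContinue |
    ForEach-Object { "Mapped drive in scope: {0} -> {1}" -f $_.LocalPath, $_.RemotePath }
if ($env:OneDrive) { "Cloud sync root in scope: $env:OneDrive" }
```

The write probe is deliberately a real file creation rather than an ACL inspection, because share and NTFS permissions, group nesting and access-based enumeration make static permission reviews easy to get wrong; creating and deleting a file answers the question the way the ransomware would.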
Restoring systems and data after a crypto-ransomware event is a race against time as the targeted organization fights to stop the spread, eradicate the ransomware and resume business-critical activity. Because crypto-ransomware needs time to spread, attacks are usually triggered at night or over a weekend, when a successful intrusion typically takes longer to notice. This compounds the difficulty of rapidly assembling and organizing a capable response team.
Progent offers a range of services for protecting Broomfield businesses from crypto-ransomware attacks. These include user education to help staff recognize and avoid phishing lures, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and the installation and configuration of next-generation security gateways with AI-assisted detection to identify and block zero-day threats. Progent can also provide seasoned crypto-ransomware recovery engineers with the skills and commitment to restore a breached network as rapidly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware event, even paying the ransom in Bitcoin does not guarantee that the criminal gang will hand over working decryption keys for your data. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their data after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms commonly ranged from 15 to 40 BTC ($120,000 to $400,000 at the exchange rates of the time), far higher than typical crypto-ransomware demands, which ZDNet estimated at around $13,000 for smaller organizations. The alternative is to piece the vital parts of your IT environment back together. Without usable backups of essential data, this calls for a wide range of IT skills, professional project management, and the capacity to work around the clock until the job is done.
For twenty years, Progent has provided certified IT services to companies across the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security experts hold internationally recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise with accounting and ERP applications. This breadth of expertise allows Progent to quickly understand critical systems, organize what remains of your IT environment after a ransomware intrusion, and rebuild it into a functioning network.
Progent's security team uses professional project management tools to coordinate the complex restoration process. Progent understands the importance of working quickly, and in close cooperation with a customer's management and IT staff, to prioritize tasks and get key services back online as fast as possible.
Customer Case Study: A Successful Ransomware Penetration Response
A client escalated to Progent after their network was encrypted by the Ryuk ransomware. Early reporting attributed Ryuk to North Korean state-sponsored actors, possibly using techniques leaked from America's National Security Agency; later analysis has linked it to Russian-speaking criminal groups. Ryuk targets specific organizations with little or no tolerance for downtime and is one of the most lucrative ransomware families. High-profile victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing business based in Chicago with about 500 employees. The Ryuk attack had shut down all business operations and manufacturing. Most of the client's backups had been online at the time of the attack and were encrypted along with everything else. The client was actively seeking loans to pay the ransom demand (more than $200,000) and hoping for the best, but in the end called Progent.
"I cannot tell you enough in regards to the help Progent provided us throughout the most stressful period of (our) company's existence. We most likely would have paid the criminal gangs except for the confidence the Progent team gave us. The fact that you could get our messaging and key servers back in less than five days was amazing. Every single staff member I spoke to or texted at Progent was totally committed to getting us back online and was working all day and night to bail us out."
Progent worked with the customer to quickly identify and prioritize the essential areas that had to be addressed in order to resume departmental operations:
- Windows Active Directory
- MRP System
To start, Progent followed ransomware incident response best practices by containing the spread and eradicating the malware. Progent then began rebuilding Windows Active Directory, the foundation of any enterprise network built on Microsoft technology: Microsoft Exchange Server messaging does not function without AD, and the customer's accounting and MRP applications ran on Microsoft SQL Server, which relied on Windows AD for authentication to the databases.
In less than two days, Progent restored Windows Active Directory to its pre-attack state. Progent then pressed ahead with rebuilding and disk recovery of the most important systems. All Exchange data and configuration information were intact, which simplified the Exchange restore. Progent was also able to collect local Outlook offline data files (.ost) from various PCs and laptops to recover mail. A recent offline backup of the customer's financials/ERP software made it possible to bring these required services back online. Although a great deal of work remained to recover fully from the Ryuk event, core systems were returned to operation quickly:
"For the most part, the assembly line operation never missed a beat and we made all customer deliverables."
Over the following month, key milestones in the recovery project were reached through close collaboration between Progent consultants and the client:
- In-house web applications were restored with no loss of data.
- The MailStore Server archive with over 4 million historical emails was brought online and made available to users.
- CRM/Customer Orders/Invoices/AP/Accounts Receivables/Inventory capabilities were fully functional.
- A new Palo Alto Networks PA-850 firewall was brought online.
- Nearly all of the desktops and laptops were back in operation.
"Much of what went on those first few days is mostly a blur for me, but my team will not soon forget the urgency all of you accomplished to give us our business back. I have utilized Progent for the past ten years, maybe more, and each time Progent has come through and delivered as promised. This event was a testament to your capabilities."
A potentially company-ending catastrophe was averted through hard-working professionals, a wide array of IT skills, and close collaboration. In retrospect, the crypto-ransomware incident described here could have been stopped by modern security technology and security best practices, user and IT administrator training, well-designed backup procedures (including offline copies that the malware cannot reach) and disciplined patching, but the reality is that state-sponsored hackers from Russia, China and elsewhere are relentless and will keep trying. If you do fall victim to a ransomware intrusion, remember that Progent's team of professionals has a proven track record in ransomware defense, cleanup, and data recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thank you for making it so I could get some sleep after we got through the initial push. All of you did an amazing effort, and if any of your guys is in the Chicago area, a great meal is the least I can do!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)