Crypto-Ransomware: Your Feared IT Catastrophe
Ransomware has become a too-frequent cyber pandemic that represents an enterprise-level danger for businesses of all sizes that are poorly prepared for an attack. Versions of crypto-ransomware like the Reveton, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for a long time and still inflict harm. Modern versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, plus more as yet unnamed malware, not only encrypt online information but also infiltrate all accessible system restores and backups. Data synchronized to cloud environments can also be rendered useless. Where the data protection solution itself is exposed, this renders automated recovery useless and effectively sets the entire environment back to zero.
Getting services and information back following a ransomware outage becomes a sprint against time as the targeted organization struggles to contain the damage, clean up the crypto-ransomware and restore mission-critical activity. Because ransomware requires time to move laterally, attacks are frequently launched at night, when successful intrusions typically take longer to uncover. This compounds the difficulty of quickly mobilizing and organizing a qualified response team.
Progent offers a variety of services for securing Buffalo businesses from ransomware events. These include staff education to become familiar with and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with installation of next-generation security gateways with artificial intelligence technology to quickly identify and quarantine new cyber attacks. Progent also can provide the assistance of seasoned ransomware recovery professionals with the skills and commitment to reconstruct a compromised environment as soon as possible.
Progent's Crypto-Ransomware Recovery Services
Following a ransomware penetration, even paying the ransom demand in Bitcoin cryptocurrency does not ensure that the distant criminals will provide the keys needed to decrypt any of your data. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never recovered their files after having sent off the ransom, resulting in additional losses. The risk is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the usual ransomware demand, which ZDNET determined to be around $13,000 for small organizations. The other path is to set up the vital elements of your IT environment from scratch. Without access to essential data backups, this calls for a broad complement of skill sets, top-notch team management, and the ability to work 24x7 until the task is done.
For two decades, Progent has offered expert IT services for businesses throughout the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have attained advanced certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have garnered internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise in accounting and ERP software solutions. This breadth of experience affords Progent the ability to efficiently understand necessary systems and organize the remaining pieces of your computer network system following a ransomware event and configure them into an operational network.
Progent's ransomware group has powerful project management systems to orchestrate the complicated restoration process. Progent knows the importance of acting swiftly and in concert with a client's management and IT resources to prioritize tasks and to put critical systems back online as soon as humanly possible.
Business Case Study: A Successful Ransomware Attack Response
A customer engaged Progent after their network system was brought down by the Ryuk crypto-ransomware. Ryuk is believed to have been developed by North Korean state-sponsored cybercriminals, suspected of adopting approaches leaked from the United States National Security Agency. Ryuk goes after specific businesses with limited room for disruption and is one of the most profitable examples of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer located in Chicago with about 500 staff members. The Ryuk intrusion had paralyzed all business operations and manufacturing capabilities. The majority of the client's data backups had been directly accessible at the beginning of the attack and were destroyed. The client was pursuing financing to pay the ransom demand (in excess of $200K) and hoping for good luck, but ultimately engaged Progent instead.
"I can't thank you enough for the help Progent provided us throughout the most fearful period of (our) business's survival. We would have paid the Hackers if not for the confidence the Progent group afforded us. That you could get our messaging and critical applications back on-line sooner than a week was amazing. Every single expert I got help from or communicated with at Progent was urgently focused on getting us restored and was working 24 by 7 to bail us out."
Progent worked hand in hand with the customer to quickly understand and assign priority to the key services that had to be addressed to make it possible to continue company functions:
- Windows Active Directory
- Exchange Server
To begin, Progent followed anti-malware incident response industry best practices by stopping lateral movement and cleaning up infected systems. Progent then initiated the work of rebuilding Windows Active Directory, the key technology of enterprise systems built on Microsoft Windows. Exchange email will not function without Windows AD, and the customer's financials and MRP applications used SQL Server, which depends on Active Directory services for security authorization to the database.
In less than 2 days, Progent was able to rebuild Windows Active Directory to its pre-penetration state. Progent then initiated setup and hard-drive recovery on mission-critical systems. All Microsoft Exchange Server connections and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was able to assemble non-encrypted OST files (Outlook Offline Folder files) on various workstations in order to recover mail information. A recent off-line backup of the business's accounting software made it possible to return these vital services to on-line operation. Although a large amount of work still had to be done to recover totally from the Ryuk virus, core services were restored rapidly:
"For the most part, the production line operation did not miss a beat and we made all customer shipments."
Over the next month, critical milestones in the recovery project were accomplished through tight cooperation between Progent engineers and the client:
- Internal web sites were returned to operation with no loss of information.
- The MailStore email archive for Microsoft Exchange Server, holding more than 4 million archived messages, was spun up and accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/AR/Inventory functions were 100 percent functional.
- A new Palo Alto 850 security appliance was set up.
- Ninety percent of the user workstations were back into operation.
"A huge amount of what transpired that first week is nearly entirely a blur for me, but we will not soon forget the urgency all of your team accomplished to give us our business back. I've been working together with Progent for the past 10 years, maybe more, and every time Progent has come through and delivered. This time was a testament to your capabilities."
A probable company-ending catastrophe was evaded by top-tier experts, a wide range of IT skills, and tight collaboration. Forensics completed after the recovery showed that the ransomware attack detailed here would have been prevented by modern cyber security solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team education, and appropriate security procedures for data backup and keeping systems up to date with security patches. The fact remains, however, that government-sponsored hackers from Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a crypto-ransomware virus, remember that Progent's team of experts has substantial experience in ransomware virus defense, remediation, and file restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thanks very much for letting me get some sleep after we got past the initial fire. All of you did an impressive effort, and if anyone is around the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)