Crypto-Ransomware: Your Crippling IT Disaster
Ransomware has become an escalating cyberplague that presents an enterprise-level danger to businesses unprepared for an attack. Earlier families such as Reveton, Fusob, Locky, NotPetya and MongoLock have circulated for years and continue to cause damage. Modern crypto-ransomware families such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Nefilim, plus a daily stream of unnamed variants, not only encrypt online data but also seek out and encrypt or delete any backups reachable from the compromised network. Data synchronized to cloud storage can be corrupted the same way, because the sync client faithfully uploads the encrypted files. In a poorly designed environment this makes automated restore impossible and effectively knocks the network back to zero.
Restoring services and data after a ransomware intrusion becomes a race against the clock as the targeted organization tries to contain and remove the malware and bring business-critical activity back. Because ransomware takes time to spread, attacks are frequently triggered at night, when a successful intrusion typically takes longer to detect. This compounds the difficulty of quickly marshalling and organizing a capable response team.
Progent offers a range of services for protecting Cabo Frio organizations from ransomware. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security gateways with AI capabilities to rapidly detect and quarantine new threats. Progent also provides expert ransomware recovery professionals with the skill and perseverance to rebuild a compromised network as quickly as possible.
Progent's Ransomware Recovery Support Services
After a crypto-ransomware event, even paying the ransom in cryptocurrency does not guarantee that the attackers will hand over keys that decrypt your files. Kaspersky Labs found that 17% of crypto-ransomware victims never recovered their data even after paying, compounding their losses. The ransom itself is also expensive: Ryuk demands commonly range from 15 to 40 BTC (roughly $120,000 to $400,000), well above typical crypto-ransomware demands, which ZDNet estimated at around $13,000 for smaller organizations. The alternative is to rebuild the essential elements of your IT environment. Without access to intact backups, this requires a broad mix of skills, professional project management, and the ability to work around the clock until the recovery is finished.
For two decades, Progent has provided certified expert IT services to businesses throughout the US and holds Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who hold top industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cyber security engineers hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of experience lets Progent rapidly identify critical systems, organize the surviving components of your network after a crypto-ransomware event, and configure them into a functioning system.
Progent's ransomware team uses best-of-breed project management tools to orchestrate the complex restoration process. Progent understands the importance of acting swiftly and in concert with a client's management and IT staff to prioritize tasks and put essential services back online as soon as possible.
Customer Case Study: A Successful Crypto-Ransomware Attack Response
A business sought out Progent after its network was taken over by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the Hermes ransomware; later analysis attributed its operation to a Russian-speaking criminal group, which typically gained its initial foothold through phishing-delivered TrickBot or Emotet infections. Ryuk targets specific organizations with little tolerance for disruption and is one of the most lucrative ransomware operations. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing company in Chicago with around 500 employees. The Ryuk intrusion had disabled all essential business and manufacturing systems. Most of the client's backups were online and reachable from the compromised network at the time of the intrusion, and they were encrypted along with the production data. The client considered paying the ransom (in excess of $200,000) and hoping for the best, but in the end engaged Progent.
"I can't speak enough in regards to the support Progent provided us throughout the most fearful period of (our) business's existence. We would have paid the criminal gangs if not for the confidence the Progent experts provided us. That you were able to get our e-mail and key applications back on-line quicker than 1 week was beyond my wildest dreams. Each expert I worked with or e-mailed at Progent was hell bent on getting my company operational and was working all day and night on our behalf."
Progent worked with the customer to quickly assess and prioritize the critical systems that had to be restored, in dependency order, before company operations could resume:
- Active Directory (AD)
- Microsoft Exchange
- Accounting and Manufacturing Software
First, Progent followed incident response best practices for a malware outbreak: isolating affected systems to halt lateral movement and removing the active malware. Progent then began recovering Microsoft Active Directory, the core of any environment built on Microsoft technology. Microsoft Exchange will not function without AD, and the customer's financial and MRP applications ran on Microsoft SQL Server, which relied on Windows Active Directory for authentication to the databases.
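The containment step mentioned above, halting lateral movement before recovery starts, is easier to reason about with a concrete script. The following is an added example and not Progent's procedure: it locks a Windows host down so that an operator who already has a foothold can no longer reach it over SMB (admin shares, PsExec), RDP or WinRM, while leaving the incident-response jump hosts a way in. The host names, addresses and rule names are placeholders, not from the original page.

```powershell
# Added example, not Progent's procedure: emergency containment of a Windows host so that an
# active ransomware operator can no longer reach it over SMB, RDP or WinRM while it is triaged.
# Assumptions (not from the original page): run elevated on each affected host (console session
# or a GPO startup script); $IrHosts holds placeholder addresses of the IR jump hosts that must
# keep remote access; the host is left powered on so memory and logs survive for forensics.
$IrHosts = @('10.0.0.50', '10.0.0.51')    # placeholder IR workstation addresses

function Invoke-LateralMovementBlock {
    param([string[]]$AllowFrom)

    # 1. Firewall on for every profile with default inbound Block, so nothing reaches the
    #    host unless an enabled allow rule says so.
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block

    # 2. Disable every enabled inbound allow rule except Core Networking (DHCP, ICMPv6 and
    #    the like). This covers the groups ransomware operators ride in on: File and Printer
    #    Sharing (admin shares, PsExec), Remote Desktop and Windows Remote Management.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { $_.DisplayGroup -ne 'Core Networking' } |
        Disable-NetFirewallRule

    # 3. Re-open RDP and WinRM, but only from the IR jump hosts, so responders can still
    #    collect evidence and run cleanup. Rules are recreated so the script is re-runnable.
    $rules = @(
        @{ Name = 'IR-Allow-WinRM-From-IR'; Ports = 5985, 5986 },
        @{ Name = 'IR-Allow-RDP-From-IR';   Ports = 3389 }
    )
    foreach ($r in $rules) {
        Remove-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort $r.Ports -RemoteAddress $AllowFrom -Profile Any | Out-Null
    }
}

function Get-InboundAllowPosture {
    # What is still reachable after containment: should be Core Networking plus the IR rules.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Select-Object DisplayName, DisplayGroup, Profile
}

Invoke-LateralMovementBlock -AllowFrom $IrHosts
Get-InboundAllowPosture | Format-Table -AutoSize
```

Two caveats. This is a workstation and member-server stopgap, not eradication: outbound traffic is untouched, so a running implant can still beacon, and the malware itself still has to be removed. And it must not be pushed blindly to domain controllers or application servers, where disabling inbound rules would take down the very services (AD, SQL Server, Exchange) that the recovery depends on; those are isolated at the network switch or firewall instead. Check the posture the second function prints before moving on, and keep the IR addresses narrow.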
Within two days, Progent had restored Windows Active Directory to its pre-attack state, then completed rebuilding and disk recovery on the mission-critical servers. All Exchange-related AD objects and attributes were intact, which sped up the Exchange restore. Progent was able to collect unencrypted OST files (Outlook Offline Folder Files) from various workstations and laptops and use them to recover mail data. A recent offline backup of the customer's accounting software made it possible to bring that essential application back into service. Although significant work remained to recover fully from the Ryuk attack, the most important systems were recovered quickly:
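The OST recovery described above depends on knowing quickly which workstations still hold an intact Outlook cache. The script below is an added example, not Progent's tooling: it walks the default Outlook cache folder of every user profile on a list of workstations over the C$ admin share and checks each candidate file for the PST/OST header signature, so that files the ransomware encrypted (or renamed) are reported rather than silently collected. Workstation names and the report path are placeholders, not from the original page.

```powershell
# Added example, not Progent's tooling: find Outlook cache files (.ost) on workstations and
# check which are still intact, so mailbox content can be recovered from them after an
# Exchange loss. Assumptions (not from the original page): the workstation names are
# placeholders, the account running this is a local admin on them, and the C$ admin share
# is reachable (if SMB was blocked during containment, open it from the IR host only).
$Workstations = @('WS-001', 'WS-002', 'WS-003')    # placeholder host names
$Report       = 'C:\IR\ost-inventory.csv'           # placeholder output path

# PST and OST files start with the 4-byte signature "!BDN". A file that ransomware
# encrypted (or that was only partly written) will not have it, whatever its name.
$OstMagic = [byte[]](0x21, 0x42, 0x44, 0x4E)

function Test-OstHeader {
    param([string]$Path)
    # Open with shared read/write so a file Outlook still has open does not fail the check.
    $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                 [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $buf = New-Object byte[] 4
        if ($fs.Read($buf, 0, 4) -lt 4) { return $false }
        for ($i = 0; $i -lt 4; $i++) { if ($buf[$i] -ne $OstMagic[$i]) { return $false } }
        return $true
    } finally { $fs.Dispose() }
}

$rows = foreach ($ws in $Workstations) {
    $usersRoot = "\\$ws\C$\Users"
    if (-not (Test-Path -LiteralPath $usersRoot)) {
        [pscustomobject]@{ Workstation = $ws; User = ''; Path = ''; SizeMB = 0
                           LastWrite = $null; Intact = $false; Note = 'admin share unreachable' }
        continue
    }
    # Default cached-mode location: %LOCALAPPDATA%\Microsoft\Outlook. Match '*.ost*' so a
    # file the ransomware renamed (Ryuk appends .RYK) is still listed, and reported as damaged.
    Get-ChildItem -Path "$usersRoot\*\AppData\Local\Microsoft\Outlook" -Filter '*.ost*' `
                  -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $user = if ($_.FullName -match '\\Users\\([^\\]+)\\') { $Matches[1] } else { '' }
            $ok = $false
            try { $ok = Test-OstHeader -Path $_.FullName } catch { $ok = $false }
            $note = if ($ok) { 'copy for recovery' } else { 'header missing: encrypted or damaged' }
            [pscustomobject]@{
                Workstation = $ws; User = $user; Path = $_.FullName
                SizeMB = [math]::Round($_.Length / 1MB, 1); LastWrite = $_.LastWriteTime
                Intact = $ok; Note = $note
            }
        }
}

$rows | Sort-Object Workstation, User | Export-Csv -Path $Report -NoTypeInformation
# Quick view of what is usable; LastWrite also shows how fresh each cache is.
$rows | Where-Object Intact | Format-Table Workstation, User, SizeMB, LastWrite -AutoSize
```

A few practical notes. An OST only holds what that client had synchronized in cached mode, so the newest copy per user is the one worth keeping, and users who worked in online mode will have none. The file is tied to the original mailbox profile; bringing its content back into a rebuilt mailbox generally means opening it with an OST-capable tool or converting it to PST before import. Copy the files out to clean storage rather than launching Outlook on the workstations, since those machines are still suspect until they have been rebuilt or cleaned.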
"For the most part, the production manufacturing operation ran fairly normal throughout and we produced all customer shipments."
Over the following few weeks, Progent engineers and the client worked closely together to complete the remaining milestones of the recovery project:
- Internal web sites were restored with no loss of data.
- The MailStore Server containing more than four million archived messages was restored to operations and available for users.
- CRM/Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory Control capabilities were 100 percent recovered.
- A new Palo Alto Networks 850 security appliance was deployed.
- Ninety percent of the desktops and laptops were functioning as before the incident.
"So much of what happened in the early hours is mostly a haze for me, but my management will not forget the countless hours each and every one of your team put in to help get our company back. I have utilized Progent for the past ten years, possibly more, and each time Progent has impressed me and delivered. This situation was a stunning achievement."
A potentially business-ending catastrophe was avoided through hard-working professionals, a wide array of knowledge, and close teamwork. In retrospect, the intrusion described here could have been prevented with current cyber security solutions and security best practices: user training, offline or otherwise isolated backups, timely security patching, and well thought out incident response procedures. The reality remains, however, that ransomware operators, whether criminal gangs or state-sponsored groups from China, Russia, North Korea and elsewhere, are tireless and are not going away. If you are hit by a ransomware incursion, you can be confident that Progent's team has substantial experience in crypto-ransomware blocking, remediation, and disaster recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), I'm grateful for allowing me to get rested after we made it through the most critical parts. All of you did an amazing job, and if any of your team is around the Chicago area, a great meal is the least I can do!"
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Consulting in Cabo Frio
For ransomware cleanup services in the Cabo Frio area, call Progent at 800-462-8800 or see Contact Progent.