Crypto-Ransomware: Your Feared Information Technology Disaster
Ransomware has become a modern cyber pandemic that presents an extinction-level danger for businesses of all sizes that are poorly prepared for an attack. Versions of ransomware like the CryptoLocker, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been circulating for many years and still cause havoc. More recent strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nephilim, plus additional unnamed newcomers, not only encrypt online data but also infiltrate any accessible system restores and backups. Files synchronized to the cloud can also be encrypted. In a vulnerable environment, this can make automated restoration useless and essentially knock the entire system back to square one.
Getting programs and data back online following a ransomware intrusion becomes a race against the clock as the targeted business tries its best to contain and clear the ransomware and to restore business-critical operations. Because ransomware requires time to spread, attacks are usually sprung on weekends and holidays, when successful attacks tend to take longer to uncover. This compounds the difficulty of promptly mobilizing and coordinating a qualified response team.
Progent offers a range of support services for securing Cabo Frio businesses from ransomware penetrations. Among these are user training to help staff recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of next-generation security solutions with artificial intelligence capabilities to quickly identify and suppress zero-day threats. Progent also provides the services of expert ransomware recovery engineers with the skills and perseverance to rebuild a compromised system as soon as possible.
Progent's Crypto-Ransomware Restoration Services
Following a crypto-ransomware event, paying the ransom in Bitcoin cryptocurrency does not ensure that the cyber criminals will return the keys needed to decrypt any of your files. Kaspersky determined that 17% of ransomware victims never recovered their information even after having paid the ransom, resulting in increased losses. Paying is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the usual ransomware demand, which ZDNET estimated to be around $13,000 for small organizations. The other path is to piece back together the critical parts of your Information Technology environment. Without the availability of essential system backups, this requires a wide range of IT skills, well-coordinated team management, and the willingness to work non-stop until the task is completed.
For decades, Progent has provided professional IT services for companies throughout the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have been awarded advanced industry certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have earned internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has experience with accounting and ERP software solutions. This breadth of experience gives Progent the capability to rapidly identify critical systems, integrate the surviving components of your network environment after a ransomware attack, and rebuild them into a functioning network.
Progent's team of ransomware experts uses top-notch project management applications to orchestrate the complex restoration process. Progent knows the importance of acting swiftly and in concert with a client's management and IT resources to prioritize tasks and to put the most important services back online as fast as possible.
Business Case Study: A Successful Ransomware Virus Response
A small business contacted Progent after their company was attacked by the Ryuk ransomware virus. Ryuk is generally considered to have been created by North Korean government-sponsored hackers, possibly adopting algorithms leaked from the United States NSA. Ryuk targets specific companies with limited tolerance for disruption and is among the most lucrative incarnations of ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturer based in Chicago with about 500 employees. The Ryuk event had disabled all business operations and manufacturing processes. The majority of the client's backups had been online at the time of the intrusion and were eventually encrypted. The client was preparing to pay the ransom (exceeding $200K) and hoping for good luck, but ultimately turned to Progent.
"I can't speak enough about the support Progent provided us during the most stressful time of (our) business's existence. We most likely would have paid the hackers behind this attack if it wasn't for the confidence the Progent team gave us. That you were able to get our e-mail and important applications back into operation sooner than seven days was beyond my wildest dreams. Each expert I spoke to or e-mailed at Progent was hell bent on getting us back online and was working 24/7 on our behalf."
Progent worked with the customer to quickly understand and prioritize the essential services that had to be recovered to make it possible to resume business operations:
- Windows Active Directory
- MRP System
To get going, Progent followed industry best practices for malware incident mitigation by stopping the spread and performing virus removal steps. Progent then initiated the work of restoring Microsoft Active Directory, the foundation of enterprise environments built upon Microsoft technology. Exchange messaging will not operate without Windows AD, and the business's accounting and MRP applications utilized Microsoft SQL, which needs Active Directory services for authentication to the data.
In less than 2 days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then completed setup and storage recovery on the most important servers. All Microsoft Exchange Server schema and configuration information was usable, which greatly helped the rebuild of Exchange. Progent was able to find local OST files (Microsoft Outlook Offline Data Files) on user desktop computers in order to recover mail information. A fairly recent offline backup of the client's accounting/MRP systems made it possible to bring these vital applications back online. Although a large amount of work remained to recover fully from the Ryuk event, critical systems were restored rapidly:
"For the most part, the production line operation never missed a beat and we produced all customer deliverables."
Throughout the following few weeks, critical milestones in the recovery project were completed through close cooperation between Progent consultants and the client:
- In-house web sites were restored with no loss of information.
- The MailStore Exchange Server with over 4 million archived emails was brought online and accessible to users.
- CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control capabilities were fully functional.
- A new Palo Alto 850 firewall was set up.
- Most of the user workstations were fully operational.
"A lot of what went on in the early hours is nearly entirely a fog for me, but my team will not forget the dedication all of you put in to give us our business back. I have been working together with Progent for at least 10 years, possibly more, and every time I needed help Progent has impressed me and delivered as promised. This situation was a Herculean accomplishment."
A likely enterprise-killing catastrophe was dodged through the efforts of hard-working professionals, a broad array of IT skills, and tight collaboration. In hindsight, the crypto-ransomware virus attack described here should have been shut down by modern cyber security systems and ISO/IEC 27001 best practices, staff training, and well thought out incident response procedures for information backup and for keeping systems up to date with security patches. The fact remains, however, that government-sponsored hackers from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a crypto-ransomware virus, feel confident that Progent's roster of professionals has substantial experience in crypto-ransomware virus defense, mitigation, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were involved), I'm grateful for making it so I could get rested after we got over the first week. All of you did an incredible effort, and if any of your guys are around the Chicago area, a great meal is on me!"
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)