Crypto-Ransomware : Your Worst Information Technology Disaster
Ransomware has become a modern cyber pandemic that presents an existential danger to businesses of all sizes that are unprepared for an attack. Different versions of crypto-ransomware such as the CrySIS, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been propagating for a long time and continue to inflict damage. More recent versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, as well as additional unnamed variants, not only encrypt online information but also compromise many configured system restores and backups. Files synchronized to cloud environments can also be ransomed. With a poorly designed data protection solution, this can make automated recovery hopeless and effectively sets the datacenter back to square one.
Restoring services and data after a crypto-ransomware outage becomes a sprint against time as the targeted organization tries its best to stop lateral movement, eradicate the ransomware and restore mission-critical operations. Because ransomware needs time to move laterally, intrusions are usually launched during weekends and nights, when an attack is likely to take longer to notice. This compounds the difficulty of promptly marshalling and coordinating a knowledgeable response team.
Progent offers an assortment of solutions for securing Cambridge organizations against ransomware intrusions. These include training team members to recognize and avoid falling victim to phishing exploits, and ProSight Active Security Monitoring for endpoint detection and response, which uses SentinelOne's behavior-based threat defense to discover and suppress zero-day malware attacks. Progent also provides the assistance of seasoned ransomware recovery professionals with the track record and commitment to restore a breached system as soon as possible.
Progent's Crypto-Ransomware Restoration Help
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminal gangs will provide the keys needed to decrypt any or all of your data. Kaspersky Labs estimated that 17% of ransomware victims never recovered their files after sending the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is well above the usual ransomware demand, which ZDNET estimated to be around $13,000 for smaller businesses. The other path is to piece back together the vital parts of your IT environment. Without access to complete data backups, this requires a broad complement of skill sets, well-coordinated team management, and the ability to work 24x7 until the job is done.
For decades, Progent has offered expert information technology services to businesses across the US and has achieved Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have attained top industry certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have earned internationally recognized industry certifications including CISM, CISSP, CRISC, and GIAC. (Visit Progent's certifications.) Progent also has expertise with accounting and ERP software solutions. This breadth of experience gives Progent the skills to quickly understand critical systems, consolidate the surviving pieces of your IT environment after a crypto-ransomware attack, and rebuild them into an operational system.
Progent's recovery group uses best-of-breed project management applications to orchestrate the complex restoration process. Progent knows the urgency of working quickly and in unison with a customer's management and IT resources to prioritize tasks and to put key services back online as soon as humanly possible.
Business Case Study: A Successful Ransomware Intrusion Restoration
A small business escalated to Progent after its organization was attacked by the Ryuk ransomware. Ryuk is thought to have been created by North Korean state hackers, possibly using algorithms leaked from America's NSA. Ryuk targets specific organizations with limited tolerance for operational disruption and is one of the most profitable examples of crypto-ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing company located in Chicago with around 500 employees. The Ryuk attack had paralyzed all essential operations and manufacturing capabilities. Most of the client's backups had been online at the start of the intrusion and were encrypted. The client was evaluating paying the ransom (in excess of $200,000) and hoping for the best, but in the end decided to use Progent.
"I can't thank you enough for the support Progent provided us throughout the most critical period of (our) company's survival. We might have had to pay the criminal gangs if not for the confidence the Progent team gave us. The fact that you were able to get our messaging and key servers back online in less than five days was earth shattering. Each consultant I interacted with or messaged at Progent was hell bent on getting my company operational and was working at all hours on our behalf."
Progent worked hand in hand with the customer to rapidly assess and prioritize the most important services that had to be addressed to make it possible to restart departmental operations:
- Active Directory (AD)
- Microsoft Exchange Email
- Accounting and Manufacturing Software
To begin, Progent adhered to ransomware incident mitigation best practices by stopping the spread and cleaning infected systems. Progent then started the task of restoring Microsoft Active Directory, the heart of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not function without Active Directory, and the business's accounting and MRP applications used Microsoft SQL Server, which requires Active Directory to authorize access to the data.
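To make the dependency ordering described here concrete, the following is an added example (not Progent's tooling and not part of the case study) that turns a service dependency map into restoration waves using a topological sort. The edges for Exchange, SQL Server and the accounting/MRP applications follow the text (both need Active Directory; the applications sit on SQL Server); the remaining edges, the priority numbers, and the entries for web applications, the MailStore archive and user PCs are assumptions for illustration.

```python
"""Dependency-ordered restoration planning for the services named in the case study.

Added example, not Progent's tooling or process documentation. Edges marked
"page" follow the text; everything else is a constructed assumption.
"""

# service -> set of services that must already be restored before it can be.
DEPENDENCIES = {
    "Active Directory": set(),
    "Microsoft Exchange": {"Active Directory"},              # page: Exchange needs AD
    "SQL Server": {"Active Directory"},                      # page: AD authorizes access
    "Accounting/MRP": {"SQL Server"},                        # page: apps run on SQL Server
    "MailStore archive": {"Microsoft Exchange"},             # assumption
    "Web applications": {"SQL Server"},                      # assumption
    "User PCs": {"Active Directory", "Microsoft Exchange"},  # assumption
}

# Business urgency, used only to order services that become ready in the same
# wave (lower number = restore first). Constructed values.
PRIORITY = {
    "Active Directory": 0,
    "Microsoft Exchange": 1,
    "Accounting/MRP": 1,
    "SQL Server": 2,
    "Web applications": 3,
    "MailStore archive": 4,
    "User PCs": 5,
}


def restore_waves(deps, priority):
    """Group services into restoration waves (Kahn-style topological sort).

    Each wave lists services whose prerequisites were all restored in earlier
    waves, ordered by business priority, so a recovery team can work one wave
    in parallel. A dependency cycle or an unknown prerequisite raises instead
    of silently producing a plan that cannot be executed.
    """
    remaining = {svc: set(reqs) for svc, reqs in deps.items()}
    known = set(remaining)
    for svc, reqs in remaining.items():
        unknown = reqs - known
        if unknown:
            raise KeyError(f"{svc!r} depends on unknown service(s): {sorted(unknown)}")

    restored = set()
    waves = []
    while remaining:
        # Everything whose prerequisites are already back is ready for this wave.
        ready = [svc for svc, reqs in remaining.items() if reqs <= restored]
        if not ready:
            raise ValueError(f"dependency cycle among: {sorted(remaining)}")
        ready.sort(key=lambda svc: (priority.get(svc, 99), svc))
        waves.append(ready)
        restored.update(ready)
        for svc in ready:
            del remaining[svc]
    return waves


def prerequisites(deps, service):
    """All services that must (transitively) be working before `service` can be."""
    seen = set()
    stack = [service]
    while stack:
        for req in deps[stack.pop()]:
            if req not in seen:
                seen.add(req)
                stack.append(req)
    return seen


if __name__ == "__main__":
    for n, wave in enumerate(restore_waves(DEPENDENCIES, PRIORITY), start=1):
        print(f"wave {n}: {', '.join(wave)}")
    print("Accounting/MRP needs:", sorted(prerequisites(DEPENDENCIES, "Accounting/MRP")))
```

With the constructed map, the plan comes out as three waves: Active Directory alone, then Exchange and SQL Server, then the applications that sit on top of them, which matches the order the text describes. The cycle check matters in practice: a dependency map drawn up under pressure during an incident can easily contain a loop (for example two services that each need the other for authentication), and it is better to discover that on paper than on the third night of the recovery.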
Within 2 days, Progent was able to recover Active Directory to its pre-intrusion state. Progent then helped perform rebuilding and storage recovery on mission-critical servers. All Exchange Server links and attributes were usable, which facilitated the restoration of Exchange. Progent was able to locate intact OST files (Outlook Offline Folder Files) on various desktop computers to recover mail messages. A recent offline backup of the business's accounting/ERP systems made it possible to return these required services to users. Although a lot of work remained to recover fully from the Ryuk attack, essential services were returned to operation rapidly:
"For the most part, the production line operation was never shut down and we made all customer orders."
During the following month, key milestones in the recovery project were accomplished through tight cooperation between Progent engineers and the client:
- Self-hosted web applications were returned to operation without losing any data.
- The MailStore Exchange Server with over four million archived emails was restored to operations and accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control functions were 100% recovered.
- A new Palo Alto Networks 850 firewall was brought online.
- Nearly all of the user PCs were fully operational.
"A huge amount of what happened that first week is nearly entirely a fog for me, but my team will not forget the dedication each and every one of you put in to help get our company back. I've been working together with Progent for the past ten years, possibly more, and every time Progent has come through and delivered as promised. This time was a life saver."
A probable business extinction catastrophe was dodged by results-oriented professionals, a wide array of subject matter expertise, and tight teamwork. Although in hindsight the ransomware incident detailed here should have been identified and blocked with up-to-date security systems and best practices, user and IT administrator training, and well-thought-out incident response procedures for data protection and software patching, the fact remains that government-sponsored cyber criminals from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware intrusion, be confident that Progent's roster of experts has substantial experience in ransomware defense, cleanup, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were contributing), thank you for making it so I could get some sleep after we got past the first week. All of you did an amazing job, and if any of your guys is visiting the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Recovery Case Study Datasheet (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Consulting in Cambridge
For ransomware system recovery services in the Cambridge area, phone Progent at 800-462-8800 or see Contact Progent.