Crypto-Ransomware : Your Feared IT Catastrophe
Crypto-ransomware has become an all-too-frequent cyber pandemic that represents an extinction-level danger for organizations poorly prepared for an attack. Earlier families of crypto-ransomware such as the Reveton, Fusob, Locky, SamSam and MongoLock cryptoworms have been spreading for years and still cause damage. More recent strains like Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, plus a steady stream of unnamed newcomers, not only encrypt on-line files but also infiltrate any system protection mechanisms they can reach. Data replicated to the cloud can also be corrupted. In a poorly architected data protection solution, this can render automatic restore operations useless and knock the network back to square one.
Getting applications and data back online after a ransomware intrusion becomes a sprint against the clock as the targeted organization fights to stop lateral movement, clear the ransomware and restore enterprise-critical activity. Because crypto-ransomware requires time to spread, attacks are usually sprung on weekends and holidays, when a successful penetration often takes longer to notice. This multiplies the difficulty of quickly assembling and organizing an experienced mitigation team.
Progent offers a range of support services for securing Cambridge businesses against ransomware attacks. Among these are staff education to recognize and avoid phishing attempts, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which utilizes SentinelOne's behavior-based cyberthreat defense to identify and quarantine zero-day malware attacks. Progent can also provide the services of veteran crypto-ransomware recovery consultants with the track record and commitment to re-deploy a compromised environment as rapidly as possible.
Progent's Ransomware Restoration Support Services
After a ransomware attack, paying the ransom demand in Bitcoin cryptocurrency does not ensure that the criminal gang will provide the keys needed to decrypt any or all of your files. Kaspersky Labs found that 17% of crypto-ransomware victims never recovered their files even after paying the ransom, compounding their losses. Paying is also very costly. Ryuk ransoms often range from 15 to 40 BTC ($120,000 to $400,000), far above the average ransomware demand, which ZDNET estimated to be around $13,000 for small organizations. The other path is to rebuild the critical elements of your IT environment. Without essential data backups, this calls for a wide range of skill sets, well-coordinated team management, and the ability to work 24x7 until the recovery project is finished.
For twenty years, Progent has provided certified expert IT services to businesses across the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who hold top certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have earned internationally recognized certifications including CISA, CISSP, CRISC, and GIAC (see Progent's certifications). Progent also has experience with financial management and ERP software solutions. This breadth of experience allows Progent to rapidly understand the systems involved, re-organize the remaining components of your IT environment after a crypto-ransomware attack, and assemble them into a functioning network.
Progent's ransomware team uses state-of-the-art project management systems to coordinate the complex recovery process. Progent understands the urgency of working quickly, together with a client's management and IT team members, to prioritize tasks and put essential systems back online as fast as humanly possible.
Customer Case Study: A Successful Crypto-Ransomware Penetration Recovery
A customer sought out Progent after their company was attacked by the Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean government-sponsored cybercriminals, possibly using algorithms leaked from the U.S. NSA. Ryuk targets specific organizations with little or no ability to sustain disruption and is among the most profitable examples of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing company in Chicago with about 500 workers. The Ryuk intrusion had disabled all business operations and manufacturing processes. The majority of the client's system backups had been directly accessible at the start of the intrusion and were eventually encrypted. The client considered paying the ransom demand (exceeding two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.
"I cannot speak highly enough of the support Progent gave us throughout the most stressful period of (our) company's existence. We most likely would have paid the cybercriminals if it wasn't for the confidence the Progent experts gave us. The fact that you were able to get our messaging and production servers back online in less than one week was earth shattering. Every single expert I got help from or communicated with at Progent was urgently focused on getting us working again and was working at all hours to bail us out."
Progent worked with the customer to quickly identify and prioritize the mission-critical systems that had to be recovered in order to continue departmental operations:
- Active Directory
- MRP System
To begin, Progent followed anti-virus/malware incident mitigation best practices by isolating systems and cleaning them of malware. Progent then initiated the process of rebuilding Active Directory, the core of enterprise networks built on Microsoft technology. Microsoft Exchange Server messaging will not function without Windows AD, and the business's financials and MRP system ran on SQL Server, which depends on Windows AD for access to the data.
In less than two days, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then helped perform reinstallations and hard drive recovery of mission-critical servers. All Microsoft Exchange Server schema and attributes were intact, which simplified the restore of Exchange. Progent was also able to locate non-encrypted OST files (Outlook Off-Line Data Files) on staff PCs and laptops and use them to recover mail messages. A relatively recent off-line backup of the business's accounting/MRP software made it possible to bring these required applications back online. Although a lot of work remained to recover fully from the Ryuk event, critical services were restored rapidly:
"For the most part, the production line operation ran fairly normally throughout and we delivered all customer orders."
Over the next month, key milestones in the recovery project were accomplished through tight collaboration between Progent team members and the customer:
- Internal web applications were brought back up with no loss of data.
- The MailStore server for Exchange, containing more than 4 million historical messages, was spun up and made available to users.
- CRM, customer orders, invoicing, accounts payable, accounts receivable and inventory control capabilities were 100 percent operational.
- A new Palo Alto Networks 850 security appliance was deployed.
- Most of the user PCs were back in operation.
"A huge amount of what occurred during the initial response is nearly entirely a blur for me, but I will not forget the care all of your team took to give us our company back. I have trusted Progent for the past ten years, maybe more, and every time Progent has shined and delivered. This situation was a life saver."
A probable company-ending catastrophe was averted thanks to hard-working professionals, a broad spectrum of technical expertise, and tight teamwork. In hindsight, the crypto-ransomware attack described here could have been detected and blocked with modern cyber security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator training, well thought out incident response procedures for backups, and keeping systems current with security patches. The reality, however, is that state-sponsored hackers from Russia, North Korea and elsewhere are tireless and remain an ongoing threat. If you are hit by crypto-ransomware, you can be confident that Progent's roster of professionals has proven experience in crypto-ransomware blocking, mitigation, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were contributing), thanks very much for making it so I could get some sleep after we made it through the initial fire. Everyone made an amazing effort, and if any of your team is visiting the Chicago area, a great meal is the least I can do!"
Download the Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this customer story, see Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware Recovery Expertise in Cambridge
For ransomware system recovery consulting in the Cambridge metro area, call Progent at 800-462-8800 or see Contact Progent.