Ransomware : Your Feared IT Catastrophe
Crypto-ransomware has become an escalating cyber pandemic that poses an extinction-level danger for organizations vulnerable to an attack. Different iterations of crypto-ransomware such as CryptoLocker, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been around for many years and continue to cause harm. Newer strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, as well as frequent as-yet-unnamed malware, not only encrypt online data but also encrypt or destroy every reachable system restore point and backup. Data replicated to off-site disaster recovery sites can also be rendered useless. In a poorly designed environment, this makes automated restore operations useless and effectively sets the datacenter back to square one.
Restoring programs and data after a ransomware outage becomes a race against time as the targeted organization tries its best to stop lateral movement, eradicate the ransomware, and restore mission-critical activity. Because ransomware takes time to spread, attacks are often launched on weekends and at night, when successful attacks are likely to take longer to detect. This compounds the difficulty of rapidly marshalling and orchestrating a qualified response team.
Progent offers a range of solutions for securing Cambridge businesses from ransomware events. These include staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of modern security solutions with AI technology to rapidly detect and disable zero-day threats. Progent can also provide the services of experienced crypto-ransomware recovery professionals with the skills and commitment to rebuild a breached system as quickly as possible.
Progent's Crypto-Ransomware Recovery Services
After a ransomware event, even paying the ransom in cryptocurrency provides no assurance that the attackers will hand over the keys to decrypt any or all of your files. Kaspersky Labs found that 17% of ransomware victims never recovered their data even after having paid the ransom, resulting in increased losses. The ransom itself is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the typical ransomware demand, which ZDNET estimated to be in the range of $13,000 for smaller organizations. The fallback is to re-install the mission-critical components of your IT environment. Without access to full data backups, this requires a wide complement of skills, professional team management, and the willingness to work 24x7 until the task is complete.
For decades, Progent has provided expert IT services for businesses throughout the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have attained top industry certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise in financial management and ERP software solutions. This breadth of experience gives Progent the ability to knowledgeably identify critical systems, organize the surviving pieces of your IT environment after a crypto-ransomware event, and rebuild them into an operational network.
Progent's recovery team uses best-of-breed project management systems to orchestrate the complex recovery process. Progent appreciates the urgency of working rapidly and together with a customer's management and IT staff to prioritize tasks and to put essential systems back online as soon as possible.
Customer Story: A Successful Crypto-Ransomware Intrusion Restoration
A customer escalated to Progent after their network was brought down by Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state-sponsored hackers, possibly adopting techniques leaked from the U.S. NSA. Ryuk targets specific companies with little tolerance for disruption and is one of the most lucrative iterations of crypto-ransomware. Major victims have included Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company headquartered in the Chicago metro area with about 500 employees. The Ryuk event had disabled all company operations and manufacturing capabilities. Most of the client's data backups had been directly accessible at the time of the attack and were eventually encrypted. The client was pursuing financing to pay the ransom (exceeding $200K) and hoping for the best, but in the end called Progent.
"I cannot say enough in regards to the support Progent gave us during the most stressful period of (our) company's survival. We had little choice but to pay the cybercriminals except for the confidence the Progent group provided us. That you were able to get our e-mail and essential applications back on-line in less than 1 week was amazing. Every single person I got help from or communicated with at Progent was absolutely committed to getting us restored and was working at breakneck pace to bail us out."
Progent worked together with the client to quickly determine and prioritize the mission critical elements that needed to be recovered in order to continue company functions:
To begin, Progent followed ransomware incident response best practices by containing the spread and cleaning up infected systems. Progent then started the task of bringing Microsoft Active Directory back online, the foundation of enterprise environments built on Microsoft Windows Server. Microsoft Exchange Server messaging will not work without Windows AD, and the client's MRP applications used Microsoft SQL Server, which relies on Active Directory for authentication and authorization to the databases.
- Active Directory
Within two days, Progent was able to restore Active Directory services to their pre-intrusion state. Progent then completed setup and storage recovery on essential servers. All Exchange data and configuration information were intact, which simplified the rebuild of Exchange. Progent was able to find unencrypted OST data files (Microsoft Outlook Offline Folder Files) on various desktop computers in order to recover mail data. A recent offline backup of the customer's manufacturing software allowed those essential applications to be returned to users. Although major work remained to recover completely from the Ryuk attack, the most important systems were restored quickly:
"For the most part, the manufacturing operation showed little impact and we delivered all customer shipments."
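The paragraph above notes that mail data was recovered from OST files on desktops that the ransomware had not reached. Sorting hundreds of workstation files into "still readable" and "already overwritten" is a triage step worth automating. The following is an added example, not Progent's tooling or anything from the case study; it assumes the Outlook OST/PST format signature `!BDN` at offset 0 (the PFF signature) and treats a file that has lost that header and whose leading bytes have near-random entropy as encrypted. The sample directory tree, file names and contents are constructed for the demonstration.

```python
"""
Triage Outlook OST/PST files after a ransomware incident.

Added example, not Progent's tooling. It assumes intact OST/PST files start
with the PFF signature "!BDN", while a file overwritten by ransomware has
lost that header and its leading bytes look random (high entropy).
"""
import math
import os
import tempfile
from pathlib import Path

PFF_SIGNATURE = b"!BDN"   # magic bytes at offset 0 of OST/PST files
SAMPLE_BYTES = 4096       # how much of the file head to inspect
HIGH_ENTROPY = 7.5        # bits per byte; ciphertext sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def classify_mailbox_file(path: Path) -> str:
    """Return 'intact', 'encrypted' or 'unknown' for one candidate file."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if head.startswith(PFF_SIGNATURE):
        return "intact"
    if shannon_entropy(head) >= HIGH_ENTROPY:
        return "encrypted"    # header gone and contents look random
    return "unknown"          # zeroed, truncated or unrelated file


def triage_directory(root: Path) -> dict:
    """Walk `root` and map every .ost/.pst file (relative path) to a verdict."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".ost", ".pst")):
                p = Path(dirpath) / name
                results[p.relative_to(root).as_posix()] = classify_mailbox_file(p)
    return results


def build_sample_tree() -> Path:
    """Constructed sample data: an intact OST, an encrypted one, a zeroed one."""
    root = Path(tempfile.mkdtemp(prefix="ost_triage_"))
    intact = root / "alice" / "alice.ost"
    intact.parent.mkdir()
    intact.write_bytes(PFF_SIGNATURE + b"\x00" * 60 + b"mail body " * 400)
    hit = root / "bob" / "bob.ost"
    hit.parent.mkdir()
    hit.write_bytes(os.urandom(SAMPLE_BYTES))   # stands in for ciphertext
    zeroed = root / "carol" / "carol.pst"
    zeroed.parent.mkdir()
    zeroed.write_bytes(b"\x00" * 1024)          # wiped or truncated file
    return root


if __name__ == "__main__":
    for rel, verdict in sorted(triage_directory(build_sample_tree()).items()):
        print(f"{verdict:>9}  {rel}")
```

The signature check is the decisive test; the entropy check only separates files the ransomware actually overwrote from files that are damaged in some other way, so that "unknown" files get a second look rather than being discarded. In a real recovery the same scan would be run read-only against the workstation shares, and any "intact" file copied off before anything else touches it.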
Throughout the next month critical milestones in the recovery project were completed through close collaboration between Progent consultants and the client:
- Internal web applications were restored without losing any information.
- The MailStore Server containing more than 4 million archived emails was brought on-line and available for users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory capabilities were fully operational.
- A new Palo Alto Networks 850 security appliance was brought on-line.
- Ninety percent of the user desktops were fully operational.
"So much of what transpired those first few days is mostly a fog for me, but my team will not soon forget the countless hours each of your team put in to give us our company back. I have utilized Progent for the past 10 years, possibly more, and every time Progent has shined and delivered as promised. This situation was a life saver."
A probable business-killing disaster was averted by dedicated professionals, a broad array of knowledge, and close collaboration. Although in hindsight the ransomware incident described here could have been identified and stopped with advanced cyber security technology, security best practices, user and IT administrator training, and appropriate procedures for backups and software patching, the reality is that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to ransomware, remember that Progent's team of experts has a proven track record in ransomware defense, mitigation, and disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were contributing), thank you for allowing me to get rested after we made it past the most critical parts. All of you made a fabulous effort, and if any of your team is in the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)