Crypto-Ransomware : Your Crippling IT Nightmare
Ransomware has become a modern cyber pandemic that represents an extinction-level threat for businesses unprepared for an attack. Multiple generations of ransomware, including the Reveton, WannaCry, Locky, NotPetya and MongoLock cryptoworms, have been running rampant for years and continue to inflict damage. Newer strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, along with daily unnamed newcomers, not only encrypt on-line data but also attack any backups and system protections they can reach. Files synchronized to cloud environments can be corrupted as well. In a poorly architected system, this can make automatic restoration hopeless and effectively knocks the network back to square one.
Bringing programs and data back on-line after a ransomware event becomes a sprint against the clock as the victim fights to stop the spread, clear the ransomware, and restore mission-critical activity. Because ransomware needs time to move laterally, attacks are often launched on weekends and holidays, when they typically take longer to detect. This compounds the difficulty of promptly assembling and coordinating a capable mitigation team.
Progent offers an assortment of services for protecting Charleston enterprises from ransomware attacks. These include staff education to help identify and avoid phishing attempts, and ProSight Active Security Monitoring for endpoint detection and response, which uses SentinelOne's AI-based cyberthreat defense to identify and quarantine zero-day modern malware attacks. Progent also provides the assistance of seasoned ransomware recovery professionals with the track record and perseverance to rebuild a breached system as urgently as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware attack, paying the ransom demand in Bitcoin cryptocurrency does not guarantee that merciless criminals will provide the keys to decrypt any or all of your information. Kaspersky determined that 17% of ransomware victims never restored their data after having paid the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is far above the usual crypto-ransomware demand, which ZDNET determined to be in the range of $13,000 for smaller organizations. The other path is to re-install the vital parts of your Information Technology environment. Without complete system backups available, this calls for a broad range of skill sets, well-coordinated team management, and the capability to work 24x7 until the task is done.
For decades, Progent has provided certified expert IT services for businesses across the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who hold top certifications in key technologies from Microsoft, Cisco and VMware, and in popular distributions of Linux. Progent's cyber security specialists have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise with accounting and ERP application software. This breadth of expertise gives Progent the capability to knowledgeably identify critical systems, consolidate the surviving pieces of your network environment after a crypto-ransomware attack, and rebuild them into an operational system.
Progent's ransomware group uses best-of-breed project management tools to orchestrate the complicated restoration process. Progent appreciates the importance of working quickly and together with a client's management and Information Technology team members to prioritize tasks and to put key systems back on-line as fast as humanly possible.
Case Study: A Successful Ransomware Virus Restoration
A small business engaged Progent after their network was taken over by the Ryuk ransomware virus. Ryuk is thought to have been deployed by North Korean state hackers, suspected of using techniques leaked from the U.S. National Security Agency. Ryuk targets specific organizations with limited tolerance for operational disruption and is among the most lucrative examples of ransomware viruses. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing business headquartered in Chicago with about 500 employees. The Ryuk attack had paralyzed all business operations and manufacturing capabilities. The majority of the client's system backups had been directly accessible from the network at the time of the intrusion and were destroyed. The client was pursuing financing to pay the ransom demand (exceeding two hundred thousand dollars) and hoping for good luck, but ultimately engaged Progent.
"I can't tell you enough in regards to the help Progent provided us during the most fearful time of (our) business's existence. We most likely would have paid the cybercriminals if not for the confidence the Progent group provided us. That you could get our e-mail system and production servers back on-line sooner than a week was earth shattering. Each person I spoke to or communicated with at Progent was amazingly focused on getting us back online and was working 24 by 7 on our behalf."
Progent worked together with the client to rapidly assess and prioritize the most important services that had to be restored in order to continue departmental operations:
- Microsoft Active Directory
- Microsoft Exchange Email
- MRP System
To start, Progent followed antivirus/anti-malware incident response best practices by stopping the spread and removing active malware. Progent then began the work of restoring Windows Active Directory, the core of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange Server email will not function without Windows AD, and the business's financial and MRP applications used Microsoft SQL Server, which requires Active Directory services for access to the database.
Within 2 days, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then performed rebuilding and hard drive recovery on the needed servers. All Exchange schema and configuration information was intact, which greatly helped the restoration of Exchange. Progent was also able to locate non-encrypted OST files (Microsoft Outlook Off-Line Data Files) on staff workstations and laptops and use them to recover mail data. A reasonably recent offline backup of the customer's manufacturing systems allowed these essential applications to be restored to service. Although significant work still had to be done to recover fully from the Ryuk attack, the most important services were returned to operation rapidly:
"For the most part, the production manufacturing operation survived unscathed and we made all customer shipments."
Throughout the following month, critical milestones in the restoration process were accomplished through close cooperation between Progent consultants and the client:
- In-house web sites were brought back up with no loss of information.
- The MailStore archive server for Exchange, holding more than 4 million archived messages, was restored to operation and made available to users.
- CRM, Customer Orders, Invoicing, Accounts Payable (AP), Accounts Receivable (AR) and Inventory capabilities were 100% recovered.
- A new Palo Alto 850 security appliance was installed and configured.
- Ninety percent of the user desktops were back in operation.
"So much of what occurred in the initial days is nearly entirely a blur for me, but we will not soon forget the dedication each and every one of the team accomplished to help get our business back. I've utilized Progent for at least 10 years, possibly more, and each time Progent has outperformed my expectations and delivered. This situation was a life saver."
A likely enterprise-killing catastrophe was avoided through the efforts of top-tier professionals, a wide range of subject matter expertise, and tight collaboration. In hindsight, the ransomware attack described here could have been shut down with modern cyber security systems and security best practices, user and IT administrator training, well thought out incident response procedures for information protection, and keeping systems up to date with security patches. The reality, however, is that government-sponsored hackers from China, North Korea and elsewhere are tireless and remain an ongoing threat. If you do get hit by a ransomware attack, remember that Progent's team of professionals has proven experience in ransomware virus blocking, cleanup, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were involved), thanks very much for letting me get some sleep after we got through the initial push. All of you did an impressive effort, and if any of your guys is in the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this ransomware incident report, see Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware Recovery Expertise in Charleston
For ransomware recovery expertise in the Charleston area, phone Progent at 800-462-8800 or see Contact Progent.