Crypto-Ransomware: Your Feared IT Disaster
Crypto-ransomware has become an escalating cyber pandemic that represents an enterprise-level danger for businesses unprepared for an attack. Ransomware families such as Dharma, CryptoWall, Bad Rabbit, NotPetya and the MongoLock cryptoworm have been around for many years and still inflict damage. More recent families such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Egregor, as well as frequent as-yet-unnamed newcomers, not only encrypt online critical data but also compromise many of the available system protection mechanisms. Data synced to off-site disaster recovery sites can also be rendered useless. In a poorly architected data protection solution, this can make any recovery impossible and effectively sets the datacenter back to zero.
Restoring applications and data following a crypto-ransomware outage becomes a race against time as the targeted organization tries its best to contain and remove the ransomware and to resume enterprise-critical activity. Because ransomware needs time to move laterally, attacks are usually launched at night, when they typically take longer to uncover. This multiplies the difficulty of promptly mobilizing and orchestrating a qualified response team.
Progent offers an assortment of support services for securing Chatsworth businesses against ransomware attacks. Among these are staff education to help employees recognize and avoid falling victim to phishing attempts, and ProSight Active Security Monitoring (ASM) for endpoint detection and response (EDR), which uses SentinelOne's behavior-based threat protection to identify and disable zero-day modern malware attacks. Progent can also provide the services of veteran crypto-ransomware recovery engineers with the skills and perseverance to restore a compromised network as quickly as possible.
Progent's Ransomware Recovery Services
After a ransomware event, paying the ransom demand in cryptocurrency does not provide any assurance that the criminal gang will provide the keys to decrypt any of your information. Kaspersky determined that seventeen percent of ransomware victims never restored their data after having sent off the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the average crypto-ransomware demand, which ZDNET determined to be approximately $13,000 for smaller organizations. The alternative is to re-install the essential components of your IT environment. Absent access to full data backups, this requires a broad complement of skill sets, professional team management, and the ability to work continuously until the job is done.
For two decades, Progent has made available expert Information Technology services for businesses throughout the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have earned advanced certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have garnered internationally-renowned industry certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience with accounting and ERP software solutions. This breadth of expertise gives Progent the skills to quickly understand critical systems, organize the remaining components of your network following a crypto-ransomware event, and assemble them into an operational network.
Progent's recovery team of experts uses state-of-the-art project management tools to orchestrate the complex restoration process. Progent appreciates the urgency of working swiftly and in unison with a customer's management and IT resources to prioritize tasks and to get essential services back on-line as fast as humanly possible.
Customer Case Study: A Successful Crypto-Ransomware Intrusion Response
A client contacted Progent after their network was penetrated by the Ryuk ransomware virus. Ryuk is thought to have been created by North Korean state cybercriminals, possibly using techniques leaked from the U.S. NSA. Ryuk goes after specific businesses with little ability to sustain operational disruption and is among the most profitable examples of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing company based in Chicago with about 500 workers. The Ryuk attack had disabled all business operations and manufacturing capabilities. Most of the client's backups had been directly accessible from the network at the start of the intrusion and were destroyed. The client considered paying the ransom demand (more than $200K) and hoping for the best, but in the end made the decision to use Progent.
"I can't say enough in regards to the support Progent provided us throughout the most critical time of (our) business's survival. We had little choice but to pay the Hackers if not for the confidence the Progent group provided us. That you were able to get our messaging and key applications back in less than 1 week was beyond my wildest dreams. Each consultant I worked with or messaged at Progent was absolutely committed to getting our system up and was working 24 by 7 on our behalf."
Progent worked hand in hand with the customer to rapidly determine and prioritize the mission-critical areas that had to be restored to make it possible to resume business functions:
- Active Directory
- Accounting and Manufacturing Software
To get going, Progent followed AV/malware incident response industry best practices by stopping lateral movement and cleaning up infected systems. Progent then started the process of rebuilding Windows Active Directory, the foundation of enterprise networks built upon Microsoft Windows technology. Microsoft Exchange Server email will not operate without AD, and the customer's financial and MRP applications used Microsoft SQL Server, which relies on Windows AD for authentication and authorization to the database.
In less than 2 days, Progent was able to restore Active Directory services to their pre-intrusion state. Progent then initiated setup and hard drive recovery for critical applications. All Exchange schema extensions and attributes were usable, which accelerated the rebuild of Exchange. Progent was able to locate local OST files (Microsoft Outlook Off-Line Folder Files) on user PCs and laptops in order to recover mail data. A fairly recent off-line backup of the business's manufacturing systems made it possible to bring these required programs back into service. Although major work remained to recover fully from the Ryuk event, critical services were returned to operation quickly:
"For the most part, the production line operation survived unscathed and we did not miss any customer sales."
Over the next couple of weeks, important milestones in the recovery project were achieved through close collaboration between Progent consultants and the customer:
- In-house web applications were returned to operation without losing any data.
- The MailStore Exchange Server with over four million historical messages was spun up and accessible to users.
- CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control functions were 100% restored.
- A new Palo Alto 850 security appliance was brought online.
- Nearly all of the user desktops and notebooks were operational.
"A lot of what was accomplished in the initial days is nearly entirely a haze for me, but our team will not forget the countless hours each and every one of you put in to help get our company back. I have utilized Progent for the past ten years, possibly more, and every time Progent has impressed me and delivered. This event was the most impressive ever."
A probable business disaster was averted thanks to hard-working experts, a broad range of subject matter expertise, and close teamwork. Although post-incident forensics showed that the ransomware incident described here should have been blocked by current cyber security systems and best practices, staff training, and well-thought-out procedures for backup and software patching, the fact is that government-sponsored cyber criminals from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by crypto-ransomware, be assured that Progent's roster of professionals has extensive experience in ransomware blocking, cleanup, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thanks very much for allowing me to get rested after we got through the initial push. All of you made an amazing effort, and if any of you guys are in the Chicago area, dinner is the least I can do!"
Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware System Recovery Consulting Services in Chatsworth
For ransomware cleanup expertise in the Chatsworth area, phone Progent at 800-462-8800 or go to Contact Progent.