Crypto-Ransomware : Your Crippling Information Technology Disaster
Crypto-Ransomware has become a too-frequent cyber pandemic that poses an extinction-level threat for businesses unprepared for an assault. Different iterations of ransomware such as Dharma, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been out in the wild for many years and still cause havoc. More recent versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, as well as other as yet unnamed strains, not only encrypt on-line information but also go after every configured system protection, including backups. Files synchronized to off-site disaster recovery sites can also be corrupted. Against a vulnerable data protection solution, this can make automatic recovery useless and set the datacenter back to square one.
Recovering programs and information following a ransomware attack becomes a sprint against the clock as the victim struggles to stop lateral movement and clear the virus and to resume business-critical operations. Because ransomware takes time to move laterally, penetrations are frequently launched on weekends, when attacks tend to take longer to notice. This multiplies the difficulty of rapidly assembling and orchestrating a knowledgeable mitigation team.
Progent provides a range of services for securing Chatsworth businesses from crypto-ransomware penetrations. Among these are team training to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of the latest generation security solutions with AI capabilities to automatically discover and quarantine new threats. Progent in addition can provide the assistance of seasoned ransomware recovery professionals with the track record and perseverance to re-deploy a breached system as rapidly as possible.
Progent's Crypto-Ransomware Recovery Support Services
After a crypto-ransomware event, sending the ransom in Bitcoin cryptocurrency does not provide any assurance that merciless criminals will respond with the keys to decrypt all your files. Kaspersky ascertained that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in additional losses. Paying is also costly. Ryuk ransoms frequently range from fifteen to forty BTC (between $120,000 and $400,000). This is significantly higher than the usual ransomware demands, which ZDNET estimated to be around $13,000 for small organizations. The other path is to piece back together the essential elements of your IT environment. Without complete information backups available, this calls for a broad range of IT skills, professional team management, and the willingness to work 24x7 until the task is finished.
For decades, Progent has made available certified expert IT services for businesses throughout the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have earned high-level industry certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have earned internationally-recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience in financial management and ERP application software. This breadth of experience provides Progent the skills to rapidly understand critical systems and integrate the surviving components of your computer network environment after a crypto-ransomware event and configure them into a functioning system.
Progent's recovery group utilizes best of breed project management applications to orchestrate the complicated recovery process. Progent appreciates the importance of acting rapidly and in unison with a client's management and Information Technology resources to prioritize tasks and to get key services back on line as soon as possible.
Case Study: A Successful Ransomware Attack Restoration
A business engaged Progent after their organization was attacked by the Ryuk crypto-ransomware. Ryuk is believed to have been deployed by North Korean state criminal gangs, possibly using approaches leaked from America's National Security Agency. Ryuk targets specific businesses with little or no ability to sustain disruption and is one of the most lucrative versions of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in Chicago with about 500 staff members. The Ryuk event had shut down all business operations and manufacturing capabilities. The majority of the client's backups had been directly accessible from the network at the beginning of the attack and were eventually encrypted. The client was taking steps to pay the ransom demand (more than $200K) and praying for good luck, but ultimately brought in Progent.
"I can't tell you enough about the expertise Progent provided us during the most critical period of (our) company's survival. We would have paid the criminal gangs if not for the confidence the Progent experts gave us. The fact that you could get our messaging and important servers back on-line sooner than five days was something I thought impossible. Every single person I worked with or messaged at Progent was totally committed on getting us back online and was working 24 by 7 on our behalf."
Progent worked together with the client to rapidly assess and prioritize the critical elements that had to be addressed to make it possible to continue company functions:
- Microsoft Active Directory
- Microsoft Exchange
To begin, Progent adhered to industry best practices for AV/malware incident mitigation by isolating affected systems and performing virus removal steps. Progent then began the work of recovering Active Directory, the key technology of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange messaging will not function without Active Directory, and the business's MRP applications leveraged Microsoft SQL, which requires Active Directory services for authentication to the databases.
Within 48 hours, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then performed rebuilding and storage recovery of critical servers. All Exchange data and attributes were intact, which greatly helped the rebuild of Exchange. Progent was also able to locate intact OST data files (Outlook Email Offline Folder Files) on user workstations and laptops to recover email data. A recent offline backup of the client's accounting/ERP systems made it possible to restore these required programs to users. Although major work remained to recover completely from the Ryuk attack, core services were recovered quickly:
"For the most part, the assembly line operation ran fairly normal throughout and we made all customer sales."
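The recovery above hinged on finding email data sources that the encryptor had not reached: intact OST files on workstations, and an offline backup it could not touch. The following triage script is an added example and is not Progent's tooling or part of the original case study. It assumes a workstation file tree and checks each candidate OST file for the four-byte "!BDN" magic that the MS-PST file format places at offset 0 of every PST/OST file; a file whose header has been overwritten by an encryptor (or renamed with an appended extension) fails that check and is set aside. The directory tree it scans is constructed in a temporary folder so the script runs offline.

```python
import os
import tempfile
from pathlib import Path

# Every PST/OST file begins with dwMagic = "!BDN" (MS-PST header, offset 0).
OST_MAGIC = b"!BDN"


def classify_ost(path):
    """Return 'intact' if the file still carries the PST/OST header magic, else 'damaged'.

    An encryptor overwrites the file body, so the first four bytes no longer
    match; a truncated or zero-length file fails the check as well.
    """
    with open(path, "rb") as fh:
        head = fh.read(len(OST_MAGIC))
    return "intact" if head == OST_MAGIC else "damaged"


def scan_for_ost(root):
    """Walk root and classify every file whose name contains '.ost'.

    The substring match deliberately also catches files such as
    'mailbox.ost.locked', since many families append an extension after
    encrypting; those are reported so they are not mistaken for good copies.
    """
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if ".ost" in name.lower():
                full = os.path.join(dirpath, name)
                results[full] = classify_ost(full)
    return results


def intact_ost_files(root):
    """Sorted list of OST paths under root that pass the header check."""
    return sorted(p for p, state in scan_for_ost(root).items() if state == "intact")


def build_sample_tree():
    """Construct a throwaway directory with one intact and two damaged OST files (constructed data)."""
    root = tempfile.mkdtemp(prefix="ost_triage_")
    users = Path(root) / "Users"
    (users / "alice" / "Outlook").mkdir(parents=True)
    (users / "bob" / "Outlook").mkdir(parents=True)
    # Intact: correct magic followed by padding (hypothetical user names).
    (users / "alice" / "Outlook" / "alice@example.com.ost").write_bytes(OST_MAGIC + b"\x00" * 60)
    # Damaged: body overwritten, extension retained.
    (users / "bob" / "Outlook" / "bob@example.com.ost").write_bytes(bytes(range(64)))
    # Damaged and renamed with an appended extension.
    (users / "bob" / "Outlook" / "old.ost.locked").write_bytes(b"\xff" * 64)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for path, state in sorted(scan_for_ost(sample_root).items()):
        print(f"{state:8} {path}")
    print("usable for mailbox recovery:", intact_ost_files(sample_root))
```

Point `scan_for_ost` at a mounted workstation image or a share of collected profile folders rather than the sample tree to produce the list of OST files worth importing; the header check is a cheap first filter, and a file that passes it should still be opened in Outlook or a mailbox repair tool before it is relied on.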
During the following few weeks critical milestones in the restoration project were made through tight collaboration between Progent engineers and the client:
- In-house web sites were brought back up with no loss of data.
- The MailStore Microsoft Exchange Server with over 4 million archived emails was brought on-line and accessible to users.
- CRM/Orders/Invoices/AP/AR/Inventory modules were fully operational.
- A new Palo Alto Networks 850 security appliance was brought on-line.
- Nearly all of the user workstations were being used by staff.
"Much of what occurred in the initial days is mostly a blur for me, but we will not forget the care each of your team put in to help get our business back. I have been working together with Progent for at least 10 years, maybe more, and every time Progent has impressed me and delivered as promised. This situation was a Herculean accomplishment."
A likely business-ending catastrophe was avoided by results-oriented professionals, a broad spectrum of IT skills, and tight collaboration. Although the post mortem showed that the ransomware penetration described here should have been stopped by modern cyber security solutions and recognized best practices, staff education, properly executed incident response procedures for information protection, and proper patching controls, the reality is that state-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware attack, feel confident that Progent's roster of experts has a proven track record in ransomware virus defense, mitigation, and data restoration.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), I'm grateful for letting me get rested after we got past the initial fire. All of you did an amazing job, and if anyone is visiting the Chicago area, dinner is on me!"
Download the Crypto-Ransomware Cleanup Case Study Datasheet
To read or download a PDF version of this customer case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Consulting Services in Chatsworth
For ransomware recovery consulting in the Chatsworth metro area, call Progent at 800-462-8800 or visit Contact Progent.