Crypto-Ransomware : Your Feared IT Nightmare
Ransomware has become a modern cyber-plague and an enterprise-level threat for organizations unprepared for an attack. Older families such as Reveton, WannaCry, Locky, SamSam and MongoLock have been in the wild for years and still cause damage. Newer variants such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, along with a daily stream of unnamed malware, not only encrypt files on every share they can reach but also seek out and disable the recovery mechanisms they can access, such as online backups and volume shadow copies. Files synchronized to cloud storage are encrypted in place and the encrypted copies sync upward as well. In a vulnerable environment this renders automated restore procedures useless and effectively sets the network back to zero.
Bringing applications and data back online after a crypto-ransomware intrusion becomes a race against time as the targeted organization struggles to contain the damage, eradicate the ransomware and restore business-critical operations. Because spreading through and encrypting an environment takes time, attackers often trigger the payload on nights and weekends, when a successful attack is likely to go longer before anyone notices. This compounds the difficulty of quickly assembling and coordinating a qualified response team.
Progent offers a range of services for protecting Chatsworth businesses from ransomware attacks: staff training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security gateways with AI-based detection to identify and block new threats quickly. Progent also provides veteran ransomware recovery engineers with the skills and persistence to rebuild a compromised environment as fast as possible.
Progent's Ransomware Restoration Support Services
Once crypto-ransomware has struck, paying the ransom in Bitcoin provides no assurance that the criminals will hand over working keys to decrypt all of your data. Kaspersky found that 17% of ransomware victims never recovered their files after paying, adding to their losses. The gamble is also expensive: Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far higher than typical ransomware demands, which ZDNet estimated at about $13,000 for smaller businesses. The alternative is to rebuild the key components of your IT environment. Without usable backups, this requires a broad range of IT skills, well-coordinated team management, and the ability to work around the clock until the recovery is finished.
For twenty years, Progent has provided expert IT services to businesses throughout the US and holds Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who hold top industry certifications in key technologies from Microsoft, Cisco, VMware and the major Linux distributions. Progent's security experts have earned internationally recognized certifications including CISA, CISSP, CRISC and GIAC (see Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of expertise lets Progent rapidly identify critical systems, reassemble the surviving components of your network after a ransomware attack, and configure them into a working whole.
Progent's security group uses project management tools to coordinate the complex restoration process. Progent understands the urgency of acting quickly and in concert with the customer's management and IT staff to prioritize tasks and get essential services back online as soon as humanly possible.
Customer Case Study: A Successful Ransomware Virus Response
A small business escalated to Progent after its network was brought down by the Ryuk crypto-ransomware. Ryuk was initially attributed to North Korean state actors because it reuses code from the earlier Hermes ransomware; later analysis attributed it to a Russian-speaking criminal group. Ryuk targets specific organizations with little tolerance for downtime and is among the most lucrative ransomware families. High-profile victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company headquartered in the Chicago metro area with around 500 employees. The Ryuk intrusion had paralyzed all company operations and manufacturing. Most of the client's backups had been online at the time of the attack and were encrypted along with everything else. The client was preparing to pay the ransom (more than $200,000) and hope for the best, but instead engaged Progent.
"I can't thank you enough in regards to the care Progent gave us during the most critical period of (our) business's existence. We may have had to pay the cybercriminals if not for the confidence the Progent group gave us. That you could get our e-mail system and important servers back on-line quicker than 1 week was beyond my wildest dreams. Every single expert I worked with or communicated with at Progent was urgently focused on getting my company operational and was working all day and night on our behalf."
Progent worked with the client to rapidly assess and prioritize the key applications that had to be restored before departmental operations could resume:
- Windows Active Directory
- Accounting and Manufacturing Software
First, Progent followed ransomware incident response best practice by stopping the spread and disinfecting systems. Progent then began rebuilding Active Directory, the foundation of any enterprise environment built on Windows Server. Microsoft Exchange will not run without Active Directory, and the client's financials and MRP system ran on Microsoft SQL Server, which relied on Windows AD for authentication to the database.
Within two days Progent had restored Active Directory to its pre-intrusion state, then moved on to rebuilding and recovering disks on the required servers. All Exchange Server schema extensions and attributes in AD were intact, which accelerated the Exchange rebuild. Progent was also able to collect unencrypted OST files (Outlook offline folder files) from staff desktops to recover email messages. A recent offline backup of the customer's financials/MRP software made it possible to bring those essential applications back to users. Although significant work remained to recover fully from the Ryuk event, essential systems were restored rapidly:
"For the most part, the manufacturing operation did not miss a beat and we made all customer sales."
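The OST collection step above is worth making concrete, because after an encryption event the first question is which of the copied files are still worth working on. The following script is an added example, not Progent's tooling, and it checks only what can be read from the file header: the `!BDN` magic, the `SM` client magic and the `wVer` field defined in Microsoft's MS-PST specification. The version value 36 for newer OST files and the `.RYK` rename are assumptions based on what is commonly observed in practice, and the sample tree is constructed inline.

```python
import struct
import tempfile
from pathlib import Path

# Added illustration (not Progent's tooling): triage Outlook OST/PST files
# collected from workstations after a ransomware event by checking the
# on-disk header defined in Microsoft's MS-PST specification.

OST_MAGIC = b"!BDN"            # dwMagic, bytes 0-3 of every PST/OST
CLIENT_MAGIC = b"SM"           # wMagicClient, bytes 8-9
HEADER_PREFIX_LEN = 12         # enough to reach wVer at bytes 10-11
# wVer values: 14/15 = ANSI PST, 23 = Unicode PST/OST, 36 = Unicode OST with
# 4 KB pages written by Outlook 2013 and later (the last is an assumption from
# field observation rather than a value listed in MS-PST).
KNOWN_VERSIONS = {14, 15, 23, 36}


def inspect_header(path: Path) -> str:
    """Classify one candidate mailbox file by its first 12 bytes.

    Ransomware overwrites the file body with ciphertext, so an encrypted OST
    no longer begins with the '!BDN' magic. Verdicts:
      'usable'               header intact and version recognised
      'unknown_version'      magic intact but wVer not in KNOWN_VERSIONS
      'encrypted_or_damaged' magic missing or file truncated
      'empty'                zero-length file (e.g. an interrupted encryptor)
    An intact header is necessary but not sufficient; confirm by opening the
    file in Outlook or running ScanPST before relying on it.
    """
    with path.open("rb") as fh:
        head = fh.read(HEADER_PREFIX_LEN)
    if not head:
        return "empty"
    if (len(head) < HEADER_PREFIX_LEN
            or head[:4] != OST_MAGIC
            or head[8:10] != CLIENT_MAGIC):
        return "encrypted_or_damaged"
    (version,) = struct.unpack_from("<H", head, 10)
    return "usable" if version in KNOWN_VERSIONS else "unknown_version"


def triage(root: Path) -> dict:
    """Walk a copied profile tree and classify everything that looks like a mailbox file.

    Ransomware commonly renames victims (Ryuk appends '.RYK'), so match on
    '.ost'/'.pst' anywhere in the name instead of only the final suffix.
    """
    verdicts = {}
    for path in root.rglob("*"):
        name = path.name.lower()
        if path.is_file() and (".ost" in name or ".pst" in name):
            verdicts[path.name] = inspect_header(path)
    return verdicts


def build_sample_tree(root: Path) -> None:
    """Write constructed sample files (not real captures) under root."""
    (root / "alice").mkdir(parents=True, exist_ok=True)
    (root / "bob").mkdir(parents=True, exist_ok=True)
    # Intact Unicode OST: magic, CRC placeholder, client magic, wVer=23, padding
    intact = (OST_MAGIC + b"\x00\x00\x00\x00" + CLIENT_MAGIC
              + struct.pack("<H", 23) + b"\x00" * 500)
    (root / "alice" / "alice@example.com.ost").write_bytes(intact)
    # Same kind of file after encryption and renaming; the byte ramp stands in
    # for ciphertext and deliberately does not start with '!BDN'
    (root / "bob" / "bob@example.com.ost.RYK").write_bytes(bytes(range(256)) * 2)
    # Zero-byte file left behind by an interrupted encryptor
    (root / "bob" / "archive.pst").write_bytes(b"")


def demo() -> dict:
    """Build the sample tree in a temp directory and return its triage verdicts."""
    root = Path(tempfile.mkdtemp(prefix="ost_triage_"))
    build_sample_tree(root)
    return triage(root)


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:22} {name}")
```

Run it against a quarantined copy of the workstation profiles, never on the workstations themselves, since they may still carry the encryptor. A "usable" verdict only means the file is a candidate: an OST is bound to the mailbox profile that created it, so recovering mail from it still requires the original profile or a conversion to PST before the messages can be imported into the rebuilt Exchange environment.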
Over the next couple of weeks the key milestones of the restoration project were completed through close collaboration between Progent consultants and the customer:
- Self-hosted web applications were brought back up with no loss of information.
- The MailStore Server containing more than 4 million archived emails was restored to operations and available for users.
- CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory functions were fully restored.
- A new Palo Alto Networks 850 firewall was installed.
- Most of the user workstations were back into operation.
"A lot of what was accomplished in the early hours is mostly a fog for me, but my management will not soon forget the urgency all of you accomplished to give us our company back. I've been working with Progent for the past ten years, possibly more, and every time I needed help Progent has impressed me and delivered as promised. This event was a testament to your capabilities."
A potentially business-killing disaster was averted through the efforts of hard-working professionals, a broad array of subject matter expertise, and close collaboration. Although in hindsight the incident described here could have been prevented with current security technology and recognized best practices, user and administrator training, offline backups and proper patch management, the reality is that ransomware operators, both criminal groups and state-sponsored actors from Russia, North Korea and elsewhere, are tireless and an ongoing threat. If you do fall victim to a ransomware attack, you can be confident that Progent's team of experts has substantial experience in ransomware defense, mitigation, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were contributing), thanks very much for allowing me to get rested after we got past the first week. All of you did an impressive job, and if any of your team is around the Chicago area, a great meal is on me!"
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)