Crypto-Ransomware: Your Crippling IT Disaster
Ransomware has become a modern cyber plague that presents an enterprise-level threat to organizations unprepared for an attack. Earlier iterations of crypto-ransomware such as Dharma, WannaCry, Bad Rabbit, SamSam and MongoLock have been around for years and still cause harm. Modern versions such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Egregor, along with frequent unnamed variants, not only encrypt online data files but also compromise most reachable system backups. Information replicated to off-site disaster recovery sites can be corrupted as well. In a vulnerable environment this can make automated recovery impossible and effectively knocks the datacenter back to zero.
Retrieving programs and information after a ransomware attack becomes a race against the clock as the targeted business fights to stop the spread, clear the ransomware and resume mission-critical activity. Because ransomware needs time to replicate, attacks are frequently launched during nights and weekends, when a successful penetration may take longer to recognize. This compounds the difficulty of quickly assembling and orchestrating an experienced mitigation team.
Progent offers a range of services for protecting Clearwater organizations from ransomware penetrations. Among these are team education to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and installation of the latest generation of security gateways that use artificial intelligence to identify and disable zero-day threats. Progent also provides the services of experienced ransomware recovery consultants with the talent and perseverance to restore a compromised network as rapidly as possible.
Progent's Ransomware Recovery Help
Following a crypto-ransomware penetration, even paying the ransom in Bitcoin does not ensure that the attackers will provide the keys to decrypt any or all of your data. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their data even after paying the ransom, compounding their losses. Paying is also costly in itself. Ryuk ransoms often range from 15 to 40 BTC ($120,000 to $400,000). This is far higher than the typical crypto-ransomware demand, which ZDNET determined to be approximately $13,000 for small businesses. The other path is to piece back together the mission-critical elements of your IT environment. Without usable system backups, this requires a broad complement of IT skills, professional team management, and the willingness to work non-stop until the recovery project is complete.
For twenty years, Progent has provided certified expert IT services for businesses throughout the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who hold advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with accounting and ERP application software. This breadth of experience gives Progent the skills to efficiently identify critical systems after a ransomware attack, consolidate the remaining parts of your IT environment, and rebuild them into an operational system.
Progent's recovery team uses state-of-the-art project management systems to orchestrate the complex recovery process. Progent appreciates the urgency of working quickly and in concert with a client's management and IT staff to prioritize tasks and put critical services back on-line as fast as humanly possible.
Client Case Study: A Successful Ransomware Intrusion Recovery
A small business contacted Progent after their organization was penetrated by Ryuk crypto-ransomware. Ryuk is believed to have been developed by North Korean state criminal gangs, suspected of using techniques leaked from the United States National Security Agency. Ryuk targets specific businesses that have little or no tolerance for disruption and is among the most profitable examples of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer located in Chicago with about 500 staff members. The Ryuk penetration had frozen all company operations and manufacturing capabilities. Most of the client's backups had been online at the start of the attack and were damaged. The client was considering paying the ransom (in excess of $200,000) and hoping for the best, but in the end reached out to Progent.
"I can't speak enough in regards to the support Progent provided us during the most fearful period of (our) business's life. We would have had little choice but to pay the cybercriminals if not for the confidence the Progent team afforded us. The fact that you could get our messaging and important servers back in under seven days was earth shattering. Every single expert I spoke to or messaged at Progent was laser focused on getting us restored and was working at all hours on our behalf."
Progent worked hand in hand with the client to quickly identify and prioritize the critical systems that had to be restored to make it possible to continue company functions:
- Active Directory (AD)
- Electronic Messaging
To begin, Progent followed industry best practices for anti-virus/malware incident mitigation by halting the spread and removing active malware. Progent then began recovering Microsoft Active Directory, the foundation of enterprise environments built on Microsoft Windows technology. Microsoft Exchange email will not operate without Windows AD, and the customer's accounting and MRP software relied on Microsoft SQL Server, which needs Active Directory to authenticate access to the data.
In less than two days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then helped perform reinstallations and hard drive recovery of key applications. All Exchange ties and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to locate intact OST files (Outlook Offline Folder Files) on staff PCs in order to recover email data. A recent offline backup of the client's financials/MRP systems made it possible to return these essential applications to service. Although a lot of work remained to recover fully from the Ryuk attack, critical services were restored rapidly:
"For the most part, the manufacturing operation never missed a beat and we made all customer orders."
Over the following couple of weeks, key milestones in the recovery project were reached through tight cooperation between Progent consultants and the customer:
- In-house web sites were restored without losing any data.
- The MailStore Server archive, holding more than 4 million historical messages, was brought on-line and made available to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory capabilities were fully recovered.
- A new Palo Alto 850 security appliance was set up.
- Nearly all of the desktop computers were back in use by staff.
"A huge amount of what happened those first few days is mostly a fog for me, but we will not soon forget the commitment each and every one of the team put in to help get our company back. I've utilized Progent for the past 10 years, possibly more, and each time I needed help Progent has come through and delivered. This event was a stunning achievement."
A probable enterprise-killing disaster was averted with results-oriented professionals, a broad spectrum of IT skills, and close collaboration. Forensic analysis concluded that the penetration described here could have been blocked by modern security technology, NIST Cybersecurity Framework best practices, user and IT administrator education, and well-designed incident response procedures covering data backup and timely security patching. The reality, however, is that state-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a crypto-ransomware incident, rest assured that Progent's roster of experts has extensive experience in ransomware blocking, mitigation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thanks very much for allowing me to get rested after we made it over the initial push. Everyone did an impressive job, and if any of you guys are in the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)