Crypto-Ransomware: Your Feared Information Technology Disaster
Crypto-ransomware has become an escalating cyberplague that poses an enterprise-level danger for organizations unprepared for an assault. Versions of ransomware such as the CrySIS, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for a long time and continue to cause destruction. Newer versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, plus more unnamed malware, not only encrypt on-line information but also infiltrate any reachable system backups. Data replicated to off-site disaster recovery sites can also be ransomed. In a poorly designed system, this can make automated restoration useless and basically sets the datacenter back to zero.
Getting programs and information back on-line following a ransomware intrusion becomes a race against the clock as the targeted organization struggles to stop lateral movement, remove the ransomware, and restore mission-critical operations. Because ransomware needs time to spread, penetrations are usually launched during nights and weekends, when they typically take longer to discover. This compounds the difficulty of quickly assembling and organizing a qualified mitigation team.
Progent has a variety of solutions for protecting Cleveland businesses from crypto-ransomware attacks. These include team education to help identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of the latest generation security solutions with artificial intelligence capabilities to automatically discover and suppress new threats. Progent also can provide the assistance of veteran ransomware recovery consultants with the track record and commitment to re-deploy a compromised network as rapidly as possible.
Progent's Crypto-Ransomware Recovery Support Services
Following a ransomware penetration, even paying the ransom in Bitcoin cryptocurrency does not ensure that the distant criminals will respond with the keys to decrypt any of your data. Kaspersky determined that 17% of ransomware victims never restored their information after having paid the ransom, resulting in increased losses. The ransom itself is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the average ransomware demand, which ZDNET determined to be around $13,000 for small organizations. The alternative is to re-install the critical parts of your Information Technology environment. Without access to full information backups, this calls for a wide complement of skills, top-notch team management, and the willingness to work continuously until the recovery project is completed.
For decades, Progent has made available certified expert Information Technology services for businesses throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have earned high-level certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have garnered internationally-renowned certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent in addition has expertise with accounting and ERP software solutions. This breadth of expertise gives Progent the skills to rapidly identify critical systems, re-organize the remaining parts of your network environment after a ransomware event, and configure them into a functioning system.
Progent's security team utilizes powerful project management systems to coordinate the complicated recovery process. Progent understands the importance of acting quickly and in concert with a customer's management and IT staff to assign priority to tasks and to put the most important services back online as fast as possible.
Business Case Study: A Successful Ransomware Penetration Response
A business contacted Progent after their organization was attacked by Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state cybercriminals, suspected of using techniques leaked from the U.S. National Security Agency. Ryuk targets specific companies with little or no room for disruption and is one of the most lucrative versions of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business based in the Chicago metro area with around 500 workers. The Ryuk penetration had shut down all company operations and manufacturing capabilities. Most of the client's backups had been online at the time of the intrusion and were destroyed. The client considered paying the ransom demand (more than $200,000) and hoping for good luck, but in the end engaged Progent.
"I can't say enough about the help Progent gave us throughout the most stressful time of (our) company's life. We would have paid the hackers behind this attack if it wasn't for the confidence the Progent group provided us. That you could get our e-mail and critical applications back on-line quicker than five days was incredible. Every single expert I got help from or messaged at Progent was amazingly focused on getting us back online and was working at all hours on our behalf."
Progent worked hand in hand with the customer to quickly identify and prioritize the critical systems that had to be restored in order to resume company operations:
- Microsoft Active Directory
- Microsoft Exchange Server
To get going, Progent adhered to industry best practices for malware incident mitigation by stopping lateral movement and performing virus removal steps. Progent then started the task of restoring Active Directory, the foundation of enterprise networks built on Microsoft technology. Microsoft Exchange Server messaging will not work without Windows AD, and the business's accounting and MRP system utilized Microsoft SQL Server, which requires Windows AD for access to the database.
Within 48 hours, Progent was able to rebuild Active Directory to its pre-penetration state. Progent then helped perform reinstallations and hard drive recovery on the most important servers. All Microsoft Exchange Server schema and configuration information was usable, which greatly helped the restoration of Exchange. Progent was also able to collect local OST files (Microsoft Outlook Offline Data Files) on user PCs in order to recover email information. A fairly recent off-line backup of the customer's accounting systems made it possible to return these vital services to users. Although a large amount of work still had to be done to recover completely from the Ryuk virus, critical services were restored rapidly:
"For the most part, the assembly line operation ran fairly normal throughout and we made all customer deliverables."
Over the following few weeks, key milestones in the recovery process were completed in tight collaboration between Progent consultants and the customer:
- Self-hosted web sites were returned to operation without losing any information.
- The MailStore Exchange Server containing more than 4 million historical emails was brought on-line and available for users.
- CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control modules were 100 percent restored.
- A new Palo Alto Networks 850 firewall was installed.
- 90% of the desktop computers were operational.
"Much of what happened during the initial response is mostly a blur for me, but my management will not soon forget the commitment each of the team accomplished to help get our business back. I have trusted Progent for the past 10 years, possibly more, and each time Progent has shined and delivered. This event was no exception but maybe more Herculean."
A potential business catastrophe was dodged through the efforts of dedicated experts, a broad spectrum of technical expertise, and tight teamwork. Although post-incident analysis showed that the ransomware incident detailed here should have been stopped by current cybersecurity systems and security best practices, team training, well-thought-out incident response procedures, protected backups and proper patching controls, the fact is that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and will continue. If you do fall victim to a ransomware penetration, remember that Progent's team of experts has extensive experience in ransomware virus blocking, remediation, and file disaster recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thanks very much for allowing me to get rested after we made it past the initial push. All of you did an incredible job, and if anyone is around the Chicago area, dinner is the least I can do!"
Download the Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click: Progent's Ransomware Recovery Case Study Datasheet (PDF - 282 KB).
Contact Progent for Ransomware Cleanup Consulting Services in Cleveland
For ransomware cleanup expertise in the Cleveland metro area, call Progent at 800-462-8800 or see Contact Progent.