Crypto-Ransomware: Your Feared IT Disaster
Ransomware has become an escalating cyberplague that presents an enterprise-level danger for any organization vulnerable to an attack. Multiple generations of ransomware such as Reveton, WannaCry, Locky, Syskey-based lockers and MongoLock have been circulating for years and still cause harm. Newer families such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Conti and Nefilim (also written Nephilim), along with additional unnamed newcomers, not only encrypt online files but also seek out and destroy any backups reachable from the compromised network. Data replicated to cloud environments can be rendered useless as well, because replication faithfully copies the encrypted files over the good ones. In a poorly architected environment this defeats automatic restoration and effectively knocks the entire system back to square one.
Retrieving services and data following a ransomware event becomes a sprint against the clock as the targeted organization fights to contain and clean up the crypto-ransomware and restore business-critical operations. Because the encryption stage takes time to run across an environment, attackers usually trigger it on weekends and holidays, when fewer staff are watching and attacks take longer to identify. This multiplies the difficulty of rapidly assembling and orchestrating a capable response team.
Progent provides a range of services for protecting Cleveland businesses from ransomware events. Among these are user training to help staff recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of the latest generation of security appliances that use machine learning to detect and block zero-day threats. Progent also offers the assistance of experienced ransomware recovery consultants with the skills and commitment to rebuild a compromised system as urgently as possible.
Progent's Ransomware Restoration Help
Following a ransomware attack, paying the ransom in cryptocurrency does not ensure that the criminals will respond with the keys needed to decrypt any of your files. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time). This is far higher than the usual ransomware demand, which ZDNet determined to be around $13,000 for small businesses. The alternative is to set up the critical parts of your IT environment from scratch. Without access to complete, uncompromised system backups, this requires a broad complement of skills, well-coordinated team management, and the willingness to work 24x7 until the recovery project is over.
For twenty years, Progent has provided certified expert IT services for businesses across the U.S. and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who hold high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise with financial management and ERP applications. This breadth of experience gives Progent the ability to knowledgeably identify the critical systems, salvage the remaining pieces of your IT environment following a crypto-ransomware penetration, and rebuild them into a working whole.
Progent's ransomware team uses proven project management processes to orchestrate the complicated recovery effort. Progent appreciates the urgency of working quickly and in concert with a client's management and IT staff to prioritize tasks and to put essential systems back online as soon as humanly possible.
Business Case Study: A Successful Crypto-Ransomware Intrusion Restoration
A client contacted Progent after their network was penetrated by the Ryuk ransomware. Ryuk was initially linked to North Korean state actors because it shares code with the earlier Hermes ransomware, but later analysis attributed it to a Russian-speaking criminal group that CrowdStrike tracks as Wizard Spider, and it is typically deployed by hand after an initial Emotet or TrickBot infection. Ryuk goes after specific organizations with little tolerance for operational disruption and is among the most lucrative ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a manufacturing company based in the Chicago metro area with around 500 employees. The Ryuk attack had frozen all company operations and manufacturing processes. Most of the client's backups had been online and reachable from the network when the intrusion began, and were encrypted along with the production data. The client was preparing to pay the ransom demand (in excess of $200,000) and hope for the best, but in the end brought in Progent.
"I can't speak enough in regard to the expertise Progent gave us during the most fearful time of (our) business's existence. We would have had little choice but to pay the hackers behind this attack if not for the confidence the Progent team provided us. The fact that you could get our e-mail system and key applications back on-line in less than 1 week was amazing. Every single staff member I spoke to or e-mailed at Progent was amazingly focused on getting us operational and was working all day and night to bail us out."
Progent worked together with the customer to rapidly identify and prioritize the mission-critical areas that had to be restored before business operations could resume:
- Microsoft Active Directory
- Accounting and Manufacturing Software
To start, Progent followed ransomware incident response best practices by isolating and disinfecting systems. Progent then began restoring Windows Active Directory, the core of enterprise environments built on Microsoft Windows technology. Exchange messaging will not work without Active Directory, and the customer's MRP system used Microsoft SQL Server, which relied on Windows AD authentication for access to the databases.
Within 48 hours, Progent had rebuilt Active Directory services to their pre-attack state. Progent then performed operating system setup and disk recovery on the critical servers. The Exchange Server objects and attributes stored in Active Directory were intact, which greatly simplified the rebuild of Exchange. Progent was able to locate unencrypted OST data files (Outlook Offline Data Files) on user desktop computers and laptops and use them to recover mailbox contents. A recent off-line backup of the business's accounting/ERP systems made it possible to bring these essential applications back into service. Although significant work remained to recover fully from the Ryuk attack, critical systems were restored quickly:
"For the most part, the production operation showed little impact and we produced all customer sales."
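The OST recovery step described above, as an added example that is not Progent's code or tooling: a small Python triage script that walks a directory tree, picks out anything that looks like an Outlook .ost or .pst file (including files a ransomware has renamed by appending its own extension), and sorts them into intact versus encrypted using the [MS-PST] "!BDN" file header and a byte-entropy estimate of the file's first 4 KB. The directory layout, the file names, the ".locked" suffix and the 7.5 bits/byte threshold are constructed assumptions for the demonstration.

```python
"""Triage workstation OST/PST files for email recovery after ransomware.

Added example, not part of Progent's case study. Outlook Offline Data Files
(.ost) and Personal Folders files (.pst) both begin with the signature
b"!BDN" (the [MS-PST] header's dwMagic). A file that ransomware has fully
encrypted loses that header and reads as near-random bytes, so a header
check plus an entropy reading separates recoverable mail stores from
wrecked ones. Paths, names and the ".locked" suffix are constructed sample data.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

PST_MAGIC = b"!BDN"      # [MS-PST] NDB header dwMagic, little-endian 0x4E444221
SAMPLE_BYTES = 4096      # head of the file used for the entropy estimate
ENTROPY_SUSPECT = 7.5    # bits/byte; assumed threshold, real headers are far lower


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> str:
    """Return 'intact', 'encrypted' or 'unknown' for one candidate mail store."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if head.startswith(PST_MAGIC):
        return "intact"
    if shannon_entropy(head) >= ENTROPY_SUSPECT:
        return "encrypted"
    return "unknown"


def is_mail_store_name(name: str) -> bool:
    """Match foo.ost / foo.pst and also foo.ost.<ransom-ext> style renames."""
    parts = name.lower().split(".")
    return any(p in ("ost", "pst") for p in parts[1:])


def triage(root: Path) -> dict:
    """Walk `root` and bucket every OST/PST-looking file by classification."""
    result = {"intact": [], "encrypted": [], "unknown": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_mail_store_name(name):
                p = Path(dirpath) / name
                result[classify(p)].append(str(p))
    return result


def build_sample_tree() -> Path:
    """Constructed sample data: two intact mail stores, one encrypted, one decoy."""
    root = Path(tempfile.mkdtemp(prefix="ost_triage_"))
    user = root / "Users" / "jdoe" / "AppData" / "Local" / "Microsoft" / "Outlook"
    user.mkdir(parents=True)
    # Intact OST: valid magic followed by mostly-zero header padding.
    (user / "jdoe@example.com.ost").write_bytes(PST_MAGIC + b"\x00" * 8188)
    # Encrypted PST: random bytes plus an appended extension, no valid header.
    (user / "archive2019.pst.locked").write_bytes(os.urandom(8192))
    # Intact archive PST.
    (user / "archive2018.pst").write_bytes(PST_MAGIC + bytes(range(256)) * 4)
    # Decoy that must be ignored.
    (user / "notes.txt").write_bytes(b"not a mail store")
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    for bucket, paths in report.items():
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print("  ", p)
```

Point `triage()` at a mounted workstation image or a file-share copy of user profiles rather than at the live machine. The header check is necessary but not sufficient: some ransomware families encrypt only part of each file and leave the first bytes alone, so open each "intact" candidate in Outlook or a PST inspection tool before treating it as recovered mail.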
Over the next couple of weeks, the major milestones of the restoration project were completed in tight cooperation between Progent team members and the client:
- In-house web applications were brought back up with no loss of data.
- The MailStore email archive server, holding over four million historical Exchange messages, was spun up and made available to users.
- CRM/Product Ordering/Invoicing/AP/AR/Inventory Control functions were 100% restored.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- Nearly all of the user PCs were functioning as before the incident.
"So much of what happened that first week is mostly a blur for me, but my team will not soon forget the urgency all of your team accomplished to help get our company back. I have been working with Progent for the past 10 years, maybe more, and each time Progent has impressed me and delivered. This time was a stunning achievement."
A potential business-extinction event was averted thanks to hard-working professionals, a wide range of knowledge, and close collaboration. Post-incident forensics showed that the attack described here could have been blocked with current security technology, the NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and properly executed procedures for offline backups and patch management. Even so, ransomware operators, including government-sponsored actors from China, Russia, North Korea and elsewhere, are relentless and are not going away. If you do get hit by ransomware, remember that Progent's team of experts has a proven track record in crypto-ransomware defense, mitigation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thank you for letting me get some sleep after we made it through the initial push. All of you did an impressive job, and if anyone that helped is visiting the Chicago area, dinner is on me!"
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this case study, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Consulting Services in Cleveland
For ransomware system restoration consulting in the Cleveland metro area, call Progent at 800-462-8800 or go to Contact Progent.