Crypto-Ransomware: Your Feared IT Catastrophe
Ransomware has become an escalating cyberplague that poses an enterprise-level danger to businesses unprepared for an assault. Ransomware families such as CryptoLocker, Fusob, Locky, NotPetya and MongoLock have been in the wild for years and continue to inflict harm. Modern strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Egregor, along with frequent unnamed newcomers, not only encrypt on-line data but also seek out and encrypt or delete every reachable system restore point and backup. Data synchronized to cloud environments can be corrupted as well, because the sync client faithfully uploads the encrypted versions of the files. In a vulnerable environment this can render automated recovery impossible and effectively knocks the entire system back to square one.
Restoring services and data after a crypto-ransomware intrusion is a race against time as the targeted business fights to contain the spread, eradicate the malware and resume business-critical activity. Because crypto-ransomware needs time to spread, attacks are often triggered on weekends, when a successful penetration is likely to go undetected for longer. This compounds the difficulty of promptly assembling and coordinating an experienced response team.
Progent provides a range of services for protecting Corpus Christi businesses from ransomware incidents. These include user training to help staff recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of the latest generation of AI-assisted security solutions to rapidly detect and contain zero-day threats. Progent can also provide veteran ransomware recovery consultants with the skills and commitment to restore a breached environment as quickly as possible.
Progent's Crypto-Ransomware Recovery Services
After a ransomware penetration, even paying the ransom in Bitcoin provides no assurance that the criminals will hand over the keys needed to decrypt any of your files. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their data even after paying, compounding their losses. The exposure is also expensive: Ryuk ransoms frequently range from fifteen to forty BTC (roughly $120,000 to $400,000), far above the typical ransomware demand, which ZDNet estimated at around $13,000 for smaller organizations. The fallback is to rebuild the key components of your IT environment from scratch. Without usable backups of essential systems, this calls for a broad range of skills, professional project management, and the willingness to work non-stop until the job is done.
For twenty years, Progent has offered certified expert IT services to companies across the United States and has earned Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers holding high-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity experts hold internationally recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with financial systems and ERP applications. This breadth of expertise lets Progent quickly identify critical systems, gather the surviving pieces of your IT environment after a ransomware event, and reassemble them into a functioning network.
Progent's recovery group uses state-of-the-art project management tools to coordinate the complex recovery process. Progent appreciates the urgency of acting swiftly and in unison with a customer's management and IT staff to prioritize tasks and get key applications back on line as soon as possible.
Client Story: A Successful Ransomware Intrusion Response
A business contacted Progent after its network was taken over by Ryuk ransomware. Early reporting attributed Ryuk to North Korean state-sponsored groups because it shares code with the earlier Hermes ransomware; later analysis attributed it to Russian-speaking criminal groups. Ryuk targets specific businesses with little tolerance for operational disruption and is one of the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company in Chicago with around 500 staff. The Ryuk penetration had frozen all company operations and manufacturing. Most of the client's backups had been on-line at the start of the attack and were eventually encrypted. The client considered paying the ransom (in excess of $200K) and hoping for the best, but ultimately decided to engage Progent.
"I can't say enough about the support Progent gave us during the most fearful time of (our) company's life. We would have paid the cyber criminals if it wasn't for the confidence the Progent team gave us. The fact that you were able to get our messaging and important servers back into operation in less than a week was beyond my wildest dreams. Each expert I interacted with or e-mailed at Progent was totally committed to getting my company operational and was working at all hours to bail us out."
Progent worked hand in hand with the client to rapidly identify and prioritize the mission-critical applications that had to be restored to keep the company running:
- Active Directory (AD)
- Microsoft Exchange Server
To start, Progent followed incident response best practices for malware outbreaks by stopping lateral movement and isolating and cleaning infected systems. Progent then began rebuilding Microsoft Active Directory, the heart of enterprise environments built on Microsoft Windows Server. Microsoft Exchange Server will not run without Active Directory, and the customer's accounting and MRP system ran on Microsoft SQL Server, which relied on Windows AD authentication for access to the data.
In less than two days, Progent recovered Active Directory to its pre-attack state. Progent then assisted with reinstallation and disk recovery of mission-critical servers. The Microsoft Exchange Server data and configuration were still usable, which simplified the Exchange rebuild. Progent was also able to locate intact OST files (Outlook Offline Data Files) on staff desktops and laptops and use them to recover mailbox contents. A fairly recent offline backup of the business's accounting software made it possible to bring those essential applications back on line. Although significant work remained to recover fully from the Ryuk attack, critical services were returned to operation quickly:
"For the most part, the assembly line operation was never shut down and we produced all customer shipments."
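As an added example (not code from the original case study or from Progent), the following Python script shows one way to do the mail-salvage step described above: walk a recovered workstation's file system, find Outlook data files even when the ransomware has appended its own extension, and check each file's header to separate intact files from encrypted ones. Every valid PST/OST file begins with the 4-byte signature `!BDN`, so a file that has lost it was overwritten. The directory layout, file names and the `.locked` extension used in the demo tree are constructed for illustration; on a real engagement `triage_outlook_files()` would be pointed at a mounted image of the workstation.

```python
"""Triage Outlook data files (.ost/.pst) on a recovered workstation.

Added example, not part of the Progent case study. The directory tree
built by build_demo_tree() is constructed for the demo; point
triage_outlook_files() at a mounted image of a real workstation instead.
"""
import tempfile
from pathlib import Path

# Every PST/OST file starts with this 4-byte signature (the NDB header).
# A copy overwritten by ransomware will not, regardless of its extension.
OUTLOOK_MAGIC = b"!BDN"
OUTLOOK_SUFFIXES = {".ost", ".pst"}


def classify_outlook_file(path: Path) -> str:
    """Return 'intact', 'damaged' or 'unreadable' for one candidate file."""
    try:
        with Path(path).open("rb") as fh:
            header = fh.read(len(OUTLOOK_MAGIC))
    except OSError:
        return "unreadable"          # missing, locked, or permission denied
    return "intact" if header == OUTLOOK_MAGIC else "damaged"


def triage_outlook_files(root: Path) -> dict:
    """Map each Outlook data file under root to its status.

    Ransomware usually appends its own extension (mail.ost -> mail.ost.locked
    in the demo), so any suffix in the name counts, not only the last one.
    """
    results = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if {s.lower() for s in path.suffixes} & OUTLOOK_SUFFIXES:
            results[str(path)] = classify_outlook_file(path)
    return results


def summarize(results: dict) -> dict:
    """Count files per status, always returning all three keys."""
    counts = {"intact": 0, "damaged": 0, "unreadable": 0}
    for status in results.values():
        counts[status] += 1
    return counts


def build_demo_tree() -> Path:
    """Create a constructed profile tree: one intact OST, one encrypted PST
    and one unrelated file that must be ignored."""
    root = Path(tempfile.mkdtemp(prefix="ost-triage-"))
    profile = root / "Users" / "jsmith" / "AppData" / "Local" / "Microsoft" / "Outlook"
    profile.mkdir(parents=True)
    # Intact file: real signature followed by filler instead of real mailbox data.
    (profile / "jsmith@example.com.ost").write_bytes(OUTLOOK_MAGIC + b"\x00" * 508)
    # Encrypted file: signature gone, attacker extension appended (constructed).
    (profile / "archive2018.pst.locked").write_bytes(bytes(range(256)) * 2)
    (profile / "notes.txt").write_bytes(b"not a mail store")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    report = triage_outlook_files(demo_root)
    for file_path, status in sorted(report.items()):
        print(f"{status:10s} {file_path}")
    print(summarize(report))
```

The header check is a screening test, not proof of integrity: files reported as intact should still be opened in Outlook or validated with the Inbox Repair tool (scanpst.exe) before anyone relies on them, and both the originals and the salvage copies should be handled on an isolated, already-cleaned host so they are not encrypted a second time.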
Throughout the next few weeks key milestones in the restoration project were accomplished through close collaboration between Progent consultants and the customer:
- Self-hosted web sites were restored without losing any information.
- The MailStore archive server for Exchange, holding over 4 million historical messages, was brought back up and made available to users.
- CRM, orders, invoicing, accounts payable, accounts receivable (AR) and inventory functions were fully operational.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- 90% of user workstations were back in operation.
"Much of what occurred that first week is nearly entirely a haze for me, but I will not forget the commitment all of you accomplished to give us our company back. I have trusted Progent for the past ten years, maybe more, and each time Progent has come through and delivered. This event was a Herculean accomplishment."
A potential business-killing disaster was avoided thanks to top-tier professionals, a wide spectrum of subject matter expertise, and close teamwork. In hindsight, the ransomware attack described here would have been blunted by modern security technology and best practices: staff training, well-designed procedures for offline backups, and prompt software patching. The reality, however, is that state-sponsored and criminal attackers from China, Russia, North Korea and elsewhere are relentless and an ongoing threat. If you are hit by a ransomware incident, be assured that Progent's roster of professionals has substantial experience in crypto-ransomware defense, mitigation, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), I'm grateful for allowing me to get rested after we made it past the initial push. Everyone did an incredible job, and if anyone is in the Chicago area, dinner is on me!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer story, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)