Crypto-Ransomware : Your Crippling IT Disaster
Crypto-ransomware has become an escalating cyberplague that presents an enterprise-level danger to organizations poorly prepared for an assault. Different iterations of ransomware such as the CrySIS, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been out in the wild for years and continue to inflict harm. Newer ransomware families like Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, plus daily as-yet-unnamed malware, not only encrypt online data files but also infect any accessible system backups. Data synchronized to off-site disaster recovery sites can also be rendered useless. In a vulnerable system, this defeats automated restoration and effectively sets the datacenter back to square one.
Restoring programs and information following a ransomware outage becomes a sprint against time as the targeted organization fights to stop the spread, eradicate the ransomware and resume business-critical activity. Since ransomware takes time to replicate, assaults are often launched at night, when penetrations are likely to take longer to uncover. This multiplies the difficulty of promptly marshalling and orchestrating an experienced mitigation team.
Progent provides an assortment of solutions for protecting Springfield businesses from crypto-ransomware attacks. Among these are team training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus installation of modern security solutions with AI capabilities to quickly detect and extinguish new cyber attacks. Progent in addition offers the assistance of veteran crypto-ransomware recovery engineers with the talent and commitment to reconstruct a breached environment as urgently as possible.
Progent's Crypto-Ransomware Recovery Help
After a ransomware attack, sending the ransom in cryptocurrency does not provide any assurance that the attackers will respond with the keys needed to decrypt any or all of your information. Kaspersky estimated that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in increased losses. Paying is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the average crypto-ransomware demand, which ZDNET estimated to be in the range of $13,000 for smaller businesses. The other path is to re-install the vital parts of your Information Technology environment. Absent complete system backups, this calls for a broad range of IT skills, professional project management, and the ability to work 24x7 until the recovery project is complete.
For decades, Progent has provided certified expert IT services for companies across the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have earned advanced industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have garnered internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial management and ERP application software. This breadth of experience gives Progent the skills to efficiently identify critical systems, consolidate the surviving parts of your IT environment following a crypto-ransomware event, and rebuild them into a functioning system.
Progent's security team uses best-of-breed project management tools to coordinate the sophisticated recovery process. Progent understands the importance of working rapidly and together with a customer's management and Information Technology team members to prioritize tasks and to get essential services back on-line as fast as humanly possible.
Client Case Study: A Successful Ransomware Attack Response
A small business contacted Progent after their network was brought down by Ryuk ransomware. Ryuk is generally considered to have been created by North Korean government-sponsored hackers, suspected of using techniques leaked from America's NSA. Ryuk attacks specific organizations with limited tolerance for disruption and is among the most lucrative instances of ransomware malware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in the Chicago metro area with about 500 workers. The Ryuk attack had shut down all essential operations and manufacturing processes. Most of the client's backups had been on-line at the time of the intrusion and were encrypted. The client was pursuing financing to pay the ransom (exceeding $200K) and hoping for good luck, but ultimately made the decision to use Progent.
"I can't say enough about the support Progent gave us during the most critical time of (our) businesses life. We would have paid the Hackers if not for the confidence the Progent team afforded us. The fact that you could get our e-mail and production applications back into operation sooner than one week was beyond my wildest dreams. Each consultant I worked with or communicated with at Progent was urgently focused on getting us working again and was working all day and night on our behalf."
Progent worked together with the customer to quickly identify and prioritize the critical services that had to be recovered in order to restart company operations:
- Active Directory
- Electronic Messaging
- MRP System
To start, Progent followed ransomware incident response industry best practices by halting the spread and cleaning systems of malware. Progent then initiated the process of rebuilding Microsoft Active Directory (AD), the core of enterprise environments built on Microsoft technology. Microsoft Exchange Server messaging will not function without Active Directory, and the business's MRP system leveraged SQL Server, which needs Windows AD for authentication and authorization of access to the data.
In less than 48 hours, Progent was able to recover Active Directory to its pre-attack state. Progent then carried out reinstallations and hard drive recovery on the most important applications. All Exchange ties and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to find non-encrypted OST files (Outlook Offline Folder Files) on staff workstations and laptops to recover email data. A recent offline backup of the client's manufacturing software made it possible to bring these essential services back to users. Although a large amount of work still had to be done to recover fully from the Ryuk damage, the most important systems were recovered rapidly:
"For the most part, the production operation ran fairly normal throughout and we delivered all customer deliverables."
During the following month important milestones in the recovery project were accomplished through close collaboration between Progent team members and the customer:
- Self-hosted web sites were restored with no loss of information.
- The MailStore Exchange Server containing more than four million historical messages was spun up and accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/AR/Inventory Control modules were 100% restored.
- A new Palo Alto Networks 850 security appliance was set up.
- Nearly all of the user desktops and notebooks were fully operational.
"So much of what went on that first week is mostly a haze for me, but I will not soon forget the care each of your team accomplished to give us our company back. I've entrusted Progent for the past ten years, possibly more, and every time I needed help Progent has impressed me and delivered. This event was a testament to your capabilities."
A potential business-killing disaster was dodged with top-tier professionals, a wide spectrum of technical expertise, and tight collaboration. Forensics showed that the crypto-ransomware attack detailed here should have been identified and prevented by advanced security solutions and best practices, staff education, appropriate incident response procedures for information protection, and proper patching controls. Nonetheless, government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a ransomware incursion, be confident that Progent's team of professionals has a proven track record in ransomware blocking, cleanup, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were contributing), thanks very much for allowing me to get rested after we got over the initial fire. All of you did an impressive effort, and if anyone is around the Chicago area, dinner is my treat!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)