Crypto-Ransomware: Your Feared Information Technology Catastrophe
Ransomware has become a modern cyberplague that poses an existential danger to businesses of all sizes. Families such as Reveton, Fusob, Locky, SamSam and MongoLock have been circulating for years and continue to cause damage. Newer variants such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, along with malware that has yet to be named, not only encrypt online data but also encrypt every configured backup they can reach. Data synchronized to cloud environments can be encrypted as well. Against a vulnerable data protection design this makes automated restore operations hopeless and effectively knocks the datacenter back to zero.
Getting applications and information back after a ransomware event becomes a race against time as the targeted organization tries to contain and eradicate the ransomware and resume mission-critical operations. Because crypto-ransomware needs time to move laterally before it is detonated, attacks are usually launched on weekends and holidays, when a successful penetration typically goes undetected for longer. This multiplies the difficulty of promptly mobilizing and coordinating a capable response team.
Progent offers an assortment of services for protecting Springfield organizations from crypto-ransomware attacks. These include staff training to help employees recognize and avoid phishing attempts, and ProSight Active Security Monitoring (ASM), an endpoint detection and response service built on SentinelOne's AI-based threat defense to identify and stop zero-day malware. Progent can also provide veteran ransomware recovery consultants with the skills and perseverance to restore a breached system as quickly as possible.
Progent's Ransomware Restoration Help
After a ransomware penetration, paying the ransom in cryptocurrency provides no assurance that the remote criminals will hand over the keys needed to decrypt all your files. Kaspersky found that 17% of ransomware victims never recovered their files even after paying, compounding their losses. The ransom itself is also very costly: Ryuk demands frequently range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time), well above the typical ransomware demand, which ZDNet estimated at approximately $13,000 for small businesses. The other path is to rebuild the essential parts of your IT environment from scratch. Without access to essential data backups, this calls for a broad range of skills, professional project management, and the ability to work around the clock until the recovery is finished.
For two decades, Progent has provided professional IT services to businesses throughout the United States and has earned Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals holding advanced industry certifications in foundation technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security experts hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC (see Progent's certifications). Progent also has expertise in financial systems and ERP software. This breadth of expertise enables Progent to efficiently identify critical systems, organize the surviving parts of your IT environment after a ransomware penetration, and rebuild them into a functioning system.
Progent's ransomware team uses professional project management tools to coordinate the complex recovery process. Progent appreciates the importance of working swiftly and in concert with a customer's management and IT staff to prioritize tasks and bring critical services back online as soon as possible.
Customer Story: A Successful Crypto-Ransomware Virus Recovery
A small business engaged Progent after its network was hit by the Ryuk ransomware. Ryuk was at first widely attributed to North Korean state-linked actors, although later analysis tied it to Russian-speaking criminal groups, possibly using exploit code leaked from the US NSA. Ryuk targets specific companies with little tolerance for disruption and is among the most lucrative ransomware operations. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in Chicago with about 500 employees. The Ryuk penetration had shut down all business and manufacturing operations. Most of the client's backups had been online at the time of the intrusion and were eventually encrypted. The client was considering paying the ransom (over $200K) and hoping for the best, but ultimately brought in Progent.
"I can't speak enough in regard to the care Progent gave us throughout the most stressful period of (our) business's survival. We would have had little choice but to pay the cyber criminals behind the attack if not for the confidence the Progent group gave us. That you could get our e-mail system and critical applications back online in less than 1 week was something I thought impossible. Every single expert I talked with or messaged at Progent was urgently focused on getting us back online and was working 24/7 on our behalf."
Progent worked hand in hand with the customer to rapidly identify and prioritize the critical systems that had to be recovered in order to restart departmental functions:
- Microsoft Active Directory
- Microsoft Exchange Email
To begin, Progent followed ransomware incident response best practices by stopping the spread and cleaning up infected systems. Progent then began recovering Windows Active Directory, the foundation of enterprise environments built on Microsoft technology. Exchange email will not function without Active Directory, and the customer's accounting and MRP applications ran on Microsoft SQL Server, which relied on Active Directory to authenticate access to the databases.
In less than two days, Progent rebuilt Windows Active Directory to its pre-attack state. Progent then began reinstalling and recovering storage on mission-critical servers. All Exchange Server links and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to gather unencrypted OST files (Microsoft Outlook Offline Data Files) from various desktop computers to recover mail messages. A reasonably recent offline backup of the company's financial/MRP software made it possible to bring those essential applications back online. Although considerable work remained to recover fully from the Ryuk attack, the most important services were restored quickly:
"For the most part, the production operation ran fairly normally throughout and we produced all customer deliverables."
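The OST salvage step described above, as an added example that is not Progent's own tooling: a Python script that walks a mounted workstation image or user-profile root, finds Outlook OST/PST files (including ones a renaming ransomware has given an extra extension), and checks each for the "!BDN" magic bytes that every intact PST/OST header begins with, so that only usable files are handed to the mailbox rebuild. The profile tree it builds is constructed for the demonstration; the paths, file names and bucket names are assumptions.

```python
"""Triage Outlook OST/PST files on recovered workstations before mailbox reconstruction."""
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Every Outlook PST/OST file begins with the magic bytes "!BDN" (dwMagic = 0x4E444221).
# Whole-file encryption by ransomware destroys this header, so a file whose first bytes
# are not "!BDN" is not worth importing; the rest of the header is not validated here.
OST_MAGIC = b"!BDN"
HEADER_LEN = 512  # enough to read the magic plus the first header bytes


def classify_ost(path: Path) -> str:
    """Return 'intact', 'damaged' or 'unreadable' for one candidate OST/PST file."""
    try:
        with path.open("rb") as fh:
            header = fh.read(HEADER_LEN)
    except OSError:
        return "unreadable"
    if len(header) < len(OST_MAGIC):
        return "damaged"  # truncated stub, cannot hold even the magic
    return "intact" if header.startswith(OST_MAGIC) else "damaged"


def scan_for_ost(root: Path) -> Dict[str, List[Path]]:
    """Walk a mounted workstation image or profile root and bucket every OST/PST file."""
    results: Dict[str, List[Path]] = {"intact": [], "damaged": [], "unreadable": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            # Deliberately broad filter: ".ost" or ".pst" anywhere in the name, so files a
            # renaming ransomware left as "mailbox.ost.<ext>" are still examined.
            lower = name.lower()
            if ".ost" in lower or ".pst" in lower:
                full = Path(dirpath) / name
                results[classify_ost(full)].append(full)
    return results


def triage_report(root: Path) -> Dict[str, int]:
    """Return counts per bucket; the 'intact' list is what the Exchange import should use."""
    return {bucket: len(paths) for bucket, paths in scan_for_ost(root).items()}


def build_sample_tree(root: Path) -> None:
    """Create constructed sample files (not real mailboxes) so the example runs offline."""
    profile = root / "Users" / "alice" / "AppData" / "Local" / "Microsoft" / "Outlook"
    profile.mkdir(parents=True, exist_ok=True)
    # Constructed intact file: correct magic followed by zero padding.
    (profile / "alice@example.com.ost").write_bytes(OST_MAGIC + b"\x00" * 1020)
    # Constructed encrypted-looking file: header replaced by non-magic bytes and given an
    # extra extension, as a renaming ransomware might leave it.
    (profile / "archive.pst.encrypted").write_bytes(bytes(range(256)) * 4)
    # Constructed truncated file: too short to hold even the magic.
    (profile / "stub.ost").write_bytes(b"!B")


def demo() -> Dict[str, int]:
    """Build the constructed sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage_report(root)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        for bucket, paths in scan_for_ost(Path(tmp)).items():
            for p in paths:
                print(f"{bucket:10s} {p}")
```

In a real engagement, point `scan_for_ost` at the mount point of each workstation's disk image and copy only the `intact` files to the recovery share; a header check is cheap enough to run across every machine before anyone spends time opening mailboxes that cannot be read.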
Over the following month, important milestones in the restoration project were reached in close collaboration between Progent consultants and the customer:
- In-house web sites were brought back up with no loss of data.
- The MailStore archive for Microsoft Exchange Server, holding over 4 million historical messages, was restored to operation and made accessible to users.
- CRM, orders, invoicing, accounts payable, accounts receivable (AR) and inventory functions were 100 percent recovered.
- A new Palo Alto Networks PA-850 firewall was brought online.
- Nearly all of the desktop computers were fully operational.
"A huge amount of what occurred those first few days is nearly entirely a haze for me, but my management will not soon forget the care each of you put in to give us our business back. I have been working with Progent for the past 10 years, possibly more, and every time I needed help Progent has impressed me and delivered. This time was a testament to your capabilities."
A probable business-extinction event was avoided through results-oriented professionals, a broad array of expertise, and close collaboration. Although in retrospect the ransomware penetration described here could have been prevented with current security solutions and ISO/IEC 27001 best practices, staff training, proper backup procedures (including backups kept offline), and disciplined patch management, the reality is that attackers, including state-sponsored groups from China, North Korea and elsewhere, are tireless and will keep trying. If you are hit by a ransomware incursion, be assured that Progent's roster of professionals has substantial experience in ransomware defense, remediation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were helping), thanks very much for allowing me to get some sleep after we made it through the initial fire. All of you did an impressive job, and if any of your guys are visiting the Chicago area, dinner is my treat!"
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this customer story, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Recovery Expertise in Springfield
For ransomware system restoration consulting in the Springfield metro area, call Progent at 800-462-8800 or go to Contact Progent.