Crypto-Ransomware: Your Feared Information Technology Disaster
Ransomware has become a modern cyber pandemic that presents an enterprise-level threat for organizations poorly prepared for an attack. Different iterations of ransomware such as Dharma, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for many years and still cause harm. Newer versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, plus more unnamed newcomers, not only encrypt on-line information but also infect any configured system backup. Information replicated to off-site disaster recovery sites can also be rendered useless. In a vulnerable environment, it can render automated restore operations useless and basically knocks the network back to square one.
Recovering applications and data following a ransomware event becomes a sprint against the clock as the targeted business fights to contain and eradicate the ransomware and to resume mission-critical activity. Because crypto-ransomware needs time to spread, attacks are frequently launched at night, when successful attacks may take more time to discover. This multiplies the difficulty of rapidly mobilizing and organizing a capable mitigation team.
Progent offers a variety of services for protecting Chandler enterprises from ransomware attacks. These include staff training to become familiar with and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of modern security gateways with AI technology to quickly identify and suppress new cyber threats. Progent in addition offers the services of experienced ransomware recovery consultants with the talent and commitment to restore a compromised system as urgently as possible.
Progent's Ransomware Restoration Services
Subsequent to a ransomware penetration, sending the ransom in Bitcoin cryptocurrency does not provide any assurance that the criminal gang will supply the keys needed to decipher any or all of your files. Kaspersky ascertained that seventeen percent of ransomware victims never restored their information after having sent off the ransom, resulting in additional losses. The ransom itself is also expensive. Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000). This is greatly above typical ransomware demands, which ZDNET determined to be in the range of $13,000 for smaller organizations. The fallback is to set up from scratch the vital elements of your IT environment. Without the availability of essential data backups, this requires a wide range of IT skills, top-notch project management, and the willingness to work continuously until the task is finished.
For twenty years, Progent has offered expert IT services for companies across the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have earned advanced certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have garnered internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise in financial management and ERP software solutions. This breadth of experience gives Progent the ability to knowledgeably identify important systems, organize the surviving parts of your network after a crypto-ransomware penetration, and rebuild them into a functioning network.
Progent's security team of experts utilizes best-of-breed project management systems to coordinate the sophisticated restoration process. Progent understands the importance of working swiftly and in concert with a client's management and Information Technology team members to prioritize tasks and to get the most important systems back online as soon as possible.
Client Story: A Successful Ransomware Attack Recovery
A customer contacted Progent after their company was penetrated by Ryuk ransomware. Ryuk is thought to have been created by North Korean government-sponsored cybercriminals, possibly adopting techniques leaked from the U.S. NSA. Ryuk attacks specific organizations with limited tolerance for operational disruption and is one of the most lucrative instances of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturer located in Chicago with about 500 employees. The Ryuk attack had paralyzed all business operations and manufacturing processes. The majority of the client's system backups had been directly accessible from the network at the time of the attack and were eventually encrypted. The client was pursuing financing to pay the ransom (in excess of two hundred thousand dollars) and hoping for good luck, but in the end called Progent.
"I cannot speak enough about the support Progent provided us during the most critical time of (our) business's survival. We would have paid the hackers if it wasn't for the confidence the Progent experts provided us. The fact that you could get our e-mail and essential servers back faster than 1 week was incredible. Each expert I interacted with or communicated with at Progent was absolutely committed to getting our system up and was working all day and night to bail us out."
Progent worked hand in hand with the customer to rapidly understand and prioritize the critical systems that needed to be addressed in order to resume company operations:
- Microsoft Active Directory
- Electronic Messaging
- MRP System
To start, Progent followed ransomware incident mitigation industry best practices by stopping the spread and cleaning the malware from infected systems. Progent then started the steps of rebuilding Windows Active Directory, the heart of enterprise systems built on Microsoft technology. Microsoft Exchange email will not work without Windows AD, and the customer's MRP software utilized Microsoft SQL, which requires Windows AD for authentication to the databases.
In less than 48 hours, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then completed setup and hard drive recovery of mission-critical servers. All Exchange Server data and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was also able to collect intact OST files (Outlook Offline Data Files) from user PCs and laptops to recover mail messages. A recent offline backup of the client's financials/ERP systems made it possible to restore these required applications to serving users. Although significant work still had to be done to recover fully from the Ryuk damage, core systems were returned to operation rapidly:
"For the most part, the manufacturing operation showed little impact and we did not miss any customer orders."
Throughout the following month key milestones in the restoration process were completed in tight collaboration between Progent engineers and the client:
- Internal web sites were brought back up without losing any information.
- The MailStore Server with over 4 million archived emails was brought on-line and accessible to users.
- CRM/Customer Orders/Invoicing/AP/AR/Inventory capabilities were 100 percent functional.
- A new Palo Alto Networks 850 firewall was installed and configured.
- Ninety percent of the user workstations were fully operational.
"A huge amount of what happened in the initial days is nearly entirely a haze for me, but our team will not soon forget the countless hours each of your team put in to give us our business back. I've been working with Progent for the past 10 years, maybe more, and each time Progent has shined and delivered. This event was no exception but maybe more Herculean."
A probable enterprise-killing catastrophe was dodged due to top-tier professionals, a wide spectrum of knowledge, and close collaboration. Although in hindsight the ransomware attack detailed here could have been identified and disabled with current security solutions and NIST Cybersecurity Framework best practices, staff education, and appropriate incident response procedures for information backup and proper patching controls, the reality is that government-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a crypto-ransomware attack, remember that Progent's team of experts has extensive experience in ransomware virus defense, remediation, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were contributing), I'm grateful for allowing me to get rested after we got through the initial fire. All of you did a fabulous job, and if any of your team is around the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)