Crypto-Ransomware : Your Worst IT Nightmare
Ransomware has become an escalating cyberplague that poses an enterprise-level danger for businesses of all sizes unprepared for an assault. Ransomware families such as CryptoLocker, Fusob, Bad Rabbit, SamSam and the MongoLock cryptoworm have been circulating for years and continue to cause harm. More recent ransomware strains like Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, along with additional as yet unnamed variants, not only encrypt online data but also defeat many of the protections commonly deployed on systems. Data synchronized to cloud environments can also be encrypted. In a vulnerable environment, this can render any restoration impossible and effectively knocks the entire system back to square one.
Getting programs and data back after a ransomware attack becomes a race against the clock as the victim fights to stop lateral movement, clear the crypto-ransomware and resume business-critical activity. Because ransomware takes time to spread, intrusions are usually launched on weekends and holidays, when attacks typically take longer to recognize. This compounds the difficulty of quickly mobilizing and organizing an experienced response team.
Progent makes available an assortment of solutions for protecting Porto Alegre enterprises from ransomware penetrations. These include staff training to become familiar with and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of modern security solutions with AI capabilities to automatically identify and quarantine new cyber threats. Progent also can provide the assistance of veteran crypto-ransomware recovery engineers with the talent and commitment to restore a breached network as soon as possible.
Progent's Crypto-Ransomware Restoration Services
Following a ransomware intrusion, paying the ransom in Bitcoin cryptocurrency does not ensure that the criminal gang will respond with the keys needed to decrypt any or all of your files. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their files even after having sent off the ransom, resulting in increased losses. The ransom itself is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the typical crypto-ransomware demand, which ZDNET estimated to be in the range of $13,000 for small organizations. The alternative is to piece back together the mission-critical components of your Information Technology environment. Absent the availability of full data backups, this calls for a wide range of skills, well-coordinated project management, and the willingness to work non-stop until the task is done.
For decades, Progent has made available professional Information Technology services for businesses across the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have attained advanced certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have earned internationally-recognized certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications). Progent in addition has expertise in financial management and ERP software solutions. This breadth of expertise gives Progent the ability to rapidly understand necessary systems and re-organize the surviving components of your computer network environment following a crypto-ransomware penetration and assemble them into a functioning system.
Progent's security team of experts uses best of breed project management systems to orchestrate the complicated recovery process. Progent understands the urgency of acting rapidly and in concert with a client's management and Information Technology team members to prioritize tasks and to get the most important services back on-line as fast as humanly possible.
Case Study: A Successful Ransomware Intrusion Response
A client hired Progent after their network was penetrated by Ryuk ransomware. Ryuk is believed to have been developed by North Korean state-sponsored hackers, possibly adopting algorithms leaked from the U.S. NSA. Ryuk targets specific companies with limited tolerance for disruption and is one of the most profitable instances of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing company located in the Chicago metro area with around 500 staff members. The Ryuk event had shut down all essential operations and manufacturing processes. Most of the client's data backups had been online at the start of the attack and were encrypted. The client was taking steps to pay the ransom demand (in excess of $200,000) and praying for good luck, but in the end called Progent.
"I can't speak enough in regards to the care Progent gave us during the most fearful period of (our) business's existence. We would have paid the cyber criminals if it wasn't for the confidence the Progent group gave us. The fact that you could get our e-mail system and important applications back sooner than one week was beyond my wildest dreams. Every single expert I talked with or e-mailed at Progent was absolutely committed to getting our system up and was working 24/7 on our behalf."
Progent worked with the client to quickly identify and prioritize the mission-critical systems that needed to be recovered to make it possible to continue company operations:
- Active Directory (AD)
- Microsoft Exchange Email
- MRP System
To begin, Progent adhered to ransomware incident response best practices by stopping the spread and performing malware removal steps. Progent then began the process of recovering Active Directory, the heart of enterprise environments built on Microsoft Windows technology. Microsoft Exchange email will not function without Windows AD, and the customer's accounting and MRP applications relied on Microsoft SQL Server, which depends on Windows AD for authentication to the databases.
In less than 48 hours, Progent was able to rebuild Active Directory to its pre-infection state. Progent then helped with the rebuilding and hard drive recovery of mission-critical systems. All Exchange schema and attributes were usable, which facilitated the restore of Exchange. Progent was also able to collect local OST files (Microsoft Outlook Off-Line Data Files) from staff desktop computers and laptops in order to recover mail messages. A relatively recent off-line backup of the customer's financials/ERP software made it possible to bring these required applications back online for users. Although significant work still needed to be completed to recover fully from the Ryuk event, the most important systems were recovered rapidly:
"For the most part, the production operation showed little impact and we did not miss any customer deliverables."
Over the following few weeks important milestones in the recovery project were made through tight cooperation between Progent engineers and the customer:
- In-house web sites were restored without losing any information.
- The MailStore Server, holding more than 4 million historical emails, was brought on-line and made available to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control capabilities were 100 percent operational.
- A new Palo Alto Networks 850 firewall was installed.
- Nearly all of the desktop computers were functioning as before the incident.
"A huge amount of what went on those first few days is nearly entirely a blur for me, but I will not soon forget the dedication each of the team accomplished to give us our company back. I have entrusted Progent for the past 10 years, possibly more, and every time I needed help Progent has shined and delivered. This situation was a life saver."
A potentially business-ending catastrophe was avoided through the efforts of dedicated experts, a wide spectrum of IT skills, and tight collaboration. Although in retrospect the ransomware incident detailed here could have been stopped with modern cyber security systems and NIST Cybersecurity Framework best practices, staff education, and well thought out procedures for data backup and software patching, the fact is that state-sponsored cyber criminals from China, North Korea and elsewhere are relentless and remain an ongoing threat. If you do get hit by a ransomware incident, remember that Progent's roster of experts has proven experience in ransomware blocking, remediation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thanks very much for allowing me to get rested after we got through the first week. Everyone did an impressive job, and if any of your guys are in the Chicago area, a great meal is the least I can do!"
Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)