Crypto-Ransomware: Your Worst Information Technology Catastrophe
Crypto-ransomware has become an all-too-frequent cyber pandemic and an enterprise-level threat to businesses of every size. Multiple generations of ransomware, including the Dharma, Fusob, Locky, SamSam and MongoLock cryptoworms, have been circulating for years and still inflict havoc. Newer strains such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, along with a steady stream of unnamed newcomers, not only encrypt on-line data but also infect all configured system backups. Data synchronized to off-site disaster recovery sites can be rendered useless as well. In a poorly designed environment this makes automated recovery hopeless and effectively sets the datacenter back to zero.
Recovering applications and data after a ransomware intrusion becomes a race against the clock as the targeted business works to contain and remove the ransomware and to resume business-critical activity. Because crypto-ransomware needs time to spread, attacks are often launched on weekends, when intrusions typically take longer to discover. This compounds the difficulty of promptly assembling and coordinating an experienced response team.
Progent offers a range of support services for protecting Albuquerque enterprises from crypto-ransomware intrusions. These include user training to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and the setup and configuration of modern security gateways with machine learning technology that automatically identifies and blocks zero-day cyber attacks. Progent also provides expert ransomware recovery consultants with the track record and perseverance to restore a breached environment as urgently as possible.
Progent's Crypto-Ransomware Recovery Help
After a crypto-ransomware event, paying the ransom in Bitcoin does not ensure that remote criminals will provide the keys needed to decrypt any or all of your data. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their files even after paying the ransom, compounding their losses. The ransom itself is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the average ransomware demand, which ZDNET determined to be around $13,000 for smaller organizations. The other path is to rebuild the vital elements of your IT environment. Without full system backups, this calls for a wide range of IT skills, top-notch project management, and the ability to work 24x7 until the job is done.
For two decades, Progent has provided certified expert IT services for companies throughout the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who hold high-level industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have earned internationally recognized certifications including CISM, CISSP, CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience with accounting and ERP application software. This breadth of experience gives Progent the ability to quickly understand critical systems, re-organize the remaining parts of your IT environment after a ransomware attack, and assemble them into an operational network.
Progent's security group has top-notch project management tools to coordinate the complicated restoration process. Progent understands the importance of acting rapidly and in unison with a client's management and IT staff to prioritize tasks and bring critical systems back on line as soon as possible.
Client Case Study: A Successful Crypto-Ransomware Intrusion Response
A small business hired Progent after its network was attacked by Ryuk ransomware. Ryuk is believed to have been created by North Korean state-sponsored hackers, possibly using techniques leaked from the U.S. NSA. Ryuk targets specific companies with little or no tolerance for disruption and is among the most profitable ransomware strains. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer based in Chicago with about 500 staff members. The Ryuk intrusion had paralyzed all company operations and manufacturing processes. Most of the client's backups had been on-line at the start of the intrusion and were eventually encrypted. The client was pursuing financing to pay the ransom (exceeding $200,000) and hoping for the best, but in the end reached out to Progent.
"I can't tell you enough about the care Progent gave us during the most fearful time of (our) business's existence. We most likely would have paid the cybercriminals except for the confidence the Progent experts provided us. The fact that you were able to get our e-mail and critical servers back into operation in less than a week was earth shattering. Each expert I interacted with or communicated with at Progent was laser focused on getting my company operational and was working all day and night on our behalf."
Progent worked with the customer to rapidly understand and prioritize the critical elements that had to be restored in order to restart departmental functions:
- Microsoft Active Directory
- Accounting and Manufacturing Software
To begin, Progent followed antivirus/malware incident response best practices by stopping the spread and cleaning up compromised systems. Progent then began recovering Windows Active Directory, the foundation of enterprise networks built on Microsoft Windows technology. Microsoft Exchange messaging will not function without Windows AD, and the client's financials and MRP software used SQL Server, which relies on Windows AD for authentication to the data.
Within 2 days, Progent was able to restore Active Directory services to their pre-attack state. Progent then completed reinstallations and storage recovery for mission-critical applications. All Exchange data and configuration information were intact, which accelerated the restoration of Exchange. Progent was also able to collect unencrypted OST files (Outlook Offline Folder Files) from various workstations in order to recover mail messages. A recent off-line backup of the customer's financials/MRP software made it possible to restore these essential applications and make them available to users again. Although a great deal of work remained to fully recover from the Ryuk damage, core systems were returned to operation rapidly:
"For the most part, the production line operation did not miss a beat and we made all customer orders."
During the following few weeks, key milestones in the recovery process were achieved through close collaboration between Progent team members and the customer:
- Internal web applications were brought back up without losing any data.
- The MailStore Microsoft Exchange Server containing more than 4 million archived messages was brought on-line and available for users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/AR/Inventory Control functions were 100 percent functional.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- 90% of the user workstations were functioning as before the incident.
"A huge amount of what occurred that first week is nearly entirely a fog for me, but I will not soon forget the dedication all of the team put in to give us our business back. I've been working with Progent for at least 10 years, possibly more, and each time Progent has outperformed my expectations and delivered. This time was a life saver."
A potentially enterprise-killing catastrophe was averted through results-oriented professionals, a wide spectrum of knowledge, and close teamwork. Although, in post mortem, the ransomware intrusion described here could have been identified and disabled with current cyber security systems, recognized best practices, user training, and properly executed security procedures for backups and patching controls, the reality remains that state-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and are not going away. If you are hit by a crypto-ransomware intrusion, remember that Progent's team of professionals has extensive experience in crypto-ransomware defense, remediation, and file disaster recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for making it so I could get rested after we got past the initial fire. Everyone made an impressive effort, and if anyone that helped is in the Chicago area, a great meal is the least I can do!"
Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer case study, see Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware Cleanup Services in Albuquerque
For ransomware cleanup services in the Albuquerque metro area, phone Progent at 800-462-8800 or see Contact Progent.