Crypto-Ransomware: Your Worst Information Technology Disaster
Crypto-ransomware has become an escalating cyberplague that poses an extinction-level threat to businesses of any size that are poorly prepared for an attack. Multiple generations of ransomware such as the CryptoLocker, Fusob, Locky, Syskey and MongoLock cryptoworms have been replicating for years and still cause harm. Modern crypto-ransomware variants like Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Nephilim, along with daily unnamed strains, not only encrypt online files but also attack every system-protection mechanism they can reach. Data synchronized to off-site disaster recovery sites can be corrupted as well. In a vulnerable environment this can render any recovery useless and effectively knocks the entire system back to zero.
Recovering programs and data after a ransomware event becomes a race against time as the targeted organization works to contain the spread, remove the malware, and resume business-critical operations. Because ransomware needs time to move laterally, attacks are frequently launched at night, when a successful intrusion typically takes longer to detect. This compounds the difficulty of rapidly assembling and orchestrating an experienced mitigation team.
Progent provides a range of services for protecting Albuquerque enterprises from crypto-ransomware attacks. These include staff training to help employees recognize and avoid phishing exploits, and ProSight Active Security Monitoring, an endpoint detection and response (EDR) service built on SentinelOne's AI-based threat defense that detects and quarantines zero-day malware. Progent also offers the services of seasoned ransomware recovery engineers with the skills and commitment to redeploy a compromised system as urgently as possible.
Progent's Ransomware Restoration Help
After a ransomware attack, even paying the ransom in Bitcoin provides no assurance that the criminal gang will hand over the keys to decrypt any of your data. Kaspersky found that 17% of ransomware victims never recovered their data after paying the ransom, compounding their losses. Paying is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000). This is far higher than the typical ransomware demand, which ZDNET determined to be approximately $13,000 for smaller businesses. The alternative is to rebuild the critical components of your IT environment from scratch. Without access to usable data backups, this requires a broad range of skill sets, well-coordinated team management, and the willingness to work around the clock until the job is finished.
For decades, Progent has provided expert IT services to businesses throughout the US and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals with advanced certifications in foundation technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity consultants hold internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise in accounting and ERP software. This breadth of experience allows Progent to understand the systems that matter, consolidate the surviving pieces of your network after a crypto-ransomware event, and rebuild them into an operational system.
Progent's security group uses robust project management systems to orchestrate the complex restoration process. Progent understands the urgency of working swiftly and in unison with a client's management and IT staff to prioritize tasks and to bring critical applications back online as fast as humanly possible.
Customer Case Study: A Successful Ransomware Attack Restoration
A client sought out Progent after their organization was brought down by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state-sponsored hackers, possibly using tooling leaked from the United States NSA. Ryuk targets specific companies with little or no tolerance for operational disruption and is one of the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing business headquartered in Chicago with around 500 employees. The Ryuk intrusion had halted all essential business and manufacturing processes. Most of the client's backups were online when the attack began and were eventually encrypted as well. The client was actively seeking loans to pay the ransom (more than $200K) and hoping for the best, but in the end called Progent.
"I can't thank you enough in regards to the support Progent provided us during the most critical period of (our) business's life. We had little choice but to pay the cyber criminals if not for the confidence the Progent group provided us. The fact that you could get our messaging and critical servers back online in less than 1 week was incredible. Each expert I spoke to or texted at Progent was totally committed to getting us operational and was working 24/7 to bail us out."
Progent worked with the customer to rapidly identify and prioritize the key services that had to be restored before business operations could restart:
- Microsoft Active Directory
- Exchange Server
- Accounting and Manufacturing Software
First, Progent followed ransomware mitigation best practices by stopping the spread and cleaning infected systems. Progent then began rebuilding Microsoft Active Directory, the heart of enterprise environments built on Microsoft Windows Server. Exchange messaging will not operate without Windows AD, and the customer's MRP applications ran on Microsoft SQL Server, which depends on Windows AD for access to the data.
Within 2 days, Progent had recovered Active Directory services to their pre-attack state. Progent then assisted with the setup and hard drive recovery of the remaining required systems. All Exchange Server schema and configuration information was intact, which accelerated the rebuild of Exchange. Progent located intact OST files (Microsoft Outlook Offline Data Files) on staff PCs and used them to recover email messages. A reasonably recent offline backup of the business's accounting/MRP software made it possible to bring these vital applications back online. Although a great deal of work remained to recover fully from the Ryuk damage, essential services were restored rapidly:
"For the most part, the assembly line operation did not miss a beat and we made all customer shipments."
Over the following couple of weeks, further milestones in the restoration were reached through close collaboration between Progent team members and the customer:
- Internal web applications were restored with no loss of data.
- The MailStore Server, holding more than four million archived messages, was brought online and made available to users.
- CRM, Customer Orders, Invoices, Accounts Payable, Accounts Receivable (AR) and Inventory Control functions were fully operational.
- A new Palo Alto Networks 850 firewall was deployed.
- Nearly all user PCs were fully operational.
"A huge amount of what was accomplished those first few days is mostly a blur for me, but our team will not forget the dedication each and every one of your team put in to give us our business back. I have utilized Progent for the past 10 years, possibly more, and every time Progent has impressed me and delivered. This situation was a stunning achievement."
A likely business-killing catastrophe was averted through hard-working professionals, a wide array of IT skills, and tight collaboration. In hindsight, the crypto-ransomware intrusion described here would have been blocked by current security technology and best practices, user training, and well-thought-out incident response procedures for data protection and software patching. The reality remains, however, that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a crypto-ransomware intrusion, you can be confident that Progent's roster of experts has substantial experience in ransomware defense, mitigation, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were helping), thank you for letting me get rested after we made it over the most critical parts. All of you did an incredible job, and if any of your guys are around the Chicago area, a great meal is the least I can do!"
Download the Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this customer case study, click: Progent's Ransomware Incident Recovery Case Study Datasheet (PDF - 282 KB).
Contact Progent for Ransomware System Restoration Consulting in Albuquerque
For ransomware system restoration expertise in the Albuquerque area, call Progent at 800-462-8800 or visit Contact Progent.