Crypto-Ransomware: Your Most Feared Information Technology Catastrophe
Ransomware has become a modern cyber plague and an existential threat for organizations that are poorly prepared for an attack. Strains such as CryptoLocker, CryptoWall, Bad Rabbit, SamSam and MongoLock have been circulating for years and still cause havoc. More recent families such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, along with many unnamed variants, not only encrypt critical online data but also defeat much of the protection an organization has configured. Data synchronized to an off-site disaster recovery site can be encrypted as well, because replication faithfully copies the ciphertext over the last good copy. In a poorly designed environment this makes automated recovery impossible and effectively sets the datacenter back to square one.
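The replication problem above has a practical mitigation: a sync job should look at what it is about to copy before it overwrites the DR copy. The following Python script is an added example, not Progent's tooling or anything from the original page. It samples each file in a backup source tree, flags high-entropy content, ransomware-style extensions and ransom-note filenames, and returns a verdict on whether replication should proceed. The indicator lists, thresholds, the sample file names and the constructed sample tree are all assumptions for illustration.

```python
"""Pre-replication gate for a backup source tree (added example, not
Progent's tooling): refuse to sync a tree that shows signs of mass
encryption, so the last good copy at the DR site is not overwritten."""
import math
import os
import tempfile
from pathlib import Path

# Indicator lists are assumptions for this example, not a complete IOC set.
SUSPECT_EXTENSIONS = {".ryk", ".encrypted", ".locked", ".crypt"}
SUSPECT_NOTE_NAMES = {"ryukreadme.txt", "ryukreadme.html", "how_to_decrypt.txt"}

ENTROPY_THRESHOLD = 7.2        # bits per byte; ciphertext sits close to 8.0
MIN_SAMPLE_BYTES = 256         # entropy of very small files is not meaningful
SAMPLE_BYTES = 64 * 1024       # read at most this much from each file
MAX_HIGH_ENTROPY_RATIO = 0.20  # tune per tree: archives and media raise the baseline


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_file(path: Path) -> dict:
    """Collect the encryption indicators visible on a single file."""
    with path.open("rb") as f:
        sample = f.read(SAMPLE_BYTES)
    entropy = shannon_entropy(sample) if len(sample) >= MIN_SAMPLE_BYTES else 0.0
    return {
        "path": str(path),
        "entropy": round(entropy, 2),
        "high_entropy": entropy >= ENTROPY_THRESHOLD,
        "suspect_extension": path.suffix.lower() in SUSPECT_EXTENSIONS,
        "ransom_note": path.name.lower() in SUSPECT_NOTE_NAMES,
    }


def assess_tree(root) -> dict:
    """Walk the tree and decide whether replication should proceed."""
    results = [inspect_file(p) for p in Path(root).rglob("*") if p.is_file()]
    high = sum(r["high_entropy"] for r in results)
    report = {
        "files": len(results),
        "high_entropy": high,
        "high_entropy_ratio": high / len(results) if results else 0.0,
        "suspect_extensions": sum(r["suspect_extension"] for r in results),
        "ransom_notes": sum(r["ransom_note"] for r in results),
    }
    # Any ransom note or renamed file is decisive; entropy alone is a ratio test
    # because legitimately compressed files also score high.
    report["replicate"] = (
        report["ransom_notes"] == 0
        and report["suspect_extensions"] == 0
        and report["high_entropy_ratio"] <= MAX_HIGH_ENTROPY_RATIO
    )
    return report


def build_sample_tree(root, ransomed: bool) -> Path:
    """Constructed sample data: five text documents, optionally replaced by
    random bytes under a .ryk name plus a ransom note, as an encryptor
    would leave them. File names and contents are invented for this example."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    for i in range(5):
        (root / f"report{i}.txt").write_text("quarterly figures, line\n" * 100)
    if ransomed:
        for i in range(4):
            (root / f"report{i}.txt").unlink()
            (root / f"report{i}.txt.ryk").write_bytes(os.urandom(8192))
        (root / "RyukReadMe.txt").write_text("your network has been penetrated\n")
    return root


def demo(ransomed: bool) -> dict:
    """Assess a constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return assess_tree(build_sample_tree(tmp, ransomed))


if __name__ == "__main__":
    print("clean tree:   ", demo(ransomed=False))
    print("ransomed tree:", demo(ransomed=True))
```

Run `assess_tree` against the source path in the pre-job hook of the replication tool and abort the job when `replicate` is false. The entropy ratio needs a baseline measured on the real tree, since archives, images and already-encrypted files score near 8.0 by design, and the gate is a complement to offline or immutable backup copies, not a substitute for them.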
Recovering applications and data after a crypto-ransomware intrusion becomes a race against time as the targeted business works to stop lateral movement, eradicate the malware and restore business-critical operations. Because ransomware needs time to spread across a network, attacks are often launched at night or over weekends, when a successful intrusion typically takes longer to notice. This compounds the difficulty of rapidly assembling and coordinating a knowledgeable response team.
Progent offers a variety of services for protecting Albuquerque businesses from ransomware. These include staff education to help employees recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and the setup and configuration of next-generation security appliances with AI-based features for automatically detecting and quarantining new threats. Progent also provides veteran ransomware recovery professionals with the track record and persistence to rebuild a breached environment as quickly as possible.
Progent's Ransomware Restoration Services
After a ransomware attack, paying the ransom in Bitcoin offers no assurance that the remote criminals will hand over the keys needed to decrypt any or all of your data. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the average ransomware demand, which ZDNet estimated at around $13,000 for smaller businesses. The alternative is to rebuild the mission-critical parts of your IT environment. Without access to complete data backups, this calls for a wide range of IT skills, professional project management, and the ability to work around the clock until the recovery is complete.
For two decades, Progent has provided certified expert IT services to businesses throughout the United States and holds Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals with high-level certifications in leading technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's security engineers hold internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC and GIAC. (Visit Progent's certifications). Progent also has experience with financial management and ERP software. This breadth of experience lets Progent quickly identify the systems that must be rebuilt after a ransomware intrusion, salvage the surviving components of your environment, and assemble them into a working whole.
Progent's security team uses robust project management tools to coordinate the complex recovery process. Progent understands the urgency of acting quickly, in concert with the client's management and IT staff, to prioritize tasks and bring essential systems back online as fast as possible.
Client Case Study: A Successful Crypto-Ransomware Incident Restoration
A customer engaged Progent after the company was hit by Ryuk ransomware. Early analysis linked Ryuk to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; later research attributed its operation to Russian-speaking criminal groups, and its delivery chain has been reported to use exploits derived from leaked U.S. National Security Agency tools. Ryuk targets specific organizations with little tolerance for operational disruption and is one of the most lucrative ransomware families. Widely publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-site manufacturer in the Chicago metropolitan area with around 500 employees. The Ryuk intrusion had paralyzed all essential business and manufacturing processes. Most of the client's backups had been online when the attack started and were destroyed along with the production data. The client considered paying the ransom (over $200,000) and hoping for the best, but ultimately decided to engage Progent.
"I cannot speak enough about the support Progent provided us throughout the most fearful period of (our) business's existence. We would have paid the cybercriminals except for the confidence the Progent experts provided us. That you were able to get our e-mail and important applications back in less than one week was earth shattering. Every single staff member I worked with or messaged at Progent was urgently focused on getting us back online and was working at breakneck pace to bail us out."
Progent worked with the customer to quickly identify and prioritize the key elements that had to be recovered before departmental functions could restart:
- Microsoft Active Directory
- MRP System
To begin, Progent followed incident response best practices by halting lateral movement and removing active malware. Progent then started rebuilding Active Directory, the core technology of enterprise environments built on Microsoft Windows Server. Microsoft Exchange Server messaging will not operate without Active Directory, and the business's MRP system ran on Microsoft SQL Server, which relied on Active Directory for access to the data.
Within two days, Progent had restored Active Directory to its pre-intrusion state. Progent then helped reinstall critical applications and recover their storage. The Exchange Server schema and attributes in Active Directory were intact, which simplified the Exchange restore. Progent was also able to locate intact OST files (Microsoft Outlook Offline Data Files) on user workstations and laptops and recover mail messages from them. A reasonably recent offline backup of the business's accounting/ERP systems made it possible to bring those essential applications back online. Although major work remained to recover completely from the Ryuk attack, essential services were restored rapidly:
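Recovering mail from cached OST files, as described above, starts with an inventory of which cached mailboxes survived. The script below is an added example written for this page, not Progent's procedure or tooling. It walks the user profile root, finds files named like an OST (including ones the encryptor renamed), and separates files that still begin with the Outlook PST/OST header signature "!BDN" from files whose header has been overwritten, flagging intact files that were written after the attack began for manual review. The profile layout, user names, the attack timestamp and the sample files are constructed for the example.

```python
"""Triage of Outlook OST caches after a ransomware attack (added example,
not Progent's tooling): find candidate files under user profiles and sort
intact caches from overwritten ones using the PST/OST header signature."""
import os
import tempfile
from pathlib import Path

PST_OST_MAGIC = b"!BDN"  # first four bytes of every Outlook PST/OST file


def classify_ost(path: Path, attack_started: float) -> dict:
    """Report whether one candidate still carries a valid header and whether
    it was last written after the attack began (epoch seconds)."""
    with path.open("rb") as f:
        head = f.read(len(PST_OST_MAGIC))
    st = path.stat()
    return {
        "path": str(path),
        "size": st.st_size,
        "intact_header": head == PST_OST_MAGIC,
        "modified_after_attack": st.st_mtime >= attack_started,
    }


def inventory_osts(profiles_root, attack_started: float) -> dict:
    """Find every file named like an OST (including renamed ones such as
    mailbox.ost.ryk) under the profile root and bucket the results."""
    candidates = sorted(p for p in Path(profiles_root).rglob("*.ost*") if p.is_file())
    found = [classify_ost(p, attack_started) for p in candidates]
    return {
        "candidates": len(found),
        # header intact: worth copying off the machine; check the mtime flag
        # before trusting anything written during the attack window
        "intact": [r for r in found if r["intact_header"]],
        # header gone: the encryptor got to it, do not waste recovery time here
        "damaged": [r for r in found if not r["intact_header"]],
    }


def build_sample_profiles(root) -> tuple:
    """Constructed sample: three user profiles with OSTs in the default
    location (AppData\\Local\\Microsoft\\Outlook) and different fates.
    Users, timestamps and contents are invented for this example."""
    attack_started = 1_700_000_000.0  # constructed epoch timestamp

    def outlook_dir(user):
        d = Path(root) / "Users" / user / "AppData" / "Local" / "Microsoft" / "Outlook"
        d.mkdir(parents=True)
        return d

    # alice: intact cache, last written an hour before the attack
    p = outlook_dir("alice") / "alice@example.com.ost"
    p.write_bytes(PST_OST_MAGIC + bytes(4096))
    os.utime(p, (attack_started - 3600, attack_started - 3600))
    # bob: overwritten with ciphertext and renamed by the ransomware
    p = outlook_dir("bob") / "bob@example.com.ost.ryk"
    p.write_bytes(os.urandom(4096))
    os.utime(p, (attack_started + 600, attack_started + 600))
    # carol: header still valid but written during the attack window
    p = outlook_dir("carol") / "carol@example.com.ost"
    p.write_bytes(PST_OST_MAGIC + bytes(4096))
    os.utime(p, (attack_started + 300, attack_started + 300))
    return Path(root), attack_started


def demo() -> dict:
    """Build the constructed profiles in a temp dir and inventory them."""
    with tempfile.TemporaryDirectory() as tmp:
        root, t0 = build_sample_profiles(tmp)
        return inventory_osts(root, t0)


if __name__ == "__main__":
    for bucket, rows in demo().items():
        print(bucket, rows)
```

On a real endpoint the call is `inventory_osts(r"C:\Users", attack_started)` with the timestamp taken from the incident timeline, pushed to each workstation through whatever remote execution path the responders trust. A valid signature proves only that the first four bytes survived, so a strain that encrypts files partially would pass this check; the final test of an intact cache is opening or exporting it in Outlook.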
"For the most part, the production line operation showed little impact and we did not miss any customer shipments."
Over the following month, key milestones in the recovery were completed through close collaboration between Progent consultants and the client:
- In-house web applications were restored with no loss of information.
- The MailStore archive server, holding more than 4 million historical emails, was brought back up and made accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory Control modules were fully operational.
- A new Palo Alto 850 security appliance was deployed.
- Most user desktops and notebooks were back in use by staff.
"A lot of what transpired in the initial days is nearly entirely a fog for me, but we will not forget the urgency each and every one of the team accomplished to give us our company back. I've utilized Progent for at least 10 years, possibly more, and each time I needed help Progent has shined and delivered as promised. This event was a testament to your capabilities."
A likely business disaster was averted by results-oriented experts, a broad range of subject matter expertise, and tight collaboration. In hindsight, the incident described here should have been prevented by current security controls, ISO/IEC 27001 best practices, staff training, and properly executed procedures for backups and software patching, but state-sponsored and criminal cyber gangs based in Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you are hit by ransomware, you can be confident that Progent's team has proven experience in ransomware defense, removal, and data recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for making it so I could get some sleep after we made it over the initial push. All of you did an amazing job, and if any of your team is around the Chicago area, dinner is my treat!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)