Crypto-Ransomware: Your Feared Information Technology Catastrophe
Ransomware has become a modern cyberplague that poses an extinction-level threat for businesses poorly prepared for an assault. Earlier iterations of ransomware such as the CrySIS, Fusob, Locky, Syskey and MongoLock cryptoworms have been running rampant for years and still inflict harm. Modern crypto-ransomware families such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, along with a stream of unnamed newcomers, not only encrypt online data but also encrypt every backup they can reach over the network. Data synchronized to cloud environments can be encrypted as well. In a poorly architected data protection solution this renders automated restoration hopeless and effectively knocks the network back to zero.
Restoring applications and data after a ransomware attack becomes a sprint against time as the victim works to stop lateral movement, remove the ransomware, and resume mission-critical operations. Because ransomware needs time to spread, intrusions are often triggered on weekends and holidays, when a successful penetration typically takes longer to notice. This multiplies the difficulty of rapidly mobilizing and coordinating a qualified mitigation team.
Progent offers a range of services for protecting San Juan enterprises from crypto-ransomware incidents. These include staff training to recognize and avoid phishing attacks, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security gateways that use artificial intelligence to rapidly identify and quarantine zero-day threats. Progent also offers the services of experienced crypto-ransomware recovery engineers with the skill and perseverance to rebuild a breached network as quickly as possible.
Progent's Ransomware Restoration Services
Paying the ransom demand in Bitcoin shortly after an attack provides no assurance that the criminals will hand over the keys needed to decrypt any of your data. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15 to 40 BTC ($120,000 to $400,000). This is far higher than the typical ransomware demand, which ZDNET estimated at approximately $13,000 for small organizations. The fallback is to rebuild the vital elements of your IT environment from scratch. Without access to complete data backups, this requires a wide complement of skill sets, top-notch team management, and the ability to work continuously until the job is done.
For decades, Progent has offered expert Information Technology services to businesses across the United States and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who hold top certifications in key technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security engineers have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with accounting and ERP applications. This breadth of expertise gives Progent the skills to knowledgeably identify critical systems, reorganize the surviving parts of your network following a crypto-ransomware attack, and rebuild them into an operational system.
Progent's security team uses state-of-the-art project management systems to orchestrate the complex recovery process. Progent understands the urgency of working rapidly and in concert with a customer's management and Information Technology team members to prioritize tasks and get essential services back online as fast as possible.
Customer Story: A Successful Ransomware Intrusion Response
A client sought out Progent after their network was crippled by the Ryuk ransomware virus. Ryuk is thought to have been deployed by North Korean state-sponsored criminal gangs, suspected of using techniques leaked from America's NSA. Ryuk targets specific organizations with little or no ability to sustain disruption and is among the most profitable incarnations of ransomware. Major targets have included Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturer headquartered in the Chicago metro area with around 500 workers. The Ryuk penetration had paralyzed all company operations and manufacturing processes. Most of the client's data backups had been directly accessible over the network at the start of the attack and were destroyed. The client was actively seeking loans to pay the ransom (exceeding $200K) and hoping for the best, but in the end turned to Progent.
"I can't say enough in regards to the help Progent provided us throughout the most critical time of (our) company's existence. We most likely would have paid the hackers behind this attack except for the confidence the Progent group gave us. That you were able to get our e-mail system and key servers back online sooner than 1 week was incredible. Every single expert I interacted with or communicated with at Progent was urgently focused on getting us back online and was working all day and night to bail us out."
Progent worked together with the client to quickly identify and prioritize the most important services that had to be recovered to allow business operations to continue:
- Active Directory (AD)
- Microsoft Exchange Server
- MRP System
To begin, Progent followed anti-virus incident mitigation best practices by halting lateral movement and cleaning up infected systems. Progent then began the work of recovering Microsoft Active Directory, the heart of enterprise networks built on Microsoft Windows technology. Exchange messaging will not work without AD, and the customer's financials and MRP software relied on SQL Server, which requires Active Directory for authentication and authorization to the database.
Within two days, Progent was able to recover Windows Active Directory to its pre-intrusion state. Progent then completed reinstallations and hard drive recovery on critical servers. All Exchange Server schema and attributes were intact, which facilitated the rebuild of Exchange. Progent was able to gather unencrypted OST files (Outlook Offline Data Files) from various PCs in order to recover mail messages. A recent offline backup of the business's financials/MRP software made it possible to bring these vital applications back to users. Although major work remained to recover completely from the Ryuk attack, core systems were returned to operation quickly:
"For the most part, the production line operation ran fairly normal throughout and we produced all customer orders."
Throughout the following few weeks, critical milestones in the recovery process were completed in close cooperation between Progent consultants and the client:
- Self-hosted web sites were restored without losing any data.
- The MailStore email archive for Microsoft Exchange Server, holding over 4 million historical emails, was restored to operation and made accessible to users.
- CRM/Orders/Invoices/AP/Accounts Receivables (AR)/Inventory functions were completely functional.
- A new Palo Alto 850 firewall was set up.
- 90% of the desktop computers were functioning as before the incident.
"Much of what transpired that first week is mostly a haze for me, but we will not soon forget the dedication each of your team put in to help get our business back. I have been working together with Progent for the past 10 years, possibly more, and every time Progent has shined and delivered. This time was a life saver."
A probable business-ending catastrophe was averted through top-tier professionals, a broad spectrum of technical expertise, and close collaboration. In hindsight, the crypto-ransomware incident described here could have been blocked with modern security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, and properly executed procedures for backups and patching. The fact remains, however, that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and an ongoing threat. If you are hit by a ransomware penetration, you can be confident that Progent's roster of experts has extensive experience in crypto-ransomware blocking, removal, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were helping), thank you for allowing me to get rested after we got through the initial push. All of you did an incredible job, and if anyone is in the Chicago area, a great meal is the least I can do!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)