Crypto-Ransomware: Your Feared Information Technology Nightmare
Ransomware has become a modern cyber pandemic that represents an extinction-level danger for businesses of all sizes that are poorly prepared for an assault. Different versions of ransomware like the Reveton, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been out in the wild for a long time and still inflict havoc. More recent versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, as well as frequent as-yet-unnamed newcomers, not only encrypt online files but also infect many configured system backups. Information synced to cloud environments can also be rendered useless. In a poorly architected system, this can make automatic recovery impossible and essentially sets the network back to square one.
Getting applications and information back after a ransomware outage becomes a sprint against the clock as the targeted organization tries its best to stop lateral movement, clean up the ransomware, and restore enterprise-critical operations. Since ransomware needs time to spread, attacks are frequently sprung during nights and weekends, when penetrations typically take more time to identify. This multiplies the difficulty of quickly marshalling and organizing an experienced mitigation team.
Progent offers a variety of support services for protecting San Juan enterprises from crypto-ransomware attacks. These include staff education to recognize and avoid falling victim to phishing scams, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which uses SentinelOne's AI-based threat protection to discover and suppress zero-day modern malware attacks. Progent can also provide the assistance of expert crypto-ransomware recovery consultants with the talent and commitment to rebuild a compromised environment as urgently as possible.
Progent's Ransomware Restoration Support Services
After a crypto-ransomware penetration, paying the ransom in cryptocurrency does not provide any assurance that the cyber criminals will return the keys needed to decipher any or all of your information. Kaspersky ascertained that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is far higher than the typical ransomware demand, which ZDNET determined to be around $13,000 for small businesses. The alternative is to set up the essential parts of your IT environment from scratch. Without access to complete data backups, this requires a wide complement of skills, top-notch project management, and the capability to work non-stop until the job is done.
For twenty years, Progent has provided professional Information Technology services for businesses throughout the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have earned top certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have garnered internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience in financial systems and ERP applications. This breadth of experience gives Progent the ability to knowledgeably understand critical systems, consolidate the surviving pieces of your network environment following a ransomware penetration, and configure them into a functioning network.
Progent's security group has best-of-breed project management tools to coordinate the sophisticated restoration process. Progent understands the importance of acting quickly and working together with a customer's management and IT team members to prioritize tasks and get the most important systems back online as fast as possible.
Client Case Study: A Successful Ransomware Intrusion Restoration
A business sought out Progent after their organization was taken over by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean government-sponsored cybercriminals, possibly using approaches leaked from the U.S. National Security Agency. Ryuk targets specific organizations with little or no tolerance for disruption and is among the most profitable iterations of ransomware. High-profile victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business based in Chicago with about 500 staff members. The Ryuk event had disabled all company operations and manufacturing processes. Most of the client's backups had been online at the time of the intrusion and were encrypted. The client was evaluating paying the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but ultimately made the decision to use Progent.
"I can't tell you enough about the care Progent provided us during the most stressful period of (our) company's life. We most likely would have paid the cybercriminals if it wasn't for the confidence the Progent group provided us. That you were able to get our e-mail system and key applications back into operation in less than seven days was beyond my wildest dreams. Each expert I worked with or communicated with at Progent was urgently focused on getting us operational and was working at breakneck pace to bail us out."
Progent worked with the client to rapidly understand and prioritize the essential services that needed to be addressed in order to resume company functions:
- Active Directory
- Exchange Server
- Accounting and Manufacturing Software
To get going, Progent followed anti-virus incident response best practices by stopping lateral movement and disinfecting systems. Progent then initiated the process of bringing back online Microsoft Active Directory, the heart of enterprise environments built upon Microsoft Windows technology. Exchange email will not function without AD, and the client's MRP applications relied on SQL Server, which needs Windows AD to authenticate access to the data.
Within 2 days, Progent was able to restore Active Directory to its pre-infection state. Progent then helped perform rebuilding and hard drive recovery of essential applications. All Exchange data and configuration information were intact, which accelerated the restore of Exchange. Progent was also able to locate intact OST files (Outlook Offline Folder Files) on user workstations to recover mail information. A reasonably recent offline backup of the customer's accounting/ERP systems allowed these required services to be brought back online. Although a large amount of work still needed to be completed to recover fully from the Ryuk event, the most important services were recovered quickly:
"For the most part, the assembly line operation showed little impact and we made all customer deliverables."
Over the next few weeks, key milestones in the restoration project were completed through close cooperation between Progent engineers and the customer:
- In-house web sites were restored without losing any information.
- The MailStore archive for Microsoft Exchange Server, holding more than 4 million archived messages, was brought online and made accessible to users.
- CRM/Product Ordering/Invoicing/AP/Accounts Receivable/Inventory modules were fully operational.
- A new Palo Alto 850 security appliance was deployed.
- Most of the user workstations were operational.
"Much of what occurred during the initial response is nearly entirely a haze for me, but we will not forget the urgency each and every one of you put in to help get our business back. I have been working together with Progent for the past ten years, maybe more, and each time I needed help Progent has impressed me and delivered. This event was a stunning achievement."
A potential enterprise-killing disaster was dodged with dedicated professionals, a wide array of technical expertise, and close collaboration. Although in hindsight the crypto-ransomware penetration described here could have been stopped with modern cyber security technology and best practices, team training, and well-designed security procedures for data backup and applying software patches, the fact remains that government-sponsored cyber criminals from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware incident, you can be confident that Progent's roster of professionals has proven experience in ransomware virus defense, mitigation, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thanks very much for letting me get rested after we got over the initial fire. All of you made a fabulous effort, and if any of you guys are around the Chicago area, a great meal is my treat!"
Download the Ransomware Remediation Case Study Datasheet
To read or download a PDF version of this customer story, click: Progent's Ransomware Virus Recovery Case Study Datasheet (PDF - 282 KB).
Contact Progent for Ransomware Recovery Consulting in San Juan
For ransomware system restoration expertise in the San Juan area, phone Progent at 800-462-8800 or visit Contact Progent.