Crypto-Ransomware: Your Crippling IT Disaster
Crypto-ransomware has become an escalating cyber pandemic and presents an existential threat to businesses that are vulnerable to an attack. Multiple generations of ransomware, including the CryptoLocker, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms, have been in the wild for a long time and still inflict havoc. Modern strains such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit and Nephilim, plus newcomers not yet named, not only encrypt online data files but also infiltrate every system backup they can reach. Data synced to off-site disaster recovery sites can be ransomed as well. In a vulnerable environment this renders automatic restoration useless and effectively knocks the datacenter back to zero.
Getting programs and information back online after a ransomware event becomes a race against the clock as the targeted organization struggles to stop lateral movement, eradicate the crypto-ransomware, and resume business-critical operations. Because crypto-ransomware takes time to spread, intrusions are frequently triggered on weekends and holidays, when successful attacks tend to take longer to uncover. This multiplies the difficulty of rapidly mobilizing and coordinating an experienced mitigation team.
Progent offers a variety of services for securing Virginia Beach businesses against ransomware events. Among these are team training to recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of the latest generation of security gateways with machine-learning capabilities that automatically detect and extinguish zero-day threats. Progent also provides the services of experienced crypto-ransomware recovery engineers with the track record and perseverance to rebuild a breached system as quickly as possible.
Progent's Crypto-Ransomware Restoration Help
Soon after a crypto-ransomware attack, even paying the ransom demand in Bitcoin offers no assurance that the distant criminals will respond with the keys to decrypt any or all of your information. Kaspersky Labs determined that 17% of ransomware victims never restored their data even after paying the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000), significantly higher than the usual ransomware demand, which ZDNET estimated at around $13,000 for small businesses. The other path is to re-install the key parts of your IT environment. Without access to complete data backups, this requires a wide range of IT skills, professional project management, and the willingness to work continuously until the task is complete.
For twenty years, Progent has provided professional IT services to companies across the U.S. and has achieved Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who hold advanced certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have earned internationally recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with financial systems and ERP software solutions. This breadth of expertise enables Progent to quickly understand the necessary systems, integrate the remaining pieces of your IT environment after a crypto-ransomware penetration, and rebuild them into a functioning network.
Progent's recovery group uses state-of-the-art project management applications to orchestrate the complicated restoration process. Progent appreciates the urgency of working rapidly and in unison with a customer's management and IT staff to prioritize tasks and to put essential systems back online as fast as possible.
Customer Story: A Successful Ransomware Intrusion Recovery
A client sought out Progent after its network was brought down by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state hackers, suspected of using techniques leaked from the U.S. National Security Agency. Ryuk seeks out businesses with little or no tolerance for disruption and is one of the most profitable strains of ransomware. Major targets have included Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing company based in Chicago with about 500 workers. The Ryuk intrusion had shut down all company operations and manufacturing processes. Most of the client's system backups had been online at the start of the attack and were damaged. The client was considering paying the ransom demand (exceeding $200K) and hoping for the best, but ultimately engaged Progent.
"I cannot speak enough about the care Progent gave us throughout the most stressful period of (our) business's existence. We would have paid the hackers behind this attack except for the confidence the Progent team provided us. The fact that you could get our e-mail and essential applications back into operation in less than 1 week was amazing. Each person I spoke to or texted at Progent was amazingly focused on getting our company operational and was working 24 by 7 on our behalf."
Progent worked together with the client to quickly determine and prioritize the most important systems that had to be restored to make it possible to restart business functions:
- Microsoft Active Directory
- Microsoft Exchange
To begin, Progent followed anti-malware incident response best practices by halting lateral movement and cleaning infected systems. Progent then started the work of recovering Active Directory, the core technology of enterprise networks built on Microsoft Windows Server. Microsoft Exchange Server email will not function without Active Directory, and the customer's financials and MRP software ran on SQL Server, which relies on Active Directory for authorization to access the data.
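The dependency reasoning above (Active Directory before Exchange and SQL Server, SQL Server before the financials/MRP application) is the ordering a recovery lead has to get right under time pressure. The following Python is an added illustration, not Progent's tooling or anything from the case study: it records each service's dependencies and the backup source available for it, then derives a restoration order and parallel restoration waves with a topological sort, failing loudly on circular or unknown dependencies. The service names, dependency edges and restore sources in the sample are constructed from the case study and are assumptions.

```python
"""Dependency-ordered restoration planning for a ransomware rebuild.

Illustrative code added to this case study; it is not Progent's tooling.
The recovery described above rebuilt Active Directory first because
Exchange and SQL Server (and the financials/MRP application on top of
SQL Server) cannot serve users without it. This module captures such
dependencies explicitly and derives a restoration order with Kahn's
topological sort, so a recovery lead can see what must come first, what
can proceed in parallel, and which systems have no clean copy to restore.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Service:
    name: str
    depends_on: Tuple[str, ...] = ()
    # Where a clean copy can come from; None means the service must be
    # rebuilt from scratch rather than restored.
    restore_source: Optional[str] = None


def recovery_order(services: Sequence[Service]) -> List[str]:
    """Order services so every dependency precedes the services that need it.

    Services that become restorable at the same time are emitted in
    alphabetical order, which keeps the plan deterministic. Unknown or
    circular dependencies raise ValueError, since a plan built on them
    would stall during the real restoration.
    """
    by_name: Dict[str, Service] = {s.name: s for s in services}
    indegree = {name: 0 for name in by_name}
    dependents: Dict[str, List[str]] = defaultdict(list)
    for svc in services:
        for dep in svc.depends_on:
            if dep not in by_name:
                raise ValueError(f"{svc.name!r} depends on unknown service {dep!r}")
            indegree[svc.name] += 1
            dependents[dep].append(svc.name)

    ready = sorted(name for name, deg in indegree.items() if deg == 0)
    order: List[str] = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for child in dependents[current]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
        ready.sort()

    if len(order) != len(by_name):
        stuck = sorted(name for name, deg in indegree.items() if deg > 0)
        raise ValueError(f"circular dependency among {stuck}")
    return order


def recovery_waves(services: Sequence[Service]) -> List[List[str]]:
    """Group services into waves; everything in one wave can be restored in parallel."""
    by_name = {s.name: s for s in services}
    order = recovery_order(services)  # validates the graph first
    if not order:
        return []
    depth: Dict[str, int] = {}
    for name in order:
        deps = by_name[name].depends_on
        depth[name] = 1 + max((depth[d] for d in deps), default=-1)
    waves: List[List[str]] = [[] for _ in range(max(depth.values()) + 1)]
    for name in order:
        waves[depth[name]].append(name)
    return waves


def rebuild_plan(services: Sequence[Service]) -> List[Tuple[str, str]]:
    """Pair each service, in recovery order, with the action its backup state allows."""
    by_name = {s.name: s for s in services}
    plan = []
    for name in recovery_order(services):
        src = by_name[name].restore_source
        action = f"restore from {src}" if src else "rebuild from scratch (no clean copy)"
        plan.append((name, action))
    return plan


# Constructed sample modelled on the case study; the dependency edges and
# restore sources are assumptions for illustration, not facts from the page.
CASE_STUDY = [
    Service("Active Directory"),
    Service("Exchange", ("Active Directory",), "OST files on user workstations"),
    Service("SQL Server", ("Active Directory",), "offline backup"),
    Service("Financials/MRP", ("SQL Server",), "offline backup"),
    Service("Internal web apps", ("Active Directory",), "offline backup"),
    Service("MailStore archive", ("Exchange",), "archive store on disk"),
]

if __name__ == "__main__":
    for wave_no, wave in enumerate(recovery_waves(CASE_STUDY)):
        print(f"wave {wave_no}: {', '.join(wave)}")
    for name, action in rebuild_plan(CASE_STUDY):
        print(f"{name:20} {action}")
```

Running the module prints Active Directory alone in wave 0, the three services that depend only on it in wave 1, and the archive and MRP application in wave 2; services with no restore source are flagged for a from-scratch rebuild, which is exactly the situation the case study describes for Active Directory.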
In less than two days, Progent rebuilt Active Directory services to their pre-penetration state. Progent then rebuilt the required servers and recovered their storage. All Exchange connections and attributes were intact, which simplified the Exchange rebuild. Progent located intact OST files (Outlook Offline Folder Files) on team PCs and used them to recover email data. A reasonably recent offline backup of the customer's financials/MRP software made it possible to bring these essential services back online. Although significant work remained to recover fully from the Ryuk attack, the most important systems were returned to operation rapidly:
"For the most part, the production manufacturing operation was never shut down and we delivered all customer sales."
Over the next couple of weeks, key milestones in the recovery project were accomplished in tight cooperation between Progent team members and the customer:
- Internal web applications were restored without losing any data.
- The MailStore server for Exchange, holding more than four million historical emails, was restored to operation and accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory Control functions were 100 percent functional.
- A new Palo Alto Networks 850 security appliance was brought on-line.
- Most of the desktops and laptops were fully operational.
"So much of what went on in the initial days is nearly entirely a fog for me, but our team will not forget the countless hours all of the team put in to help get our business back. I've trusted Progent for the past ten years, possibly more, and each time Progent has come through and delivered as promised. This event was no exception but maybe more Herculean."
A potentially company-ending catastrophe was averted by top-tier experts, a wide array of subject matter expertise, and close teamwork. In hindsight, the ransomware incident described here should have been prevented by up-to-date cyber security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator education, and well-designed incident response procedures for data backup and software patching; the reality, however, is that state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and are not going away. If you are hit by a crypto-ransomware penetration, remember that Progent's roster of experts has proven experience in ransomware blocking, mitigation, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thanks very much for letting me get rested after we made it through the initial push. All of you put in an amazing effort, and if any of you guys are visiting the Chicago area, a great meal is my treat!"
Download the Ransomware Recovery Case Study Datasheet
To review or download a PDF version of this customer case study, click: Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).