Crypto-Ransomware: Your Feared Information Technology Catastrophe
Ransomware has become an escalating cyber pandemic that presents an existential threat to businesses vulnerable to an attack. Crypto-ransomware families like Dharma, Fusob, Locky, Syskey and MongoLock have been circulating for many years and still inflict havoc. More recent variants such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Egregor, plus additional as yet unnamed strains, not only encrypt online files but also go after the recovery mechanisms they can reach: they delete volume shadow copies, disable backup agents and encrypt any backup store that is writable from a compromised account. Data synchronized to off-site disaster recovery sites can be ransomed as well, since the replication job faithfully copies the encrypted files over the good ones. In a poorly architected environment this makes automatic restore operations impossible and effectively knocks the network back to zero.
Bringing applications and data back online after a ransomware event is a race against time, as the targeted organization struggles to stop the spread, clean up the ransomware and restore business-critical operations. Because ransomware operators need time to move laterally before detonating, intrusions are often launched on weekends and at night, when successful attacks take longer to detect. This multiplies the difficulty of promptly marshalling and orchestrating a qualified response team.
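The practical test of the point above is whether the backup repositories can be reached, and written to, from the kind of account a phished workstation gives an attacker. The following PowerShell check is an added example, not code from this page or from Progent's tooling: run from an ordinary domain user's session, it reports which backup targets are reachable at all and which NTFS ACLs grant write or delete rights to broad groups. The UNC paths are hypothetical placeholders; substitute your own.

```powershell
# Added example, not Progent's code. Run from a regular domain user's session
# (the context an attacker gains from a phished workstation) to see whether the
# backup repositories are reachable and writable from there.
# The UNC paths below are hypothetical placeholders.
$BackupPaths = @('\\backup01\Repository', '\\nas01\Backups', '\\dr-site\Replica')

# Principals that should never hold write or delete rights on a backup store.
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Users', 'Domain Users', 'Domain Computers')

# Rights that let a process overwrite, encrypt or delete backup data.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Test-BackupExposure {
    param([Parameter(Mandatory)][string[]]$Paths)

    foreach ($path in $Paths) {
        # "Not reachable with ordinary credentials" (offline, air-gapped, or
        # behind separate credentials) is the outcome you want for a backup target.
        # Test-Path returns $false for both "does not exist" and "access denied".
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Reachable = $false; RiskyAces = @() }
            continue
        }

        $acl = Get-Acl -LiteralPath $path
        $risky = foreach ($ace in $acl.Access) {
            $identity = $ace.IdentityReference.Value        # e.g. CORP\Domain Users
            $isBroad  = $BroadPrincipals | Where-Object { $identity -eq $_ -or $identity -like "*\$_" }
            if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and
                (($ace.FileSystemRights -band $WriteRights) -ne 0)) {
                '{0}: {1}' -f $identity, $ace.FileSystemRights
            }
        }
        [pscustomobject]@{ Path = $path; Reachable = $true; RiskyAces = @($risky) }
    }
}

Test-BackupExposure -Paths $BackupPaths | ForEach-Object {
    if (-not $_.Reachable) {
        "OK   $($_.Path) is not reachable from this session"
    } elseif ($_.RiskyAces.Count -eq 0) {
        "WARN $($_.Path) is reachable; no broad write ACEs, but a domain admin can still wipe it"
    } else {
        "FAIL $($_.Path) writable by: $($_.RiskyAces -join '; ')"
    }
}
```

Two caveats when reading the output. Share-level permissions (Get-SmbShareAccess on the file server) are evaluated together with the NTFS ACLs this script inspects, so check both. More importantly, an ACL review only covers the case where the attacker holds an ordinary account; once the intrusion reaches Domain Admin, as it usually does before detonation, no ACL on a domain-joined repository helps, which is why the "OK" outcome above (the repository simply is not reachable with domain credentials, because it is offline, immutable, or protected by credentials that are not part of the domain) is the one to design for.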
Progent makes available a range of services for securing Virginia Beach organizations against ransomware events. Among these are staff training to recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of modern security gateways with AI capabilities to quickly detect and disable zero-day cyber threats. Progent also offers the assistance of expert ransomware recovery engineers with the track record and perseverance to redeploy a breached environment as quickly as possible.
Progent's Crypto-Ransomware Recovery Support Services
After a ransomware attack, even paying the ransom in cryptocurrency does not guarantee that the criminals will provide working keys to decrypt any or all of your data. Kaspersky estimated that 17% of ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also very expensive. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time). This is far higher than the typical ransomware demand, which ZDNet put at approximately $13,000 for smaller businesses. The alternative is to rebuild the mission-critical components of your IT environment from scratch. Without complete system backups, this calls for a broad complement of IT skills, well-coordinated project management, and the capacity to work around the clock until the job is done.
For twenty years, Progent has provided expert IT services for businesses across the United States and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who hold high-level industry certifications in leading technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity engineers hold internationally recognized certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience with accounting and ERP application software. This breadth of expertise gives Progent the capability to efficiently identify the critical systems, salvage the surviving pieces of your IT environment after a crypto-ransomware event, and reassemble them into an operational network.
Progent's recovery group uses best-of-breed project management systems to coordinate the complex restoration process. Progent appreciates the importance of working quickly and in concert with a client's management and IT resources to prioritize tasks and to put essential services back online as soon as humanly possible.
Case Study: A Successful Crypto-Ransomware Penetration Recovery
A small business engaged Progent after its network was taken down by Ryuk crypto-ransomware. Ryuk was at first attributed to North Korean state hackers because it shares code with the Hermes ransomware; later analysis attributed it to a Russian-speaking criminal group, whose delivery chain has been reported to use exploits leaked from the US NSA. Ryuk targets specific organizations that have little tolerance for downtime and is one of the most lucrative ransomware operations. Headline targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company based in Chicago with around 500 employees. The Ryuk intrusion had frozen all company operations and manufacturing capability. The majority of the client's data backups had been online at the start of the intrusion and were destroyed. The client was actively seeking loans to pay the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately reached out to Progent.
"I cannot tell you enough about the care Progent provided us throughout the most critical period of (our) company's existence. We had little choice but to pay the criminal gangs except for the confidence the Progent experts gave us. That you were able to get our messaging and production applications back into operation in less than seven days was amazing. Every single expert I talked with or messaged at Progent was absolutely committed to getting us working again and was working non-stop to bail us out."
Progent worked with the customer to rapidly assess and prioritize the most important applications that had to be restored to keep departmental operations running:
First, Progent followed standard ransomware incident response practice: isolating affected systems to halt the spread and removing the active malware. Progent then began bringing Microsoft Active Directory back online, the foundation of any enterprise network built on Microsoft Windows. Microsoft Exchange email will not work without Active Directory, and the client's accounting and MRP software ran on Microsoft SQL Server, which relied on Active Directory (Windows authentication) to control access to the data.
- Microsoft Active Directory
In less than two days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then began the setup and storage recovery of critical servers. All Microsoft Exchange Server schema extensions and attributes were intact, which simplified the restoration of Exchange. Progent was also able to locate local OST files (Outlook offline folder files) on various workstations and laptops and recover email data from them. A reasonably recent offline backup of the customer's financials/ERP software made it possible to bring these vital applications back into service. Although a large amount of work remained to recover fully from the Ryuk event, core systems were recovered rapidly:
"For the most part, the production manufacturing operation ran fairly normally throughout and we produced all customer sales."
Over the next few weeks, the key milestones of the restoration project were reached in close collaboration between Progent team members and the customer:
- Self-hosted web applications were restored with no loss of information.
- The MailStore Server containing more than 4 million archived messages was brought online and available for users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivables/Inventory modules were 100 percent recovered.
- A new Palo Alto 850 firewall was brought online.
- Most of the user workstations were back into operation.
"So much of what transpired that first week is nearly entirely a haze for me, but we will not forget the commitment each and every one of you accomplished to help get our company back. I've entrusted Progent for the past 10 years, maybe more, and each time Progent has outperformed my expectations and delivered as promised. This situation was a stunning achievement."
A potentially business-ending catastrophe was averted by dedicated professionals, a wide spectrum of knowledge, and close collaboration. In retrospect, the ransomware incident described here would have been identified and stopped by modern cyber security technology, NIST Cybersecurity Framework best practices, user and IT administrator training, and properly executed procedures for backup and software patching. But the fact is that criminal ransomware gangs and state-sponsored attackers from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware attack, remember that Progent's team of professionals has extensive experience in crypto-ransomware defense, removal, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were helping), thank you for making it so I could get rested after we got past the initial fire. Everyone made a fabulous effort, and if any of you guys are around the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Remediation Case Study Datasheet
To review or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)