Crypto-Ransomware: Your Feared Information Technology Catastrophe
Crypto-ransomware has become a modern cyber pandemic and an existential danger for any business vulnerable to an attack. Earlier families such as Dharma, Fusob, Bad Rabbit, NotPetya and MongoLock have been around for years and continue to inflict havoc. More recent families like Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Conti and Nefilim, along with a steady stream of as yet unnamed newcomers, not only encrypt online data but also seek out and destroy any system restore points and backups they can reach. Data replicated to the cloud can be ransomed as well. In a poorly protected environment this renders automated restoration hopeless and effectively sets the datacenter back to square one, which is why at least one backup copy must be kept offline or immutable, beyond the reach of the credentials the attacker has captured.
Restoring online services and data after a ransomware outage becomes a race against time as the targeted business struggles to halt lateral movement, eradicate the malware and bring mission-critical operations back. Because the ransomware operators need time to move laterally, attacks are usually triggered at night or on weekends, when they take longer to discover. This compounds the difficulty of quickly mobilizing and coordinating a capable response team.
Progent offers a range of services for protecting Midtown Manhattan businesses from crypto-ransomware intrusions. Among these are user training to recognize and avoid phishing lures, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment and configuration of the latest generation of security appliances that use artificial intelligence to rapidly detect and block zero-day threats. Progent can also provide seasoned crypto-ransomware recovery professionals with the skills and commitment to rebuild a breached system as quickly as possible.
Progent's Crypto-Ransomware Restoration Services
After a ransomware incident, paying the ransom in Bitcoin does not guarantee that the attackers will hand over the keys to decrypt all your data. Kaspersky found that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms often run from 15 to 40 BTC ($120,000 to $400,000), far higher than the typical ransomware demand, which ZDNet estimated at around $13,000 for smaller businesses. The alternative is to piece the vital parts of your IT environment back together. Without usable system backups, this requires a wide complement of skills, top-notch project management, and the ability to work around the clock until the recovery is complete.
For twenty years, Progent has provided expert IT services to companies throughout the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who hold top industry certifications in leading technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity engineers hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications.) Progent also has expertise in accounting and ERP applications. This breadth of experience allows Progent to quickly identify critical systems, organize the surviving pieces of your network after a crypto-ransomware attack, and rebuild them into a working system.
Progent's recovery team uses state-of-the-art project management tools to orchestrate the complex restoration process. Progent understands the importance of acting rapidly and working together with the client's management and IT staff to prioritize tasks and get key systems back online as soon as possible.
Customer Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A customer came to Progent after their company was brought down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state actors because it shares code with the earlier Hermes ransomware; most researchers now attribute it to a Russian-speaking criminal group. Ryuk targets specific businesses with little tolerance for operational disruption and is among the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturer headquartered in Chicago with about 500 employees. The Ryuk attack had paralyzed all company operations and manufacturing processes. Most of the client's backups were online when the attack began and were destroyed. The client was preparing to pay the ransom (over $200K) and hope for the best, but in the end brought in Progent.
"I cannot say enough about the help Progent gave us during the most stressful period of (our) business's existence. We would have had little choice but to pay the hackers if not for the confidence the Progent experts gave us. The fact that you were able to get our e-mail and critical applications back online in less than five days was incredible. Every single expert I got help from or messaged at Progent was absolutely committed to getting our system up and was working at all hours on our behalf."
Progent worked hand in hand with the customer to rapidly identify and prioritize the mission-critical systems that had to be recovered first so that departmental functions could continue:
- Microsoft Active Directory
- MRP System
To start, Progent followed industry best practices for incident containment: isolating infected hosts to halt lateral movement and removing the active malware. Progent then began rebuilding Microsoft Active Directory, the foundation of any environment built on Microsoft Windows Server. Microsoft Exchange Server will not function without AD, and the business's accounting and MRP applications ran on Microsoft SQL Server, which relies on AD for Windows authentication to the databases.
Within 48 hours, Progent had restored Active Directory to its pre-attack state and began reinstalling essential servers and recovering their storage. The Exchange schema extensions and attributes in AD were intact, which greatly simplified the Exchange restore. Mail messages were recovered from the local OST files (Outlook offline cache files) on users' PCs. A recent offline backup of the accounting/MRP software made it possible to return those vital services to users. Although major work remained before the recovery from Ryuk was complete, the most important services were restored quickly:
"For the most part, the production line operation survived unscathed and we produced all customer shipments."
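Two of the recovery steps above (confirming that the restored Active Directory still carries the Exchange schema, and harvesting users' local OST caches before workstations are reimaged) are easy to script. The following PowerShell is an added example written for this page; it is not Progent's tooling and nothing from the case study depends on it. It assumes a domain-joined admin host with the ActiveDirectory RSAT module, a domain admin account, and reachable C$ admin shares on the workstations; the host names `WS-001` and `WS-002` are placeholders.

```powershell
# Added example (not Progent's tooling): post-containment checks for an
# Exchange/AD recovery. Assumes the ActiveDirectory RSAT module, a domain
# admin account, and reachable C$ shares. Host names are placeholders.

Import-Module ActiveDirectory

function Get-ExchangeSchemaStatus {
    # Exchange records its schema version in the rangeUpper attribute of
    # ms-Exch-Schema-Version-Pt in the forest schema partition. If the object
    # is absent, the restored AD has lost the Exchange extensions and setup
    # would have to re-extend the schema before mailbox databases can be
    # reattached. Any error other than "not found" (e.g. no DC reachable)
    # is deliberately left to surface.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $dn = "CN=ms-Exch-Schema-Version-Pt,$schemaNC"
    try {
        $obj = Get-ADObject -Identity $dn -Properties rangeUpper -ErrorAction Stop
        [pscustomobject]@{ Present = $true;  SchemaVersion = $obj.rangeUpper }
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        [pscustomobject]@{ Present = $false; SchemaVersion = $null }
    }
}

function Test-OstHeader {
    param([Parameter(Mandatory)][string] $Path)
    # Intact PST/OST files begin with the signature "!BDN". A cache that was
    # encrypted in place, truncated or otherwise damaged fails this test and
    # is not worth copying off. FileShare ReadWrite lets us read the header
    # even while Outlook still has the file open.
    $buf = New-Object byte[] 4
    $fs  = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try     { $n = $fs.Read($buf, 0, 4) }
    finally { $fs.Dispose() }
    return ($n -eq 4 -and [System.Text.Encoding]::ASCII.GetString($buf) -eq '!BDN')
}

function Find-OutlookOstFiles {
    param(
        [Parameter(Mandatory)][string[]] $ComputerName,
        [string] $ReportPath = '.\ost-inventory.csv'
    )
    # Outlook keeps each mailbox cache under %LOCALAPPDATA%\Microsoft\Outlook\*.ost.
    # Walk every profile on every workstation over the C$ share so the usable
    # caches can be collected before the machines are reimaged.
    $results = foreach ($pc in $ComputerName) {
        $usersRoot = "\\$pc\C$\Users"
        if (-not (Test-Path -LiteralPath $usersRoot)) {
            Write-Warning "${pc}: unreachable or C$ share unavailable"
            continue
        }
        foreach ($userDir in Get-ChildItem -LiteralPath $usersRoot -Directory -ErrorAction SilentlyContinue) {
            $ostDir = Join-Path $userDir.FullName 'AppData\Local\Microsoft\Outlook'
            foreach ($ost in Get-ChildItem -LiteralPath $ostDir -Filter *.ost -File -ErrorAction SilentlyContinue) {
                [pscustomobject]@{
                    Computer  = $pc
                    Profile   = $userDir.Name
                    Path      = $ost.FullName
                    SizeMB    = [math]::Round($ost.Length / 1MB, 1)
                    LastWrite = $ost.LastWriteTime
                    Intact    = Test-OstHeader -Path $ost.FullName
                }
            }
        }
    }
    $results | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
    return $results
}

# Usage (placeholder host names):
Get-ExchangeSchemaStatus
Find-OutlookOstFiles -ComputerName 'WS-001', 'WS-002' |
    Sort-Object Computer, Profile | Format-Table -AutoSize
```

Run the schema check before attempting any Exchange reinstall: a restored forest that reports `Present = $false` needs the schema re-extended first. The OST inventory is ordered by workstation and profile so the largest, most recently written, intact caches can be copied to safe storage first; entries flagged `Intact = $false` were hit by the encryption and will not open in Outlook.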
Over the following weeks, further milestones in the restoration project were reached through close collaboration between Progent consultants and the client:
- Internal web sites were brought back up with no loss of data.
- The MailStore e-mail archive server, holding over four million archived messages, was brought back online and made accessible to users.
- CRM/Product Ordering/Invoices/AP/AR/Inventory modules were fully functional.
- A new Palo Alto Networks PA-850 firewall was deployed.
- Nearly all of the user workstations were back in operation.
"So much of what occurred during the initial response is mostly a haze for me, but we will not soon forget the dedication all of you showed to help get our company back. I've trusted Progent for at least 10 years, maybe more, and each time I needed help Progent has impressed me and delivered. This event was the most impressive ever."
A potential business-ending disaster was averted by hard-working professionals, a broad range of technical expertise, and close teamwork. Post-incident forensics showed that the intrusion described here could have been stopped by modern security controls and best practices: staff training, disciplined patch management, and backup procedures that keep copies offline and out of the attacker's reach. Even so, criminal and state-sponsored groups operating from Russia, North Korea, China and elsewhere are tireless and will keep trying. If you are hit by a crypto-ransomware attack, you can be confident that Progent's team has substantial experience in crypto-ransomware defense, mitigation, and data recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thank you for allowing me to get some rest after we made it through the first week. Everyone did an impressive job, and if any of you are visiting the Chicago area, a great meal is the least I can do!"
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)