Crypto-Ransomware: Your Crippling Information Technology Nightmare
Ransomware has become an all-too-frequent cyber pandemic that poses an enterprise-level threat to organizations poorly prepared for an assault. Different iterations of crypto-ransomware such as Reveton, CryptoWall, Bad Rabbit, Syskey and the MongoLock cryptoworms have been running rampant for a long time and still cause havoc. Modern strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, plus more as yet unnamed viruses, not only encrypt on-line critical data but also corrupt any system protection they can reach. Information synchronized to the cloud can be corrupted as well. In a poorly designed environment, this can render any recovery useless and knock the entire system back to square one.
Retrieving programs and data after a crypto-ransomware intrusion becomes a sprint against the clock as the targeted business struggles to stop lateral movement, remove the virus, and resume enterprise-critical activity. Because ransomware needs time to spread, attacks are usually launched on weekends and holidays, when a successful attack takes longer to recognize. This compounds the difficulty of promptly mobilizing and orchestrating a capable mitigation team.
Progent offers a range of services for protecting Midtown Manhattan enterprises from crypto-ransomware attacks. Among these are team education to help staff recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of the latest generation of security gateways with artificial intelligence capabilities to quickly detect and extinguish zero-day cyber threats. Progent also provides experienced ransomware recovery engineers with the talent and commitment to reconstruct a breached system as soon as possible.
Progent's Ransomware Recovery Help
After a ransomware attack, paying the ransom in cryptocurrency does not ensure that merciless criminals will provide the keys needed to decrypt any or all of your data. Kaspersky determined that 17% of ransomware victims never recovered their data even after paying the ransom, resulting in additional losses. Paying is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far above the usual ransomware demand, which ZDNET determined to be around $13,000 for smaller organizations. The alternative is to piece back together the essential parts of your IT environment. Without access to full information backups, this calls for a wide range of skills, well-coordinated team management, and the ability to work 24x7 until the task is finished.
For decades, Progent has provided professional IT services to companies throughout the U.S. and has achieved Microsoft Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who hold advanced industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts hold internationally recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise in accounting and ERP applications. This breadth of expertise allows Progent to efficiently identify the necessary systems, integrate the surviving parts of your network environment following a ransomware attack, and rebuild them into an operational network.
Progent's ransomware team uses powerful project management systems to orchestrate the complex restoration process. Progent understands the importance of acting quickly and in unison with a client's management and IT staff to prioritize tasks and get key systems back on line as fast as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Penetration Recovery
A client escalated to Progent after their organization was taken over by Ryuk crypto-ransomware. Ryuk is generally considered to have been deployed by North Korean government-sponsored cybercriminals, possibly using technology exposed from the United States NSA. Ryuk seeks out companies with little ability to sustain operational disruption and is one of the most profitable versions of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer based in the Chicago metro area with about 500 workers. The Ryuk event had brought down all essential operations and manufacturing capabilities. Most of the client's data backups had been directly accessible at the time of the intrusion and were damaged. The client considered paying the ransom (exceeding two hundred thousand dollars) and hoping for the best, but in the end engaged Progent.
"I can't thank you enough for the care Progent provided us throughout the most fearful period of (our) business's survival. We would have had little choice but to pay the cyber criminals if not for the confidence the Progent team provided us. The fact that you could get our e-mail system and key applications back faster than a week was beyond my wildest dreams. Each expert I got help from or e-mailed at Progent was hell bent on getting us back online and was working 24/7 on our behalf."
Progent worked with the client to quickly assess and prioritize the mission-critical systems that had to be restored before business functions could continue:
- Windows Active Directory
- Electronic Mail
To start, Progent followed industry best practices for AV/malware penetration mitigation by halting lateral movement and removing active viruses. Progent then began rebuilding Active Directory, the core technology of enterprise environments built on Microsoft Windows Server. Exchange email will not function without Windows AD, and the business's MRP software used SQL Server, which requires Active Directory services for access to the database.
In less than 2 days, Progent rebuilt Active Directory to its pre-intrusion state. Progent then reinstalled key applications and recovered data from their hard drives. All Exchange Server schema and attributes were intact, which accelerated the rebuild of Exchange. Progent located unencrypted OST files (Outlook off-line folder files) on various workstations and laptops to recover mail data. A recent off-line backup of the client's manufacturing systems made it possible to bring these vital applications back online. Although a lot of work remained to recover fully from the Ryuk event, essential services were returned to operation quickly:
"For the most part, the production manufacturing operation showed little impact and we did not miss any customer deliverables."
Over the following couple of weeks, critical milestones in the recovery project were completed in close cooperation between Progent consultants and the client:
- In-house web sites were returned to operation with no loss of information.
- The MailStore Exchange Server with over 4 million historical emails was brought on-line and accessible to users.
- CRM/Customer Orders/Invoices/AP/AR/Inventory capabilities were 100% restored.
- A new Palo Alto Networks 850 security appliance was installed and configured.
- Nearly all of the user desktops and notebooks were fully operational.
"A lot of what went on during the initial response is nearly entirely a fog for me, but we will not forget the dedication all of you put in to give us our company back. I have been working together with Progent for the past 10 years, possibly more, and each time Progent has shined and delivered. This situation was a Herculean accomplishment."
A likely company-ending catastrophe was averted through the efforts of dedicated professionals, a wide array of technical expertise, and close teamwork. In retrospect, the ransomware incident described here would have been stopped by current cyber security solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user training, and appropriate incident response procedures for backups and for keeping systems up to date with security patches. The fact remains, however, that government-sponsored hackers from Russia, North Korea and elsewhere are tireless and an ongoing threat. If you do fall victim to a ransomware penetration, be confident that Progent's roster of professionals has proven experience in ransomware defense, remediation, and information systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were helping), thank you for letting me get some sleep after we got through the initial fire. Everyone made an amazing effort, and if anyone is visiting the Chicago area, a great meal is my treat!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this ransomware incident report, see Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).