Crypto-Ransomware : Your Feared IT Nightmare
Crypto-ransomware has become an escalating cyber pandemic that poses an enterprise-level threat to organizations unprepared for an attack. Ransomware families such as CryptoLocker, WannaCry, Locky, NotPetya and the MongoLock cryptoworm have run rampant for years and continue to cause damage. Modern crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Egregor, plus a steady stream of unnamed newcomers, not only encrypt online data but also corrupt any system backups they can reach. Data synchronized to cloud environments can be ransomed as well. In a vulnerable environment this can render restore operations hopeless and effectively set the entire organization back to square one.
Restoring applications and data after a ransomware event becomes a race against the clock as the targeted organization fights to stop lateral movement, eradicate the ransomware, and bring business-critical activity back online. Because ransomware needs time to move laterally, attacks are frequently launched at night and on weekends, when they typically take longer to notice. This compounds the difficulty of promptly assembling and coordinating a qualified response team.
Progent offers a range of services for protecting Ribeirão Preto organizations from ransomware events. These include user training to recognize and avoid phishing attacks, and ProSight Active Security Monitoring (ASM) for endpoint detection and response, which uses SentinelOne's behavior-based threat protection to identify and quarantine zero-day modern malware attacks. Progent also provides seasoned crypto-ransomware recovery engineers with the skills and perseverance to restore a compromised environment as urgently as possible.
Progent's Crypto-Ransomware Recovery Help
Following a ransomware attack, paying the ransom demand in cryptocurrency provides no assurance that the criminal gang will respond with the keys to decrypt any or all of your files. Kaspersky estimated that seventeen percent of ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also very costly. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000). This is well above typical ransomware demands, which ZDNET determined to be approximately $13,000 for small businesses. The alternative is to piece back together the key parts of your Information Technology environment. Without access to complete data backups, this requires a wide range of skills, well-coordinated team management, and the ability to work 24x7 until the job is finished.
For two decades, Progent has provided expert Information Technology services to businesses throughout the US and has achieved Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold high-level industry certifications in key technologies from Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have earned internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise in accounting and ERP software solutions. This breadth of expertise gives Progent the capability to identify critical systems, salvage the surviving pieces of your network environment after a crypto-ransomware event, and rebuild them into an operational network.
Progent's security team uses best-of-breed project management tools to orchestrate the complex recovery process. Progent understands the importance of working rapidly and in unison with a customer's management and IT staff to prioritize tasks and to get essential services back online as soon as possible.
Customer Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A customer contacted Progent after their network was brought down by the Ryuk crypto-ransomware. Ryuk is thought to have been developed by North Korean state-sponsored criminal gangs, possibly using techniques leaked from America's National Security Agency. Ryuk targets specific organizations with little tolerance for operational disruption and is among the most lucrative ransomware variants. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company located in the Chicago metro area with about 500 staff members. The Ryuk intrusion had halted all company operations and manufacturing processes. The majority of the client's data backups had been online at the time of the attack and were damaged. The client was considering paying the ransom demand (in excess of $200,000) and hoping for the best, but ultimately reached out to Progent.
"I can't speak enough in regards to the care Progent gave us throughout the most critical time of (our) business's existence. We may have had to pay the criminal gangs if it wasn't for the confidence the Progent group gave us. That you could get our e-mail system and important applications back in less than five days was incredible. Every single consultant I interacted with or e-mailed at Progent was urgently focused on getting us working again and was working at breakneck pace on our behalf."
Progent worked with the customer to quickly assess and prioritize the mission-critical components that had to be restored before business operations could resume:
- Windows Active Directory
- Exchange Server
First, Progent followed ransomware incident response best practices by stopping lateral movement and cleaning up infected systems. Progent then began rebuilding Active Directory, the core of enterprise systems built on Microsoft Windows technology. Microsoft Exchange Server email will not operate without Active Directory, and the client's financial and MRP software ran on SQL Server, which depends on Active Directory for access authorization to the databases.
In less than 48 hours, Progent restored Windows Active Directory to its pre-attack state. Progent then began setup and disk recovery on essential servers. All Exchange Server schema and attributes were intact, which simplified the rebuild of Exchange. Progent was able to gather unencrypted OST files (Outlook Offline Folder files) from team workstations to recover email messages. A relatively recent offline backup of the company's accounting/ERP systems allowed those essential applications to be brought back online. Although a great deal of work remained to recover completely from the Ryuk attack, essential systems were restored rapidly:
"For the most part, the manufacturing operation showed little impact and we produced all customer shipments."
Over the following weeks, important milestones in the restoration were reached through close collaboration between Progent consultants and the client:
- Internal web sites were returned to operation without losing any information.
- The MailStore Server containing more than 4 million archived emails was brought online and made accessible to users.
- CRM/Product Ordering/Invoices/Accounts Payable/AR/Inventory Control capabilities were 100 percent restored.
- A new Palo Alto Networks 850 security appliance was installed.
- Ninety percent of the user desktops were fully operational.
"A lot of what was accomplished that first week is mostly a blur for me, but I will not soon forget the urgency each and every one of your team put in to give us our company back. I've trusted Progent for the past 10 years, possibly more, and every time I needed help Progent has impressed me and delivered. This situation was a testament to your capabilities."
A potential business-extinction disaster was averted through the efforts of top-tier professionals, a wide array of IT skills, and tight collaboration. Post-incident forensics showed that the ransomware attack described here should have been identified and stopped by advanced security systems and security best practices, user and IT administrator training, and properly executed procedures for data backup and keeping systems current with security patches. The fact remains, however, that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and an ongoing threat. If you are hit by a ransomware incident, you can be confident that Progent's roster of experts has extensive experience in ransomware blocking, remediation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), I'm grateful for letting me get rested after we got through the most critical parts. All of you did an amazing job, and if any of your guys is visiting the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To review or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware Cleanup Consulting Services in Ribeirão Preto
For ransomware recovery services in the Ribeirão Preto metro area, call Progent at 800-462-8800 or see Contact Progent.