Crypto-Ransomware: Your Feared IT Nightmare
Crypto-ransomware has become an escalating cyber pandemic that represents an existential danger for organizations unprepared for an assault. Versions of crypto-ransomware such as CryptoLocker, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for many years and continue to cause damage. Modern variants such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, along with as-yet-unnamed newcomers, not only encrypt online data but also corrupt most reachable system backups. Files synced to the cloud can be corrupted as well. In a vulnerable environment, this can render any restoration useless and effectively knocks the datacenter back to zero.
Getting applications and data back online after a ransomware event becomes a race against the clock as the victim fights to contain and clean up the infection and to resume mission-critical activity. Because ransomware needs time to move laterally, attacks are frequently launched on weekends, when they typically take longer to detect. This multiplies the difficulty of rapidly mobilizing and coordinating a knowledgeable mitigation team.
Progent offers a range of solutions for securing Raleigh enterprises from crypto-ransomware penetrations. These include staff education to help recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of modern security appliances with artificial intelligence capabilities to intelligently detect and suppress new cyber attacks. Progent also provides the services of seasoned ransomware recovery professionals with the talent and commitment to reconstruct a breached network as urgently as possible.
Progent's Ransomware Recovery Help
Following a ransomware attack, paying the ransom demand in Bitcoin does not ensure that the attackers will provide the keys to decrypt all your files. Kaspersky Labs found that 17% of crypto-ransomware victims never recovered their files even after paying the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the average ransomware demand, which ZDNET estimated to be in the range of $13,000 for small businesses. The alternative is to rebuild the vital parts of your Information Technology environment. Without usable backups of essential data, this calls for a broad complement of skill sets, top-notch team management, and the ability to work 24x7 until the recovery project is finished.
For decades, Progent has offered professional Information Technology services for companies throughout the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have been awarded high-level industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have garnered internationally-renowned industry certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent also has expertise with financial systems and ERP software solutions. This breadth of expertise affords Progent the skills to rapidly identify necessary systems and re-organize the remaining pieces of your network environment following a ransomware penetration and configure them into a functioning system.
Progent's ransomware group uses state-of-the-art project management applications to coordinate the complicated recovery process. Progent understands the urgency of acting rapidly and in concert with a client's management and Information Technology resources to prioritize tasks and to get key applications back online as fast as possible.
Customer Story: A Successful Ransomware Incident Recovery
A client contacted Progent after their network was attacked by the Ryuk crypto-ransomware. Ryuk is generally considered to have been launched by North Korean government-sponsored cybercriminals, suspected of using techniques leaked from the U.S. National Security Agency. Ryuk targets specific companies with little tolerance for disruption and is among the most profitable instances of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturer located in Chicago with about 500 staff members. The Ryuk event had shut down all company operations and manufacturing processes. Most of the client's data backups had been online at the start of the intrusion and were encrypted. The client considered paying the ransom demand (more than $200K) and hoping for the best, but ultimately reached out to Progent.
"I cannot thank you enough in regards to the care Progent gave us during the most stressful time of (our) company's life. We would have paid the criminal gangs if not for the confidence the Progent team gave us. That you could get our e-mail and essential applications back online sooner than a week was amazing. Each person I spoke to or texted at Progent was laser focused on getting us back on-line and was working at breakneck pace to bail us out."
Progent worked together with the customer to quickly identify and prioritize the most important systems that had to be addressed in order to continue business operations:
- Active Directory
- Accounting and Manufacturing Software
To begin, Progent followed ransomware incident mitigation industry best practices by stopping lateral movement and clearing infected systems. Progent then began restoring Microsoft Active Directory, the core of enterprise networks built on Microsoft technology. Microsoft Exchange Server messaging will not operate without AD, and the business's financials and MRP system used Microsoft SQL Server, which depends on Active Directory services for access to the databases.
Within two days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then assisted with rebuilding mission-critical applications and recovering their storage. All Exchange schema and configuration information was intact, which greatly helped the rebuild of Exchange. Progent was also able to gather local OST files (Outlook Offline Data Files) from various workstations to recover email data. A relatively recent offline backup of the client's accounting/MRP systems made it possible to restore these essential applications and make them available to users again. Although a large amount of work still had to be done to recover fully from the Ryuk attack, critical systems were returned to operation quickly:
"For the most part, the assembly line operation did not miss a beat and we delivered all customer orders."
During the following weeks, critical milestones in the restoration project were achieved through tight cooperation between Progent team members and the client:
- In-house web sites were returned to operation without losing any information.
- The MailStore Microsoft Exchange Server containing more than 4 million archived messages was spun up and available for users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory functions were completely restored.
- A new Palo Alto 850 firewall was installed.
- 90% of the user workstations were operational.
"A huge amount of what transpired that first week is mostly a haze for me, but our team will not soon forget the dedication each and every one of you accomplished to help get our business back. I have been working with Progent for the past ten years, maybe more, and every time I needed help Progent has come through and delivered as promised. This time was a stunning achievement."
A potential business-extinction disaster was avoided through the efforts of dedicated professionals, a broad spectrum of knowledge, and tight teamwork. In retrospect, the ransomware attack detailed here would have been identified and stopped by current cyber security technology and best practices: user education, appropriate procedures for data backup, and keeping systems up to date with security patches. The fact remains that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by a ransomware attack, remember that Progent's roster of experts has substantial experience in ransomware blocking, removal, and file restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were involved), I'm grateful for making it so I could get rested after we got over the initial push. Everyone did an amazing effort, and if any of you guys are around the Chicago area, dinner is on me!"
Download the Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)