Crypto-Ransomware: Your Feared IT Disaster
Crypto-Ransomware has become an escalating cyber pandemic that poses an enterprise-level danger for businesses unprepared for an assault. Different iterations of ransomware such as Dharma, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been out in the wild for a long time and continue to cause destruction. Newer versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Nephilim, as well as more as yet unnamed newcomers, not only encrypt on-line data but also infect every configured system backup they can reach. Files synchronized to cloud environments can also be rendered useless. In a vulnerable data protection solution, this can make automatic restore operations impossible and basically knocks the network back to square one.
Restoring applications and data following a ransomware attack becomes a sprint against time as the targeted organization tries its best to stop lateral movement, clear the ransomware, and resume mission-critical activity. Because ransomware needs time to move laterally, penetrations are usually launched at night, when attacks in many cases take longer to recognize. This compounds the difficulty of promptly marshalling and organizing a capable response team.
Progent provides a range of solutions for protecting Raleigh businesses from crypto-ransomware attacks. These include team education to help staff identify and not fall victim to phishing attempts, and ProSight Active Security Monitoring for endpoint detection and response (EDR), which uses SentinelOne's behavior-based threat protection to detect and quarantine zero-day malware assaults. Progent also provides the services of seasoned ransomware recovery engineers with the skills and perseverance to rebuild a compromised system as urgently as possible.
Progent's Ransomware Recovery Services
Soon after a ransomware penetration, even paying the ransom demands in Bitcoin cryptocurrency does not ensure that merciless criminals will respond with the keys needed to decrypt any or all of your data. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never recovered their data after having sent off the ransom, resulting in increased losses. Paying is also expensive in itself. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly above the usual crypto-ransomware demands, which ZDNET determined to be approximately $13,000 for smaller organizations. The fallback is to piece back together the critical components of your Information Technology environment. Without access to essential information backups, this requires a wide complement of skill sets, professional project management, and the ability to work 24x7 until the recovery project is finished.
For two decades, Progent has provided expert Information Technology services for companies across the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have earned high-level industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial management and ERP software solutions. This breadth of experience gives Progent the skills to efficiently identify the necessary systems, re-organize the surviving pieces of your Information Technology environment following a crypto-ransomware attack, and assemble them into an operational system.
Progent's recovery team uses powerful project management applications to coordinate the complicated recovery process. Progent knows the urgency of acting swiftly and works together with a customer's management and Information Technology team members to assign priority to tasks and to put key services back on line as soon as humanly possible.
Client Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A business sought out Progent after their network was brought down by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean government-sponsored hackers, possibly adopting approaches exposed from the U.S. National Security Agency. Ryuk goes after specific companies with little or no room for operational disruption and is one of the most profitable instances of crypto-ransomware. Well-known victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company located in Chicago with around 500 staff members. The Ryuk intrusion had frozen all company operations and manufacturing processes. Most of the client's information backups had been online at the time of the attack and were encrypted. The client was preparing to pay the ransom (more than $200,000) and hoping for good luck, but ultimately brought in Progent.
"I cannot thank you enough in regards to the support Progent gave us throughout the most critical time of (our) business's survival. We would have paid the criminal gangs except for the confidence the Progent group provided us. The fact that you were able to get our e-mail system and production applications back into operation quicker than five days was incredible. Each consultant I got help from or e-mailed at Progent was hell bent on getting our system up and was working day and night on our behalf."
Progent worked hand in hand with the client to quickly assess and prioritize the key services that needed to be addressed in order to continue departmental functions:
- Active Directory
- Electronic Messaging
To get going, Progent followed industry best practices for ransomware event mitigation by halting the spread and cleaning up compromised systems. Progent then started the work of restoring Microsoft Active Directory, the key technology of enterprise systems built upon Microsoft Windows Server technology. Microsoft Exchange Server email will not function without Windows AD, and the customer's financials and MRP system relied on Microsoft SQL Server, which requires Windows AD for authentication to the databases.
Within two days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then assisted with setup and storage recovery of critical applications. All Exchange data and attributes were intact, which accelerated the restore of Exchange. Progent was also able to locate intact OST data files (Outlook Email Offline Folder Files) on user desktop computers in order to recover email messages. A relatively recent off-line backup of the business's accounting/MRP software made it possible to restore these vital applications and make them available to users again. Although a large amount of work remained to recover totally from the Ryuk attack, essential services were restored rapidly:
"For the most part, the manufacturing operation was never shut down and we produced all customer orders."
Over the following few weeks, critical milestones in the restoration process were reached in tight cooperation between Progent team members and the client:
- In-house web sites were returned to operation with no loss of data.
- The MailStore server for Exchange, holding more than 4 million historical emails, was brought online and made available to users.
- CRM/Customer Orders/Invoices/AP/Accounts Receivables (AR)/Inventory modules were 100 percent operational.
- A new Palo Alto Networks 850 firewall was deployed.
- 90% of the user workstations were functioning as before the incident.
"Much of what transpired those first few days is mostly a fog for me, but my team will not forget the countless hours all of you put in to help get our business back. I've trusted Progent for the past ten years, maybe more, and each time I needed help Progent has come through and delivered as promised. This situation was a stunning achievement."
A possible business-killing catastrophe was averted through the efforts of dedicated professionals, a broad spectrum of subject matter expertise, and tight collaboration. In the post-mortem it was clear that the ransomware attack detailed here would have been identified and prevented with up-to-date security systems and recognized best practices, user and IT administrator training, properly executed incident response procedures for information protection, and proper patching controls. The reality, however, is that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware incident, remember that Progent's team of experts has a proven track record in crypto-ransomware virus blocking, cleanup, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were contributing), thanks very much for allowing me to get some sleep after we made it over the initial push. All of you did an amazing effort, and if anyone that helped is in the Chicago area, a great meal is the least I can do!"
Download the Ransomware Cleanup Case Study Datasheet
To review or download a PDF version of this customer case study, click: Progent's Ryuk Incident Recovery Case Study Datasheet (PDF - 282 KB).
Contact Progent for Ransomware Recovery Consulting in Raleigh
For ransomware system recovery services in the Raleigh metro area, phone Progent at 800-462-8800 or go to Contact Progent.