Crypto-Ransomware: Your Crippling Information Technology Disaster
Ransomware has become an escalating cyberplague that poses an existential danger to organizations unprepared for an attack. Established crypto-ransomware families such as CrySIS, WannaCry, Locky, NotPetya and MongoLock have been circulating for years and continue to inflict damage. Newer strains such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, Snatch and Egregor, plus as yet unnamed newcomers, not only encrypt critical online data but also go after any reachable backup or system-protection mechanism. Data synced to cloud environments can be rendered useless as well, since the encrypted files are replicated over the good copies. In a poorly designed environment this makes automated restoration impossible and effectively sets the datacenter back to zero.
Bringing applications and data back online after a ransomware outage becomes a race against time as the victim struggles to stop lateral movement, eradicate the ransomware and resume business-critical operations. Because encrypting an environment takes time, attacks are frequently launched at night or on weekends, when intrusions take longer to notice and the attacker gains a head start. This compounds the difficulty of rapidly assembling and organizing a capable response team.
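The timing problem above (bursts of encryption that begin when nobody is watching) is what endpoint and file-server monitoring has to catch early. As an added illustration, not code from Progent or the ProSight service, the following Python script replays constructed file-server audit records and raises an alert when one account renames many files to a new extension across several shares within a minute, tagging the alert if the burst began outside staffed hours. The record layout, the account and share names, the thresholds and the .ryk extension in the sample are all assumptions.

```python
"""Off-hours mass-rename burst detector: an added example, not Progent's code.

Replays constructed file-server audit records and flags any account that,
inside a short sliding window, renames many files to a different extension
across several shares or folders. The log format, field names, thresholds
and the ".ryk" extension used in the sample are assumptions for illustration.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

WINDOW = timedelta(seconds=60)  # sliding window evaluated per (actor, host)
RENAME_THRESHOLD = 20           # extension-changing renames inside the window
MIN_DIRECTORIES = 3             # burst must span several folders, not just one


@dataclass(frozen=True)
class Alert:
    actor: str
    host: str
    first: datetime   # first rename of the burst
    last: datetime    # most recent rename seen for this actor
    renames: int      # extension-changing renames seen for this actor so far
    directories: int  # distinct folders touched in the current window
    off_hours: bool   # burst began outside Mon-Fri 07:00-19:00


def parse(line: str):
    """Assumed record layout: '<iso-ts> <actor> <host> <op> <path> [<newpath>]'."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ts = datetime.fromisoformat(parts[0])
    dst = parts[5] if len(parts) > 5 else None
    return ts, parts[1], parts[2], parts[3], parts[4], dst


def extension_changed(src: str, dst: str) -> bool:
    return PureWindowsPath(src).suffix.lower() != PureWindowsPath(dst).suffix.lower()


def is_off_hours(ts: datetime) -> bool:
    """Mon-Fri 07:00-19:00 is treated as staffed; everything else is off-hours."""
    return ts.weekday() >= 5 or not 7 <= ts.hour < 19


def detect(lines) -> list[Alert]:
    windows = defaultdict(deque)  # (actor, host) -> deque of (timestamp, folder)
    totals = defaultdict(int)     # (actor, host) -> extension-changing renames seen
    alerts = {}                   # (actor, host) -> latest Alert
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, actor, host, op, src, dst = rec
        # Only renames that change the extension count; ordinary edits are ignored.
        if op != "RENAME" or dst is None or not extension_changed(src, dst):
            continue
        key = (actor, host)
        q = windows[key]
        q.append((ts, str(PureWindowsPath(dst).parent)))
        while q and ts - q[0][0] > WINDOW:   # drop events older than the window
            q.popleft()
        totals[key] += 1
        dirs = {folder for _, folder in q}
        if len(q) >= RENAME_THRESHOLD and len(dirs) >= MIN_DIRECTORIES:
            prev = alerts.get(key)
            first = prev.first if prev else q[0][0]   # keep the burst's original start
            alerts[key] = Alert(actor, host, first, ts, totals[key], len(dirs), is_off_hours(first))
    return list(alerts.values())


def build_sample() -> list[str]:
    """Constructed audit log: routine Friday-morning edits by a user, then a
    Saturday 02:00 burst in which a service account rewrites files as *.ryk
    across four shares, one file per second."""
    lines = [
        r"2020-03-06T10:15:02 alice WS-014 WRITE \\fs1\finance\budget-2020.xlsx",
        r"2020-03-06T10:16:40 alice WS-014 RENAME \\fs1\finance\draft.docx \\fs1\finance\budget-notes.docx",
        r"2020-03-06T10:20:11 alice WS-014 RENAME \\fs1\finance\old.tmp \\fs1\finance\old.txt",
    ]
    start = datetime(2020, 3, 7, 2, 0, 0)  # Saturday
    shares = ["finance", "engineering", "hr", "backups"]
    for i in range(48):
        src = "\\\\fs1\\{}\\doc{:03d}.docx".format(shares[i % len(shares)], i)
        stamp = (start + timedelta(seconds=i)).isoformat()
        lines.append("{} svc-backup FS1 RENAME {} {}.ryk".format(stamp, src, src))
    return lines


if __name__ == "__main__":
    for a in detect(build_sample()):
        print(f"{a.actor}@{a.host}: {a.renames} renames over {a.directories} folders, "
              f"{a.first:%a %H:%M:%S}-{a.last:%H:%M:%S}, off_hours={a.off_hours}")
```

A real deployment would feed the detector Windows object-access events or a file-server audit export rather than the embedded sample, and the thresholds would be tuned against the environment's normal rename rate. The off_hours flag exists so that an alert raised at 02:00 on a Saturday pages someone instead of waiting in a queue until Monday.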
Progent offers a range of services for protecting Durham businesses from ransomware incidents. These include staff training to recognize and avoid phishing attacks, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment and configuration of modern security gateways with artificial-intelligence capabilities to identify and block new threats. Progent can also provide the services of seasoned ransomware recovery professionals with the skills and persistence to restore a compromised network as quickly as possible.
Progent's Ransomware Restoration Help
After a ransomware attack, paying the ransom in Bitcoin provides no assurance that the criminals will hand over keys that decrypt all your data. Kaspersky found that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the exchange rates of the time), far above the average demand, which ZDNet estimated at about $13,000 for smaller businesses. The alternative is to rebuild the core components of your IT environment from scratch. Without full, uncompromised backups, this requires a broad set of IT skills, professional project management, and the willingness to work around the clock until recovery is complete.
For decades, Progent has provided expert IT services to companies throughout the United States and has earned Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers with advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware and the popular Linux distributions. Progent's cyber security specialists hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC and GIAC (see Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of expertise allows Progent to quickly identify the systems that matter, organize what remains of your network environment after a crypto-ransomware attack, and rebuild it into a working system.
Progent's ransomware recovery team uses best-of-breed project management tools to orchestrate the complex restoration process. Progent understands the urgency of working swiftly and in concert with the customer's management and IT staff to prioritize tasks and bring critical systems back online as fast as humanly possible.
Client Story: A Successful Ransomware Virus Response
A business escalated to Progent after its network was taken over by the Ryuk crypto-ransomware. Ryuk was initially attributed to North Korean state-sponsored groups, although later analysis pointed to Russian-speaking criminal operators, and it has been suspected of reusing tooling leaked from the U.S. National Security Agency. Ryuk targets specific organizations with little tolerance for disruption and is one of the most profitable ransomware families. Publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in Chicago with around 500 employees. The Ryuk attack had shut down all business operations and manufacturing. Most of the client's backups had been online when the intrusion began and were eventually encrypted along with everything else. The client was actively seeking loans to pay the ransom (over $200,000) and hoping for the best, but ultimately engaged Progent.
"I cannot thank you enough for the support Progent provided us during the most critical period of (our) company's survival. We had little choice but to pay the cybercriminals, except for the confidence the Progent team afforded us. The fact that you were able to get our messaging and important applications back into operation in less than one week was amazing. Every single expert I interacted with or communicated with at Progent was laser focused on getting our system up and was working non-stop to bail us out."
Progent worked with the client to quickly assess and prioritize the essential systems that had to be addressed in order to resume business operations:
- Windows Active Directory
- Microsoft Exchange Email
To start, Progent followed ransomware incident response best practices by stopping lateral movement and removing active malware. Progent then began bringing Windows Active Directory (AD) back online, the heart of any environment built on Microsoft technology. Microsoft Exchange Server email cannot function without AD, and the client's MRP system ran on SQL Server, which relied on AD authentication for access to its data.
Within two days, Progent had restored Active Directory to its pre-intrusion state. Progent then rebuilt key systems and recovered their storage. All Exchange Server links and configuration data were intact, which greatly simplified rebuilding Exchange. Progent was also able to locate intact Outlook Offline Data Files (OST) on staff workstations and used them to recover mailbox data. A reasonably recent offline backup of the client's accounting/ERP software allowed these vital applications to be brought back into service. Although significant work remained to recover fully from the Ryuk attack, critical systems were returned to operation quickly:
"For the most part, the manufacturing operation never missed a beat and we did not miss any customer shipments."
Over the next couple of weeks, important milestones in the restoration project were completed in close cooperation between Progent team members and the customer:
- Internal web applications were brought back up without any data loss.
- The MailStore Server with over four million archived messages was brought online and made accessible to users.
- The CRM, product ordering, invoicing, accounts payable, accounts receivable and inventory control modules were fully recovered.
- A new Palo Alto Networks PA-850 firewall was installed.
- 90% of the desktop computers were back in use by staff.
"A huge amount of what went on in the early hours is nearly entirely a haze for me, but our team will not soon forget the commitment each and every one of you accomplished to give us our company back. I've entrusted Progent for at least 10 years, possibly more, and every time Progent has shined and delivered as promised. This situation was no exception but maybe more Herculean."
A potential business disaster was averted through the efforts of hard-working experts, a wide range of knowledge and tight collaboration. Although post-incident forensics showed that the crypto-ransomware incident described here could have been stopped with modern cyber security technology, recognized best practices, user education, well-designed backup procedures and systems kept current with security patches, the reality remains that state-sponsored and criminal cyber gangs from Russia, North Korea and elsewhere are relentless and are not going away. If you are hit by a ransomware incursion, you can be confident that Progent's roster of professionals has a proven track record in ransomware blocking, remediation and data restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), I'm grateful for allowing me to get rested after we made it past the initial push. All of you did a fabulous job, and if anyone is in the Chicago area, a great meal is the least I can do!"
Download the Ransomware Removal Case Study Datasheet
To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)