Crypto-Ransomware : Your Feared IT Disaster
Ransomware has become an escalating cyberplague that presents an enterprise-level danger for organizations poorly prepared for an attack. Different iterations of crypto-ransomware such as Dharma, Fusob, Locky, SamSam and MongoLock cryptoworms have been running rampant for years and continue to cause damage. More recent strains of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Nephilim, as well as the as-yet-unnamed newcomers that appear daily, not only encrypt online data files but also infiltrate many configured system protections. Data synchronized to off-site disaster recovery sites can also be encrypted. In a vulnerable environment, this can make automated restore operations impossible and effectively knocks the network back to zero.
Getting back on-line applications and data following a ransomware attack becomes a sprint against the clock as the targeted organization tries its best to contain and eradicate the ransomware and to resume mission-critical operations. Because crypto-ransomware needs time to replicate, assaults are frequently sprung during weekends and nights, when successful penetrations are likely to take more time to detect. This multiplies the difficulty of promptly marshalling and coordinating a knowledgeable response team.
Progent provides an assortment of solutions for securing Tucson organizations from crypto-ransomware penetrations. Among these are team member training to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of modern security appliances with AI capabilities to quickly discover and disable day-zero cyber attacks. Progent also can provide the services of expert ransomware recovery professionals with the skills and commitment to restore a compromised environment as rapidly as possible.
Progent's Crypto-Ransomware Restoration Services
Following a crypto-ransomware penetration, paying the ransom in Bitcoin cryptocurrency does not ensure that cyber criminals will return the keys to decrypt all your files. Kaspersky determined that 17% of ransomware victims never restored their information even after having paid the ransom, resulting in increased losses. Paying is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the typical ransomware demand, which ZDNET determined to be around $13,000 for smaller businesses. The other path is to piece back together the key components of your IT environment. Absent access to complete data backups, this calls for a wide range of skill sets, top-notch team management, and the capability to work non-stop until the recovery project is over.
For decades, Progent has made available certified expert Information Technology services for businesses across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have earned top industry certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have earned internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience in financial systems and ERP application software. This breadth of experience gives Progent the skills to rapidly identify the necessary systems, organize the remaining pieces of your IT environment after a crypto-ransomware penetration, and assemble them into a functioning system.
Progent's recovery team of experts uses powerful project management applications to orchestrate the sophisticated recovery process. Progent appreciates the urgency of working quickly and in unison with a client's management and Information Technology team members to assign priority to tasks and to put essential applications back on-line as soon as humanly possible.
Business Case Study: A Successful Ransomware Penetration Recovery
A small business engaged Progent after their network was penetrated by Ryuk crypto-ransomware. Ryuk is thought to have been deployed by North Korean state criminal gangs, possibly adopting approaches exposed from the U.S. NSA organization. Ryuk seeks out specific organizations with little room for disruption and is one of the most profitable incarnations of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturer located in Chicago with about 500 workers. The Ryuk event had frozen all essential operations and manufacturing capabilities. Most of the client's information backups had been directly accessible from the network at the time of the intrusion and were destroyed. The client considered paying the ransom demand (exceeding $200K) and praying for the best, but in the end called Progent.
"I cannot tell you enough in regards to the help Progent provided us during the most stressful time of (our) business's survival. We may have had to pay the cyber criminals behind the attack except for the confidence the Progent group provided us. That you could get our e-mail and important applications back online in less than a week was amazing. Each expert I spoke to or messaged at Progent was laser focused on getting our system up and was working 24/7 on our behalf."
Progent worked hand in hand with the client to quickly get our arms around and assign priority to the key elements that had to be addressed in order to continue business functions:
To begin, Progent followed industry best practices for AV/malware penetration mitigation by halting the spread and performing virus removal steps. Progent then initiated the steps of rebuilding Windows Active Directory, the heart of enterprise environments built on Microsoft Windows technology. Exchange messaging will not operate without Windows AD, and the client's MRP system leveraged Microsoft SQL, which depends on Windows AD for access to the data.
- Active Directory (AD)
Within 48 hours, Progent was able to rebuild Windows Active Directory to its pre-penetration state. Progent then helped perform rebuilding and storage recovery of needed systems. All Microsoft Exchange Server data and attributes were intact, which facilitated the restore of Exchange. Progent was able to assemble intact OST files (Outlook Email Off-Line Folder Files) on staff workstations and laptops to recover email messages. A recent offline backup of the customer's financials/MRP software made it possible to bring these essential applications back to users. Although a large amount of work was left to recover totally from the Ryuk virus, critical systems were recovered rapidly:
"For the most part, the production line operation never missed a beat and we produced all customer orders."
Throughout the following couple of weeks key milestones in the recovery process were completed in tight collaboration between Progent engineers and the client:
- Self-hosted web sites were brought back up with no loss of information.
- The MailStore Server containing more than 4 million archived emails was restored to operations and accessible to users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory functions were fully restored.
- A new Palo Alto 850 security appliance was set up.
- 90% of user desktops were back in use by staff.
"Much of what occurred in the initial days is nearly entirely a fog for me, but I will not soon forget the dedication each of your team accomplished to give us our business back. I've utilized Progent for at least 10 years, possibly more, and each time Progent has outperformed my expectations and delivered. This event was no exception but maybe more Herculean."
A probable enterprise-killing catastrophe was averted due to dedicated experts, a broad range of technical expertise, and tight teamwork. In retrospect, the ransomware virus penetration detailed here would have been disabled by advanced cyber security technology, NIST Cybersecurity Framework best practices, staff training, well-designed incident response procedures for data protection, and proper patching controls. The reality remains, however, that government-sponsored hackers from Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a crypto-ransomware incursion, remember that Progent's team of professionals has a proven track record in ransomware virus defense, cleanup, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for allowing me to get some sleep after we made it through the initial push. Everyone did an amazing effort, and if any of your guys is in the Chicago area, dinner is my treat!"
Download the Ransomware Removal Case Study Datasheet
To review or download a PDF version of this case study, please click: Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware Recovery Expertise in Tucson
For ransomware cleanup expertise in the Tucson metro area, call Progent at 800-462-8800 or see Contact Progent.