Crypto-Ransomware: Your Worst Information Technology Catastrophe
Crypto-Ransomware has become an all-too-frequent cyber pandemic that presents an extinction-level threat to businesses unprepared for an attack. Older ransomware families such as the CrySIS, Fusob, Locky, Syskey and MongoLock cryptoworms have been replicating for many years and continue to cause harm. Newer variants like Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, along with unnamed newcomers appearing daily, not only encrypt online data but also seek out and destroy every accessible system restore point and backup. Information synced to the cloud can be encrypted as well. In a vulnerable environment this can render automated restoration hopeless and effectively knocks the entire system back to square one.
Getting programs and data back after a crypto-ransomware event becomes a sprint against time as the targeted business fights to stop lateral movement, remove the ransomware and restore business-critical operations. Because crypto-ransomware needs time to replicate, attacks are usually sprung on weekends and at night, when intrusions typically take longer to uncover. This compounds the difficulty of rapidly marshalling and organizing an experienced mitigation team.
Progent provides a variety of services for protecting Boston enterprises from ransomware attacks. These include team education to help staff recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and the deployment and configuration of the latest generation of security solutions that use machine learning to rapidly identify and contain zero-day threats. Progent also provides veteran ransomware recovery professionals with the skill and perseverance to restore a breached network as quickly as possible.
Progent's Crypto-Ransomware Restoration Services
After a ransomware attack, paying the ransom demand in cryptocurrency does not guarantee that the attackers will return the keys needed to decrypt any or all of your data. Kaspersky Labs found that 17% of ransomware victims never recovered their files after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the average ransomware demand, which ZDNET estimated at around $13,000 for smaller organizations. The alternative is to rebuild the vital components of your IT environment. Without complete data backups, this calls for a broad range of skill sets, professional project management, and the willingness to work 24x7 until the recovery is complete.
For two decades, Progent has provided professional Information Technology services to companies throughout the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals holding high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers hold internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC (refer to Progent's certifications). Progent also has experience in financial management and ERP software solutions. This breadth of experience gives Progent the capability to quickly identify critical systems, re-organize the surviving pieces of your network environment following a ransomware penetration, and configure them into an operational system.
Progent's recovery team uses best-of-breed project management systems to orchestrate the complicated restoration process. Progent understands the urgency of working quickly and in concert with a client's management and IT staff to prioritize tasks and put the most important applications back online as soon as possible.
Customer Story: A Successful Crypto-Ransomware Virus Response
A customer contacted Progent after their network was attacked by the Ryuk ransomware. Ryuk is believed to have been launched by North Korean government-sponsored hackers, possibly using technology leaked from America's NSA. Ryuk targets specific organizations with limited ability to sustain operational disruption and is among the most profitable ransomware variants. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing business based in Chicago with around 500 employees. The Ryuk attack had disabled all company operations and manufacturing processes. Most of the client's system backups had been online at the start of the attack and were destroyed. The client was considering paying the ransom demand (in excess of $200K) and hoping for the best, but in the end called Progent.
"I cannot tell you enough in regard to the help Progent gave us throughout the most critical time of (our) business's survival. We had little choice but to pay the hackers behind this attack except for the confidence the Progent experts afforded us. That you were able to get our e-mail and essential applications back on-line quicker than seven days was amazing. Each expert I got help from or e-mailed at Progent was urgently focused on getting us back on-line and was working at all hours on our behalf."
Progent worked with the customer to quickly identify and prioritize the essential applications that had to be restored to make it possible to resume company operations:
- Microsoft Active Directory
- Exchange Server
- Accounting and Manufacturing Software
To begin, Progent followed ransomware incident mitigation best practices by isolating and removing active malware. Progent then began restoring Windows Active Directory, the core technology of enterprise environments built on Microsoft Windows. Exchange email will not work without AD, and the business's accounting and MRP software used Microsoft SQL Server, which depends on Active Directory for authentication to the databases.
Within two days, Progent had rebuilt Windows Active Directory to its pre-penetration state. Progent then began the setup and storage recovery of critical servers. All Microsoft Exchange Server data and attributes were intact, which accelerated the Exchange rebuild. Progent was also able to collect intact OST files (Microsoft Outlook Offline Data Files) from team PCs and laptops to recover mail messages. A recent offline backup of the customer's accounting software made it possible to bring these vital programs back online. Although much work remained to recover fully from the Ryuk virus, core services were returned to operation rapidly:
"For the most part, the production manufacturing operation survived unscathed and we did not miss any customer sales."
Over the following month key milestones in the recovery process were completed through close cooperation between Progent engineers and the client:
- In-house web applications were returned to operation without losing any data.
- The MailStore Server with over four million archived emails was restored to operations and accessible to users.
- CRM, Product Ordering, Invoicing, Accounts Payable, Accounts Receivable (AR) and Inventory Control capabilities were completely functional.
- A new Palo Alto Networks 850 security appliance was brought on-line.
- Ninety percent of the user desktops and notebooks were fully operational.
"So much of what happened those first few days is mostly a blur for me, but my management will not forget the urgency each and every one of the team put in to give us our business back. I have entrusted Progent for the past 10 years, maybe more, and every time Progent has shined and delivered. This time was no exception but maybe more Herculean."
A probable business-ending catastrophe was averted through the efforts of dedicated professionals, a wide spectrum of knowledge, and tight collaboration. In hindsight, the crypto-ransomware incident described here should have been identified and stopped by modern cyber security systems, recognized best practices, team education, properly executed incident response procedures for data protection, and proper patching controls. The reality, however, is that state-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and are not going away. If you are hit by a ransomware incursion, remember that Progent's team has substantial experience in ransomware defense, remediation, and information systems restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were involved), thanks very much for letting me get some sleep after we made it over the initial push. Everyone did an amazing job, and if any of your guys is around the Chicago area, dinner is the least I can do!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB)